Closed Bug 1314392 Opened 8 years ago Closed 8 years ago

Crash [@ js::IsWrapper] or Crash [@ js::GetObjectClass] or Crash [@ AddPromiseReaction] or Crash [@ js::UncheckedUnwrap] or Assertion failure: UncheckedUnwrap(obj)->is<PromiseObject>()

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED FIXED
Target milestone: mozilla52
Tracking status:
firefox49 --- unaffected
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- fixed

People: Reporter: decoder, Assigned: till
Keywords: 5 keywords; Whiteboard: [fuzzblocker] [jsbugmon:update]
Attachments: 1 file

The following testcase crashes on mozilla-central revision 2c773b971672 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

let promises = [];
promises.push(({}), ...("-3000000000.75 << 0"));
let allPromise = getWaitForAllPromise(promises);


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0862f1ff in js::IsWrapper (obj=0xf133ca00) at js/src/jswrapper.h:339
#0  0x0862f1ff in js::IsWrapper (obj=0xf133ca00) at js/src/jswrapper.h:339
#1  AddPromiseReaction (cx=0xf794a000, promise=..., reaction=...) at js/src/builtin/Promise.cpp:2298
#2  0x086529d5 in PerformPromiseThen (cx=0xf794a000, promise=..., onFulfilled_=..., onRejected_=..., resultPromise=..., resolve=..., reject=...) at js/src/builtin/Promise.cpp:2136
#3  0x08653000 in js::GetWaitForAllPromise (cx=0xf794a000, promises=...) at js/src/builtin/Promise.cpp:1457
#4  0x0839b735 in JS::GetWaitForAllPromise (cx=0xf794a000, promises=...) at js/src/jsapi.cpp:4844
#5  0x08629ded in GetWaitForAllPromise (cx=0xf794a000, argc=1, vp=0xffffc218) at js/src/builtin/TestingFunctions.cpp:1482
#6  0x08532d87 in js::CallJSNative (args=..., native=<optimized out>, cx=0xf794a000) at js/src/jscntxtinlines.h:239
#7  js::InternalCallOrConstruct (cx=0xf794a000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:458
#8  0x08532f32 in InternalCall (cx=cx@entry=0xf794a000, args=...) at js/src/vm/Interpreter.cpp:503
#9  0x08532fdd in js::CallFromStack (cx=0xf794a000, args=...) at js/src/vm/Interpreter.cpp:509
#10 0x0818fc74 in js::jit::DoCallFallback (cx=0xf794a000, frame=0xffffc258, stub_=0xf133b390, argc=1, vp=0xffffc218, res=...) at js/src/jit/BaselineIC.cpp:6012
#11 0xf7be838f in ?? ()
[..]
#26 main (argc=3, argv=0xffffce34, envp=0xffffce44) at js/src/shell/js.cpp:7928
eax	0xf133ca00	-248264192
ebx	0x8a21ff4	144842740
ecx	0xe5e5e5e5	-437918235
edx	0xf1551130	-246083280
esi	0xf794a000	-141254656
edi	0xffffbe74	-16780
ebp	0x87a0a2e <js::Wrapper::family>
esp	0xffffbc90	4294950032
eip	0x862f1ff <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+447>
=> 0x862f1ff <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+447>:	cmp    %ebp,0x4(%ecx)
   0x862f202 <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+450>:	je     0x862f350 <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+784>


This crashes in various ways, some of which seem to indicate use-after-free. Marking s-s and security-sensitive. This could be related to, or a duplicate of, bug 1314386, which also involves Promises.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161029061522" and the hash "dc422956242bacfbf88d716f5b967d2c985b913b".
The "bad" changeset has the timestamp "20161029061821" and the hash "309ecb16acfe18bcf53d42497d0c3a489b43bc9e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dc422956242bacfbf88d716f5b967d2c985b913b&tochange=309ecb16acfe18bcf53d42497d0c3a489b43bc9e
Till, is bug 1313049 a likely regressor?
Blocks: 1313049
Flags: needinfo?(till)
It is, yes. Looking.
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
This isn't s-s because it only affects a testing function not exposed in the browser (outside of tests).
Attachment #8807152 - Flags: review?(arai.unmht)
Attachment #8807152 - Flags: review?(arai.unmht) → review+
Group: javascript-core-security
Pushed by philringnalda@gmail.com:
https://hg.mozilla.org/mozilla-central/rev/92c5b8d103dd
Throw error instead of crashing when getting passed unexpected parameters in getWaitForAllPromise testing function. r=arai
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
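The fix pushed above replaces a crash with a thrown error when the getWaitForAllPromise testing function is handed elements that are not promises. The JavaScript below is an added example, not SpiderMonkey, Firefox or the shell's own code: it rebuilds the element mix the testcase produces (a plain object followed by one-character strings, because spreading a string yields its characters) and shows the validate-then-throw pattern at the JS level, with Promise.all standing in for the shell's wait-for-all helper. The names buildTestcaseArray, classify, getWaitForAllPromiseChecked and tryChecked are assumptions made for this example.

```javascript
// Added example (not SpiderMonkey code): a JS-level model of the hardening
// described in the fix, validating every element before it reaches promise
// machinery that assumes each element is a real Promise.

// Rebuilds the array shape produced by the testcase on this page: push({})
// adds a plain object, and spreading a string adds one-character strings,
// so no element is a Promise.
function buildTestcaseArray() {
  const promises = [];
  promises.push(({}), ...("-3000000000.75 << 0"));
  return promises;
}

// Names each element's kind so the mismatch is visible in the error text.
function classify(value) {
  if (value instanceof Promise) return "promise";
  if (value !== null && typeof value === "object") return "object";
  return typeof value;
}

// Validating front end: throws TypeError unless every element is a Promise,
// mirroring the "throw error instead of crashing" approach of the fix.
// Note: instanceof Promise is realm-specific, so promises created in another
// realm would be rejected by this check; a thenable check would be looser.
function getWaitForAllPromiseChecked(promises) {
  if (!Array.isArray(promises)) {
    throw new TypeError("expected an array of promises");
  }
  promises.forEach((p, i) => {
    if (!(p instanceof Promise)) {
      throw new TypeError(`element ${i} (${classify(p)}) is not a Promise`);
    }
  });
  return Promise.all(promises);
}

// Reports the validation outcome: the TypeError message when input is
// rejected, or null when the checked function accepted it.
function tryChecked(promises) {
  try {
    getWaitForAllPromiseChecked(promises);
    return null;
  } catch (e) {
    return e instanceof TypeError ? e.message : String(e);
  }
}

// Usage: the testcase array is rejected at element 0, a valid array passes.
console.log(tryChecked(buildTestcaseArray()));
console.log(tryChecked([Promise.resolve(1), Promise.resolve(2)]));
```

The check runs before any element is used, so a malformed array fails early with a diagnostic naming the offending index and type rather than being dereferenced as a PromiseObject.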