Closed
Bug 1314392
Opened 8 years ago
Closed 8 years ago
Crash [@ js::IsWrapper] or Crash [@ js::GetObjectClass] or Crash [@ AddPromiseReaction] or Crash [@ js::UncheckedUnwrap] or Assertion failure: UncheckedUnwrap(obj)->is<PromiseObject>()
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla52
| | Tracking | Status |
|---|---|---|
| firefox49 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | --- | unaffected |
| firefox52 | --- | fixed |
People
(Reporter: decoder, Assigned: till)
References
Details
(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Crash Data
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 2c773b971672 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

```js
let promises = [];
promises.push(({}), ...("-3000000000.75 << 0"));
let allPromise = getWaitForAllPromise(promises);
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x0862f1ff in js::IsWrapper (obj=0xf133ca00) at js/src/jswrapper.h:339
#0  0x0862f1ff in js::IsWrapper (obj=0xf133ca00) at js/src/jswrapper.h:339
#1  AddPromiseReaction (cx=0xf794a000, promise=..., reaction=...) at js/src/builtin/Promise.cpp:2298
#2  0x086529d5 in PerformPromiseThen (cx=0xf794a000, promise=..., onFulfilled_=..., onRejected_=..., resultPromise=..., resolve=..., reject=...) at js/src/builtin/Promise.cpp:2136
#3  0x08653000 in js::GetWaitForAllPromise (cx=0xf794a000, promises=...) at js/src/builtin/Promise.cpp:1457
#4  0x0839b735 in JS::GetWaitForAllPromise (cx=0xf794a000, promises=...) at js/src/jsapi.cpp:4844
#5  0x08629ded in GetWaitForAllPromise (cx=0xf794a000, argc=1, vp=0xffffc218) at js/src/builtin/TestingFunctions.cpp:1482
#6  0x08532d87 in js::CallJSNative (args=..., native=<optimized out>, cx=0xf794a000) at js/src/jscntxtinlines.h:239
#7  js::InternalCallOrConstruct (cx=0xf794a000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:458
#8  0x08532f32 in InternalCall (cx=cx@entry=0xf794a000, args=...) at js/src/vm/Interpreter.cpp:503
#9  0x08532fdd in js::CallFromStack (cx=0xf794a000, args=...) at js/src/vm/Interpreter.cpp:509
#10 0x0818fc74 in js::jit::DoCallFallback (cx=0xf794a000, frame=0xffffc258, stub_=0xf133b390, argc=1, vp=0xffffc218, res=...) at js/src/jit/BaselineIC.cpp:6012
#11 0xf7be838f in ?? ()
[..]
#26 main (argc=3, argv=0xffffce34, envp=0xffffce44) at js/src/shell/js.cpp:7928
eax 0xf133ca00 -248264192
ebx 0x8a21ff4  144842740
ecx 0xe5e5e5e5 -437918235
edx 0xf1551130 -246083280
esi 0xf794a000 -141254656
edi 0xffffbe74 -16780
ebp 0x87a0a2e  <js::Wrapper::family>
esp 0xffffbc90 4294950032
eip 0x862f1ff  <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+447>
=> 0x862f1ff <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+447>: cmp %ebp,0x4(%ecx)
   0x862f202 <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+450>: je 0x862f350 <AddPromiseReaction(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<PromiseReactionRecord*>)+784>
```

This crashes in various ways, some of which seem to indicate use-after-free. Marking s-s and security-sensitive. This could be related to or a duplicate of bug 1314386, which also involves Promises.
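As an added example (not code from this bug or from SpiderMonkey), the user-land analogue below shows what the reporter's testcase actually hands to the function (a plain object followed by the 19 single-character strings of the spread string literal) and what the behaviour of the fix looks like: every element is checked before any reaction is registered, and a non-promise element raises a TypeError instead of being handed to code that assumes a PromiseObject. The names waitForAll, buildFuzzInput and classifyInput and the instanceof-based check are assumptions of this example; the engine itself tests the class of the unwrapped object, which script cannot do.

```javascript
// Added example, not SpiderMonkey code: a user-land analogue of the
// getWaitForAllPromise() testing function. The engine-level bug was an
// unchecked assumption that every array element unwraps to a PromiseObject;
// the fix throws instead of proceeding. The names waitForAll, buildFuzzInput
// and classifyInput are assumptions of this example.

// Validate every element before registering a single reaction, so a bad
// element can never reach the reaction-registration code path.
// Caveat: instanceof is realm-local; a promise from another realm (iframe,
// vm context) fails this test and is rejected rather than silently accepted.
function waitForAll(promises) {
  if (!Array.isArray(promises)) {
    throw new TypeError("waitForAll: expected an array of promises");
  }
  promises.forEach((p, i) => {
    if (!(p instanceof Promise)) {
      throw new TypeError(
        `waitForAll: element ${i} is not a Promise (got ${typeof p})`);
    }
  });
  const results = new Array(promises.length);
  let remaining = promises.length;
  return new Promise((resolve, reject) => {
    if (remaining === 0) {
      resolve(results);
      return;
    }
    promises.forEach((p, i) => {
      p.then((value) => {
        results[i] = value;
        if (--remaining === 0) resolve(results);
      }, reject);
    });
  });
}

// The reporter's testcase, reproduced as-is: push() receives a plain object
// and then the spread of a string literal, i.e. 19 one-character strings,
// so the array has 20 elements and none of them is a promise.
function buildFuzzInput() {
  let promises = [];
  promises.push(({}), ...("-3000000000.75 << 0"));
  return promises;
}

// Run the validating implementation over an input and report what happened
// without letting the exception escape.
function classifyInput(input) {
  try {
    const result = waitForAll(input);
    return result instanceof Promise ? "promise" : "unexpected";
  } catch (e) {
    return e instanceof TypeError ? "TypeError: " + e.message : "other";
  }
}

// A duck-typed thenable is deliberately rejected too: it is not a native
// promise, which is the distinction the engine assertion draws.
const thenable = { then(onFulfilled) { onFulfilled(42); } };
```

Running classifyInput(buildFuzzInput()) stops at element 0, the plain object; a healthy input such as [Promise.resolve(1), Promise.resolve(2)] yields a promise that resolves to [1, 2]. The check is done in a separate pass before any then() is called, so a bad element late in the array cannot leave earlier elements with reactions already attached.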
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20161029061522" and the hash "dc422956242bacfbf88d716f5b967d2c985b913b".
The "bad" changeset has the timestamp "20161029061821" and the hash "309ecb16acfe18bcf53d42497d0c3a489b43bc9e".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dc422956242bacfbf88d716f5b967d2c985b913b&tochange=309ecb16acfe18bcf53d42497d0c3a489b43bc9e
Till, is bug 1313049 a likely regressor?
Blocks: 1313049
Flags: needinfo?(till)
Assignee
Comment 3•8 years ago
It is, yes. Looking.
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Assignee
Comment 4•8 years ago
This isn't s-s because it only affects a testing function not exposed in the browser (outside of tests).
Attachment #8807152 - Flags: review?(arai.unmht)
Updated•8 years ago
Attachment #8807152 - Flags: review?(arai.unmht) → review+
Updated•8 years ago
Group: javascript-core-security
Updated•8 years ago
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
status-firefox51: --- → unaffected
Flags: in-testsuite+
Pushed by philringnalda@gmail.com:
https://hg.mozilla.org/mozilla-central/rev/92c5b8d103dd
Throw error instead of crashing when getting passed unexpected parameters in getWaitForAllPromise testing function. r=arai
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/92c5b8d103dd
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52