Closed
Bug 1183448
Opened 9 years ago
Closed 9 years ago
Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1189744

| | Tracking | Status |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
function f(z) { eval(z) }
function g(z) { f(z, { n: true }) }
g("");
g("");
g("x = arguments")
g("Array.prototype.shift.call(x)");
g("");
g("");
g("Array.prototype.unshift.call(x, 1)");
g("");
g("");
g("Array.prototype.shift.call(x)");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("\
Object.defineProperty(x[0], 9, {\
    set: function(){}\
});\
Array.prototype.unshift.call(x[0], 1);\
Array.prototype.shift.call(x[0]);\
")

crashes js debug shell on m-c changeset 7ec3e4b2a45f with --fuzzing-safe --no-threads --no-baseline --no-ion at NativeSetExistingDataProperty.

(js opt shell also crashes)

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/71457f81430a
user: Jason Orendorff
date: Fri May 29 17:31:43 2015 -0500
summary: Bug 1125624, part 2 - Change js::StandardDefineProperty to forward to js::DefineProperty. r=Waldo.

Jason, is bug 1125624 a likely regressor?
Setting s-s in case the lock instruction is doing anything weird at $rcx memory address 0x00007fff5fbfc8e0.
Flags: needinfo?(jorendorff)
Comment 1•9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x224d04, 0x0000000101b71200, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x101b71200)
  * frame #0: 0x0000000101b71200
    frame #1: 0x00000001001b22a2 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x0000000101aa90f0, op=0x0000000101b71200, result=0x00007fff5fbfca78)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 210 at jscntxtinlines.h:320
    frame #2: 0x00000001001b2296 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 198 at NativeObject.cpp:2032
    frame #3: 0x00000001001b2dea js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 16 at NativeObject.cpp:2261
    frame #4: 0x00000001001b2dda js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x0000000101aa90f0, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 2410 at NativeObject.cpp:2322
(lldb)
Comment 2•9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x224973, 0x0000000103971500, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x103971500)
  * frame #0: 0x0000000103971500
    frame #1: 0x00000001002ddb6c js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x00000001028a3180, op=0x0000000103971500, result=0x00007fff5fbfc228)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 748 at jscntxtinlines.h:320
    frame #2: 0x00000001002ddb46 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 710 at NativeObject.cpp:2032
    frame #3: 0x00000001002de855 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 5 at NativeObject.cpp:2261
    frame #4: 0x00000001002de850 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x00000001028a3180, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=Qualified, result=<unavailable>) + 2320 at NativeObject.cpp:2322
(lldb)
Comment 3•9 years ago (Reporter)
x = [];
for (var i = 0; i < 99; ++i) {
    x = { x };
}
Object.defineProperty(x, "", { get: Array.lastIndexOf }).toString = {};
delete x.w;
print(x);

crashes js debug shell on m-c changeset 5856a328963d with --fuzzing-safe --no-threads --ion-eager at a weird memory address with GetExistingProperty on the stack.

It also crashes js opt shell at js::NativeGetProperty with the pc being the following lock instruction as well:

(lldb) dis -p
->  0x101c62b50: lock
    0x101c62b51: xchgl  %ecx, %eax
(lldb) register read $ecx
     ecx = 0x5fbfe810
(lldb) register read $eax
     eax = 0x01a67000
(lldb)
Crash Signature: [@ NativeSetExistingDataProperty] → [@ NativeSetExistingDataProperty]
[@ GetExistingProperty]
[@ js::NativeGetProperty]
Summary: Crash [@ NativeSetExistingDataProperty] → Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]
Updated•9 years ago
Crash Signature: [@ NativeSetExistingDataProperty]
[@ GetExistingProperty]
[@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty]
[@ GetExistingProperty]
[@ js::NativeGetProperty]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 5•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8781f437a5d4).
Comment 6•9 years ago (Reporter)
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150813200339" and the hash "8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c".
The "good" changeset has the timestamp "20150813201139" and the hash "03b1eb0b1f9bcb470c1996dedc45992eb4acef59".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c&tochange=03b1eb0b1f9bcb470c1996dedc45992eb4acef59

Jason, is bug 1189744 a likely fix?
Crash Signature: [@ NativeSetExistingDataProperty]
[@ GetExistingProperty]
[@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty]
[@ GetExistingProperty]
[@ js::NativeGetProperty]
Comment 7•9 years ago (Reporter)
> Setting s-s in case the lock instruction is doing anything weird at $rcx
> memory address 0x00007fff5fbfc8e0.

This should be changed to sec-critical if it is indeed a dupe of bug 1189744. Going forward, this symptom should then be regarded as bad because it would map to an EXPLOITABLE rating in !exploitable as per that bug.

Also, this was found by fuzzers >2 weeks before the other bug! It would be nice to stop these from falling through the cracks again.
Updated•9 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release