Closed Bug 1280246 Opened 8 years ago Closed 8 years ago

Crash [@ void js::CheckTracedThing<js::Shape>] with [@ js::ProxyObject::trace] on the stack

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1282746
Tracking Status
firefox49 --- affected
firefox50 --- affected

People

(Reporter: gkw, Assigned: Waldo)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 14c5bf11d37b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-debuggees-25.js
var x = newGlobal();
// jsfunfuzz-generated
Object = x.Object;
// Adapted from randomly chosen test: js/src/tests/ecma_5/strict/primitive-this-getter.js
var y = Object.getPrototypeOf(0);
var z = new Proxy({}, {});
Object.setPrototypeOf(y, z);
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1252453.js
gczeal(8, 2);
throw Error();

Backtrace:

0   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a8dace3 void js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*) + 51 (jsgc.h:1171)
1   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a912f57 js::Shape* DoCallback<js::Shape*>(JS::CallbackTracer*, js::Shape**, char const*) + 39 (TracingAPI.h:234)
2   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a5163f8 js::ProxyObject::trace(JSTracer*, JSObject*) + 56 (TracingAPI.h:57)
3   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a473a39 JSObject::traceChildren(JSTracer*) + 425 (jsobj.cpp:3891)
4   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a4447f9 js::gc::UpdatePointersTask::updateArenas() + 729 (jsgc.cpp:2231)
5   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a445678 js::gc::UpdatePointersTask::run() + 24 (jsgc.cpp:2385)
/snip

For detailed crash information, see attachment.

In opt builds this seems to be accessing weird memory addresses, e.g. 0x000000010508d820. Locking s-s as a start.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   295158:6cfb92e3d2c7
user:        Jeff Walden
date:        Tue Feb 23 13:42:30 2016 -0800
summary:     Bug 888969 - Make the getPrototypeOf/setPrototypeOf traps scriptable.  r=efaust, r=bholley

Waldo, is bug 888969 a likely regressor?
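For readers unfamiliar with what the bisected changeset (bug 888969, scriptable getPrototypeOf/setPrototypeOf proxy traps) exposes to script, the following is an added example, not code from this bug report or from SpiderMonkey. It uses only standard ES2015 Proxy/Reflect and runs in any current engine (the fuzz testcase above additionally relies on the shell-only newGlobal and gczeal builtins, which this example does not use). It shows the two traps being invoked, a proxy serving as another object's prototype as in the testcase, and the invariant checks that a conforming engine must apply to these traps.

```javascript
// Added example (not from the bug report): the scriptable getPrototypeOf /
// setPrototypeOf proxy traps and the invariant checks an engine must enforce.
// All targets, handlers and values below are constructed for illustration.

// Handler that records which prototype traps fire and forwards to the target.
function makeLoggedProxy(target, log) {
  return new Proxy(target, {
    getPrototypeOf(t) {
      log.push('getPrototypeOf');
      return Reflect.getPrototypeOf(t);
    },
    setPrototypeOf(t, proto) {
      log.push('setPrototypeOf');
      return Reflect.setPrototypeOf(t, proto);
    },
  });
}

// 1. Both traps are observable from script: Object.getPrototypeOf and
//    Object.setPrototypeOf on the proxy dispatch into the handler.
function trapsAreScriptable() {
  const log = [];
  const p = makeLoggedProxy({}, log);
  Object.getPrototypeOf(p);
  Object.setPrototypeOf(p, null);
  return log; // ['getPrototypeOf', 'setPrototypeOf']
}

// 2. A proxy can itself be installed as another object's prototype (the
//    testcase does this with a global's Number.prototype). Property lookups
//    that miss on the child walk into the proxy and run its traps.
function proxyAsPrototype() {
  const hits = [];
  const handler = {
    get(t, key, receiver) {
      hits.push(String(key));
      return Reflect.get(t, key, receiver);
    },
  };
  const protoProxy = new Proxy({ answer: 42 }, handler);
  const obj = Object.create(protoProxy); // obj -> protoProxy -> {answer: 42}
  const v = obj.answer;                  // miss on obj, trap on protoProxy
  return { v, hits };                    // { v: 42, hits: ['answer'] }
}

// 3. Invariant: if the target is non-extensible, the getPrototypeOf trap must
//    report the target's real prototype; a lying trap makes the engine throw.
function lyingTrapOnNonExtensibleTarget() {
  const target = Object.preventExtensions({});
  const liar = new Proxy(target, {
    getPrototypeOf() { return Array.prototype; }, // target's real proto is Object.prototype
  });
  try {
    Object.getPrototypeOf(liar);
    return 'no error';
  } catch (e) {
    return e.constructor.name; // 'TypeError'
  }
}

// 4. A setPrototypeOf trap that returns false is a refusal: Reflect reports
//    false, while Object.setPrototypeOf converts the refusal into a TypeError.
function refusingSetPrototypeOf() {
  const p = new Proxy({}, { setPrototypeOf() { return false; } });
  const reflectResult = Reflect.setPrototypeOf(p, null); // false
  let threw = false;
  try {
    Object.setPrototypeOf(p, null);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { reflectResult, threw }; // { reflectResult: false, threw: true }
}
```

The prototype-relationship bookkeeping that the engine must keep consistent here (which object is the delegate of which, and what the GC later traces) is exactly the area the assignee's comment below questions for proxies.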
Blocks: 888969
Crash Signature: [@ void js::CheckTracedThing<js::Shape>] → [@ void js::CheckTracedThing<js::Shape>] [@ js::ProxyObject::trace]
Flags: needinfo?(jwalden+bmo)
Attached patch: Tentative patch (Splinter Review)
The setDelegate calls for these things look a bit bogus.  If such a relationship should hold, it *should* have been ensured by the prototype-relationship-creation operation.  And it looks to me like all isDelegate calls don't work on proxies, so setting this doesn't matter.  But I should investigate harder.
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Sounds kind of bad, so I'll just mark it high. Feel free to adjust as appropriate.
Keywords: sec-high
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jwalden+bmo)
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Group: javascript-core-security