Bug 1359712
Opened 7 years ago
Closed 10 months ago
"clone" shell-only testing function should check the type of arguments
(Core :: JavaScript Engine, defect, P3)
Status: RESOLVED DUPLICATE of bug 1524590
(Reporter: kangyan91, Unassigned)
(Keywords: triage-deferred)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce:

The following testcase crashes on mozilla-central revision b1c31c4a0a67. I build with: ./mach build in linux Ubuntu 14.04.5 LTS

testcase.js:

clone(RangeError, Float64Array.type, RegExp, Intl.DateTimeFormat.type, Proxy, Uint32Array, Int32Array);

Actual results:

Backtrace:

program received signal SIGSEGV, Segmentation fault.
0x000000000044fdf2 in registerWithRootLists (roots=..., this=0x7fffffffcc90) at /firefox/js/src/build_DBG.OBJ/dist/include/js/RootingAPI.h:761
#0  0x000000000044fdf2 in registerWithRootLists (roots=..., this=0x7fffffffcc90) at /firefox/js/src/build_DBG.OBJ/dist/include/js/RootingAPI.h:761
#1  Rooted<JSContext*, JS::GCVector<JSObject*, 8ul> > (initial=<unknown type in /b1c31c4a0a67/js, CU 0x0, DIE 0x1bb472>, cx=<synthetic pointer>, this=0x7fffffffcc90) at /firefox/js/src/build_DBG.OBJ/dist/include/js/RootingAPI.h:791
#2  AutoObjectVector (cx=0x7ffff694c000, this=0x7fffffffcc90) at /firefox/js/src/jsapi.h:243
#3  Clone (cx=0x7ffff694c000, argc=7, vp=0x7fffdfdff090) at /firefox/js/src/shell/js.cpp:3072
#4  0x00000000004d73f0 in CallJSNative (args=..., native=0x44fbe0 <Clone(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff694c000) at /firefox/js/src/jscntxtinlines.h:239
#5  js::InternalCallOrConstruct (cx=0x7ffff694c000, args=..., construct=<optimized out>) at /firefox/js/src/vm/Interpreter.cpp:457
#6  0x00000000004ca2e0 in CallFromStack (args=..., cx=<optimized out>) at /firefox/js/src/vm/Interpreter.cpp:508
#7  Interpret (cx=0x7ffff694c000, state=...) at /firefox/js/src/vm/Interpreter.cpp:2919
#8  0x00000000004d6f36 in js::RunScript (cx=cx@entry=0x7ffff694c000, state=...) at /firefox/js/src/vm/Interpreter.cpp:403
#9  0x00000000004d8f7e in ExecuteKernel (result=<optimized out>, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7ffff694c000) at /firefox/js/src/vm/Interpreter.cpp:684
#10 js::Execute (cx=0x7ffff694c000, script=..., envChainArg=..., rval=<optimized out>) at /firefox/js/src/vm/Interpreter.cpp:717
#11 0x0000000000737e30 in JS_ExecuteScript (cx=cx@entry=0x7ffff694c000, scriptArg=scriptArg@entry=...) at /firefox/js/src/jsapi.cpp:4443
#12 0x000000000042a00f in RunFile (compileOnly=false, file=0x7fffdfde8000, filename=<optimized out>, cx=0x7ffff694c000) at /firefox/js/src/shell/js.cpp:647
#13 Process (cx=cx@entry=0x7ffff694c000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at /firefox/js/src/shell/js.cpp:1078
#14 0x0000000000430fbb in ProcessArgs (op=0x7fffffffdcc0, cx=0x7ffff694c000) at /firefox/js/src/shell/js.cpp:7207
#15 Shell (envp=<optimized out>, op=0x7fffffffdcc0, cx=0x7ffff694c000) at /firefox/js/src/shell/js.cpp:7569
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /firefox/js/src/shell/js.cpp:7947

register info:

rax 0x0 0
rbx 0x7ffff694c000 140737330331648
rcx 0x7fffffffd668 140737488344680
rdx 0x7fffdfdf4010 140736949338128
rsi 0x4511c0 4526528
rdi 0x7fffffffcb80 140737488341888
rbp 0x7fffffffcd40 0x7fffffffcd40
rsp 0x7fffffffcbc0 0x7fffffffcbc0
r8 0x7fffdfdff0d8 140736949383384
r9 0x7fffffffffff 140737488355327
r10 0x7ffff6982000 140737330552832
r11 0xfffdffffffffffff -562949953421313
r12 0x7fffdfdff090 140736949383312
r13 0x7fffffffcc90 140737488342160
r14 0x7 7
r15 0x7fffffffcbf0 140737488342000
rip 0x44fdf2 0x44fdf2 <Clone(JSContext*, unsigned int, JS::Value*)+530>

$pc info:

0x44fdf2 <Clone(JSContext*, unsigned int, JS::Value*)+530>: mov (%rax),%rdx
0x44fdf5 <Clone(JSContext*, unsigned int, JS::Value*)+533>: mov (%rdx),%rdx
0x44fdf8 <Clone(JSContext*, unsigned int, JS::Value*)+536>: testb $0x2,0xa(%rdx)
0x44fdfc <Clone(JSContext*, unsigned int, JS::Value*)+540>: je 0x44ff98 <Clone(JSContext*, unsigned int, JS::Value*)+952>
0x44fe02 <Clone(JSContext*, unsigned int, JS::Value*)+546>: lea 0x10(%r15),%rsi
0x44fe06 <Clone(JSContext*, unsigned int, JS::Value*)+550>: mov %r13,%rdx
0x44fe09 <Clone(JSContext*, unsigned int, JS::Value*)+553>: mov %rbx,%rdi
0x44fe0c <Clone(JSContext*, unsigned int, JS::Value*)+556>: callq 0x7407a0 <JS::CloneFunctionObject(JSContext*, JS::Handle<JSObject*>, JS::AutoObjectVector&)>
0x44fe11 <Clone(JSContext*, unsigned int, JS::Value*)+561>: test %rax,%rax
0x44fe14 <Clone(JSContext*, unsigned int, JS::Value*)+564>: je 0x44ffc8 <Clone(JSContext*, unsigned int, JS::Value*)+1000>

Expected results:

js should catch the exception and handle it without crashing.
Component: Untriaged → JavaScript Engine
OS: Unspecified → Linux
Priority: -- → P1
Product: Firefox → Core
Hardware: Unspecified → x86_64
Comment 1•7 years ago
note that "clone" is a shell-only testing function and it's an unsafe function that can easily crash the shell.
Comment 2•7 years ago
https://dxr.mozilla.org/mozilla-central/rev/f229b7e5d91eb70d23d3e31db7caff9d69a2ef04/js/src/shell/js.cpp#3216

> if (args.length() > 1) {
>     if (!JS_ValueToObject(cx, args[1], &parent))
>         return false;
> } else {
>     parent = js::GetGlobalForObjectCrossCompartment(&args.callee());
> }
>
> // Should it worry us that we might be getting with wrappers
> // around with wrappers here?
> JS::AutoObjectVector scopeChain(cx);
> if (!parent->is<GlobalObject>() && !scopeChain.append(parent))

here, `parent` is nullptr, because args[1] is not an object (`Float64Array.type` is undefined). we could throw an error by detecting the non-object argument, but at least it's not a critical issue, since it's shell-only.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: P1 → --
Summary: segmentation fault, crashing at /dist/include/js/RootingAPI.h:761 → "clone" shell-only testing function should check the type of arguments
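The null-`parent` path comment 2 describes, as an added example that is not SpiderMonkey code: a minimal model of the contract that bit shell `clone`. `JS_ValueToObject` reports success and yields a null object for undefined, so a caller that checks only the boolean dereferences nullptr; the hardened version rejects non-object arguments before converting. `Object`, `Value`, `Outcome` and the `cloneParent_*` functions are constructed stand-ins, not jsapi types.

```cpp
#include <cstdio>
// Constructed stand-ins for the jsapi types involved (not the real definitions).
struct Object { bool isGlobal; };
enum class Tag { Undefined, Null, Object };
struct Value {
    Tag tag;
    Object* obj;   // meaningful only when tag == Tag::Object
    bool isObject() const { return tag == Tag::Object; }
};
// Models the JS_ValueToObject contract that matters here: undefined and null
// convert to a null object pointer *and* report success (true).
bool ValueToObject(const Value& v, Object** out) {
    *out = v.isObject() ? v.obj : nullptr;
    return true;
}
enum class Outcome { Crash, TypeError, ParentIsGlobal, ParentAppended };
// Before: the shape of shell Clone() quoted in comment 2; arg == nullptr stands for
// "no second argument". Crash marks the nullptr deref in parent->is<GlobalObject>().
Outcome cloneParent_before(const Value* arg, Object* callerGlobal) {
    Object* parent = nullptr;
    if (arg) {
        if (!ValueToObject(*arg, &parent)) return Outcome::TypeError;  // never taken
    } else {
        parent = callerGlobal;
    }
    if (!parent) return Outcome::Crash;   // real code: SIGSEGV
    return parent->isGlobal ? Outcome::ParentIsGlobal : Outcome::ParentAppended;
}
// After: reject a non-object second argument before converting it (the check
// comment 2 suggests); the real code would report a TypeError and return false.
Outcome cloneParent_after(const Value* arg, Object* callerGlobal) {
    Object* parent = nullptr;
    if (arg) {
        if (!arg->isObject()) return Outcome::TypeError;
        if (!ValueToObject(*arg, &parent)) return Outcome::TypeError;
    } else {
        parent = callerGlobal;
    }
    return parent->isGlobal ? Outcome::ParentIsGlobal : Outcome::ParentAppended;
}
int main() {
    Object global{true};
    Value undefined{Tag::Undefined, nullptr};   // what Float64Array.type evaluates to
    std::printf("before=%d after=%d\n", (int)cloneParent_before(&undefined, &global),
                (int)cloneParent_after(&undefined, &global));
}
```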
Updated•7 years ago
Flags: sec-bounty?
Comment 3•7 years ago
Shell functions are outside the scope of the bug bounty.
Flags: sec-bounty? → sec-bounty-
Updated•7 years ago
Keywords: triage-deferred
Priority: -- → P3
Updated•2 years ago
Severity: minor → S4
Comment 4•10 months ago
The clone function is removed by the bug 1524590 patch.