Closed Bug 795574 Opened 12 years ago Closed 12 years ago

Crash [@ js::GetObjectClass] or [@ js::ComputeImplicitThis]

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla18

Tracking Flags:

Tracking

Status

firefox15

---

unaffected

firefox16

---

unaffected

firefox17

verified

firefox18

verified

firefox-esr10

---

unaffected

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 1 obsolete file)

stack 12 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 6.29 KB, text/plain		Details
fix and test 12 years ago Luke Wagner [:luke] 6.03 KB, patch		Details \| Diff \| Splinter Review
fix and test 12 years ago Luke Wagner [:luke] 6.64 KB, patch	Waldo : review+ bajaj : approval-mozilla-aurora+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

12 years ago

Attached file stack — Details

Function("\
    __defineGetter__(\"x\", function() {\
        delete this[\"x\"];\
    });\
    x()\
")()

crashes js debug and opt shell on m-c changeset c09a0c022b2e without any CLI arguments at js::GetObjectClass

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102943:57c1c330e85f
user:        Luke Wagner
date:        Fri Aug 17 18:09:43 2012 -0700
summary:     Bug 774915 - don't use the property cache for dynamic name lookup (r=bhackett)

Inspection of the registers shows to likely be a null deref (%rax and %rcx in %pc are null or near-null), but setting s-s just to be safe.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 1

•

12 years ago

Similar testcases crash at js::ComputeImplicitThis.

Crash Signature: [@ js::GetObjectClass] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

Summary: Crash [@ js::GetObjectClass] → Crash [@ js::GetObjectClass] or [@ js::ComputeImplicitThis]

Christian Holler (:decoder)

Updated

•

12 years ago

Crash Signature: [@ js::GetObjectClass] [@ js::ComputeImplicitThis] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

Luke Wagner [:luke]

Assignee

Comment 2

•

12 years ago

Ahh, IMPLICITTHIS can, as this example demonstrates, miss, which returns a null 'scope' hence the (safe) NULL deref.  IMPLICITTHIS should use the 'global'-defaulting LookupNameForSet variant (which now needs to be renamed).

Group: core-security

Crash Signature: [@ js::GetObjectClass] [@ js::ComputeImplicitThis] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

Luke Wagner [:luke]

Assignee

Comment 3

•

12 years ago

Attached patch fix and test (obsolete) — Details — Splinter Review

Simple fix: most of the patch is renaming LookupNameForSet, only real change is JSOP_IMPLICITTHIS.

Assignee: general → luke

Status: NEW → ASSIGNED

Attachment #666741 - Flags: review?(jwalden+bmo)

Alex Keybl [:akeybl]

Comment 4

•

12 years ago

We don't track all regressions for a specific release. This isn't a high volume crash or a security issue, so what's the user impact here?

Luke Wagner [:luke]

Assignee

Comment 5

•

12 years ago

Attached patch fix and test — Details — Splinter Review

Oops, need the symmetric fix in the JM stub call.  IM doesn't handle IMPLICITTHIS.

Attachment #666741 - Attachment is obsolete: true

Attachment #666741 - Flags: review?(jwalden+bmo)

Attachment #666754 - Flags: review?(jwalden+bmo)

Luke Wagner [:luke]

Assignee

Comment 6

•

12 years ago

(In reply to Alex Keybl [:akeybl] from comment #4)
> We don't track all regressions for a specific release. This isn't a high
> volume crash or a security issue, so what's the user impact here?

If a site triggers the condition (which seems relatively rare, but the web is vast), we'll get a null deref.  It's hard to tell what the actual crash volume is; ComputeImplicitThis is an inline function which means that crashes will likely show up as js::Interpret in release builds.

Christian Holler (:decoder)

Updated

•

12 years ago

Crash Signature: [@ js::GetObjectClass] [@ js::ComputeImplicitThis] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

Jeff Walden [:Waldo]

Comment 7

•

12 years ago

Comment on attachment 666754 [details] [diff] [review]
fix and test

Review of attachment 666754 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/basic/testImplicitThisMiss.js
@@ +1,3 @@
> +// |jit-test| error:TypeError
> +var f = Function("\
> +    __defineGetter__(\"x\", function() {\

Object.defineProperty(this, "x", { configurable: true, get: function() { ... } });

@@ +1,4 @@
> +// |jit-test| error:TypeError
> +var f = Function("\
> +    __defineGetter__(\"x\", function() {\
> +        delete this[\"x\"];\

Use ' for readability in these lines?  Or maybe convert this whole thing into a function expression, not a runtime-compiled function?  Would read a whole lot better that way...

Attachment #666754 - Flags: review?(jwalden+bmo) → review+

Luke Wagner [:luke]

Assignee

Comment 8

•

12 years ago

(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #7)
> Or maybe convert this whole thing into a function expression, 

Function is necessary to generate JSOP_IMPLICITTHIS.

Crash Signature: [@ js::GetObjectClass] [@ js::ComputeImplicitThis] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

Luke Wagner [:luke]

Assignee

Comment 9

•

12 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/8b5a786ee47b

Christian Holler (:decoder)

Updated

•

12 years ago

Crash Signature: [@ js::GetObjectClass] [@ js::ComputeImplicitThis] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

Ryan VanderMeulen [:RyanVM]

Comment 10

•

12 years ago

https://hg.mozilla.org/mozilla-central/rev/8b5a786ee47b

Status: ASSIGNED → RESOLVED

Closed: 12 years ago

Flags: in-testsuite+

Resolution: --- → FIXED

Target Milestone: --- → mozilla18

Scoobidiver (away)

Updated

•

12 years ago

Crash Signature: [@ js::GetObjectClass] [@ js::ComputeImplicitThis] → [@ js::GetObjectClass] [@ js::ComputeImplicitThis]

status-firefox18: affected → fixed

Alex Keybl [:akeybl]

Comment 11

•

12 years ago

Tracking for FF17, but if this doesn't get fixed while 17 is on Aurora and has a non-zero risk fix, we'll likely untrack due to lack of data.

tracking-firefox17: ? → +

tracking-firefox18: ? → +

Luke Wagner [:luke]

Assignee

Comment 12

•

12 years ago

Comment on attachment 666754 [details] [diff] [review]
fix and test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 774915
User impact if declined: null deref crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): seems pretty low, just restoring accidentally-changed previous behavior in a rare op

Attachment #666754 - Flags: approval-mozilla-aurora?

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 13

•

12 years ago

Release drivers, ping re: approval-mozilla-aurora?

bhavana bajaj [:bajaj]

Comment 14

•

12 years ago

Comment on attachment 666754 [details] [diff] [review]
fix and test

 Approving for aurora . Please land before monday oct 8th merge.

Attachment #666754 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Luke Wagner [:luke]

Assignee

Comment 15

•

12 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/28ef082de058

status-firefox17: affected → fixed

u279076

Updated

•

12 years ago

Keywords: verifyme

Manuela Muntean [Away]

Comment 16

•

12 years ago

No new crashes appear in Socorro in the last month.

status-firefox17: fixed → verified

Manuela Muntean [Away]

Comment 17

•

12 years ago

In the last month, no new crashes appear in Socorro.

status-firefox18: fixed → verified

Manuela Muntean [Away]

Updated

•

12 years ago

Status: RESOLVED → VERIFIED

Keywords: verifyme

You need to log in before you can comment on or make changes to this bug.