Closed
Bug 969174
Opened 10 years ago
Closed 10 years ago
Crash [@ compartment] with use-after-free or Opt-Crash [@ MarkInternal<JSObject>]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla31

Branch | Tracking | Status
---|---|---
firefox29 | --- | disabled
firefox30 | + | disabled
firefox31 | + | verified
firefox-esr24 | --- | unaffected
b2g-v1.3 | --- | unaffected
b2g-v1.4 | --- | disabled
b2g-v2.0 | --- | fixed

People: Reporter: decoder, Assigned: nmatsakis
Details: 4 keywords, Whiteboard: [jsbugmon:origRev=6de7f6039a68,testComment=8]
Attachments (1 file): 1.15 KB, text/plain
The following testcase crashes on mozilla-central revision 1e9f169c9715 (run with --fuzzing-safe):

gczeal(9, 2);
function toString() { TypedObject.uint32.array(3); }
var o = {valueOf: undefined, toString: toString};
for (var i = 0; i < 100; i++) var q = 5 + o;
Reporter
Comment 1 • 10 years ago

Reporter
Comment 2 • 10 years ago
Debug crash trace:

Program received signal SIGSEGV, Segmentation fault.
compartment (this=<optimized out>) at js/src/frontend/NameFunctions.cpp:358
358 }
#0 compartment (this=<optimized out>) at js/src/frontend/NameFunctions.cpp:358
#1 IsObjectValueInCompartment (comp=<optimized out>, v=...) at js/src/vm/ObjectImpl.h:1641
#2 js::ObjectImpl::initSlot (this=0x7ffff615d0c0, slot=0, value=...) at js/src/vm/ObjectImpl.h:1367
#3 0x00000000004dfad8 in initReservedSlot (v=..., index=0, this=<optimized out>) at js/src/jsobj.h:445
#4 js::ArrayMetaTypeDescr::create<js::SizedArrayTypeDescr> (cx=0x1831f70, arrayTypePrototype=..., arrayTypeReprObj=..., elementType=...) at js/src/builtin/TypedObject.cpp:550
#5 0x00000000004c2b51 in js::UnsizedArrayTypeDescr::dimension (cx=0x1831f70, argc=<optimized out>, vp=0x182e318) at js/src/builtin/TypedObject.cpp:669
#6 0x00000000009210a1 in js::CallJSNative (cx=0x1831f70, native=0x4c2870 <js::UnsizedArrayTypeDescr::dimension(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:220
#7 0x000000000090e30d in js::Invoke (cx=0x1831f70, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:466
rax 0xdadadada -2676586395008836902
rip 0x4db271 <js::ObjectImpl::initSlot(unsigned int, JS::Value const&)+257>
=> 0x4db271 <js::ObjectImpl::initSlot(unsigned int, JS::Value const&)+257>: mov (%rax),%rax

Marked s-s due to use-after-free.
Crash Signature: [@ compartment] with use-after-free or Opt-Crash [@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Keywords: csectype-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Reporter
Comment 3 • 10 years ago
I'm still seeing this on tip, needinfo from :nmatsakis because this is related to TypedObject.
Reporter
Updated • 10 years ago
Flags: needinfo?(nmatsakis)
Assignee
Updated • 10 years ago
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
Updated • 10 years ago
status-firefox30: --- → affected
tracking-firefox30: --- → +
Reporter
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
Reporter
Comment 4 • 10 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 18e7634d4094).
Reporter
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Assignee
Comment 5 • 10 years ago
So far I've only succeeded in reducing the test case to:

gczeal(9, 2);
function toString() { TypedObject.uint32.array(3); }
for (var i = 0; i < 100; i++) toString();

Removing any part of this, including the intermediate function toString(), seems to remove the crash.
Updated • 10 years ago
status-b2g-v1.4: --- → disabled
status-firefox29: --- → disabled
Reporter
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Reporter
Comment 6 • 10 years ago
JSBugMon: Fix Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/22d628a02331
user: Nicholas D. Matsakis
date: Thu Jan 30 15:21:02 2014 -0500
summary: Bug 966575 part 9 -- Remove unused type object r=sfink

This iteration took 351.294 seconds to run.
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Assignee
Comment 7 • 10 years ago
I was investigating this more. Clearly this is a bug with the weak pointer support for type representations. I can dig more into this, however I'm inclined not to, because this bug is also fixed by the patches currently under review for bug 966575.
Updated • 10 years ago
status-b2g-v1.3: --- → unaffected
status-firefox-esr24: --- → unaffected
Reporter
Comment 8 • 10 years ago
Here's a test that still reproduces on tip (Revision 6de7f6039a68):

gczeal(8, 1);
try {
  function TestCase( ... a ) {}
  for (var i = 0; i < 2; ++i)
    TypedObject.uint32.array(3);
} catch(exc1) {}
Whiteboard: [jsbugmon:] → [jsbugmon:update,origRev=6de7f6039a68,testComment=8]
Updated • 10 years ago
Group: javascript-core-security
Comment 9 • 10 years ago
Hi Niko, have all the bug 966575 patches landed? I'm guessing not based on comment 7 + comment 8.
Flags: needinfo?(nmatsakis)
Assignee
Comment 10 • 10 years ago
The remaining two patches have not landed due to a lingering ASAN failure I observe on try but haven't been able to reproduce locally. I really want to land them since I have other patches gated on them as well, so I will try to prioritize diagnosing that problem next week. I need to find an appropriate machine to run the tests on.
Flags: needinfo?(nmatsakis)
Assignee
Comment 11 • 10 years ago
Update: I've resolved the failure that was blocking bug 966575, but waiting on review.
Updated • 10 years ago
status-firefox31: --- → affected
tracking-firefox31: --- → +
Reporter
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:update,origRev=6de7f6039a68,testComment=8] → [jsbugmon:update,origRev=6de7f6039a68,testComment=8,ignore]
Reporter
Comment 12 • 10 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5b6e82e7bbbf).
Reporter
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:update,origRev=6de7f6039a68,testComment=8,ignore] → [jsbugmon:origRev=6de7f6039a68,testComment=8,bisectfix]
Reporter
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:origRev=6de7f6039a68,testComment=8,bisectfix] → [jsbugmon:origRev=6de7f6039a68,testComment=8]
Reporter
Comment 13 • 10 years ago
JSBugMon: Fix Bisection requested, result:

=== Tinderbox Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20140401044332" and the hash "5641d9a1653f".
The "good" changeset has the timestamp "20140401052932" and the hash "e06713a76a41".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5641d9a1653f&tochange=e06713a76a41
Reporter
Comment 14 • 10 years ago
Fixed by bug 966575 :)
Status: NEW → RESOLVED
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Closed: 10 years ago
Resolution: --- → FIXED
Reporter
Updated • 10 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
Reporter
Comment 15 • 10 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 10 years ago
Crash Signature: [@ compartment]
[@ MarkInternal<JSObject>] → [@ compartment]
[@ MarkInternal<JSObject>]
status-b2g-v2.0: --- → fixed
Target Milestone: --- → mozilla31
Updated • 10 years ago
Group: javascript-core-security
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release