Closed Bug 1082649 Opened 10 years ago Closed 10 years ago

Assertion failure: isAttached(), at builtin/TypedObject.cpp:1479

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla36
Tracking Flags:
Tracking Status
firefox35 --- unaffected
firefox36 --- verified
firefox-esr31 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
614 bytes, text/plain
Details
patch
1.31 KB, patch
nmatsakis
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 54217864bae9 (run with --no-threads --fuzzing-safe):


var {StructType, uint32, storage} = TypedObject;
var S = new StructType({f: uint32, g: uint32});
function main(variant) {
  var s = new S({f: 22, g: 44});
  neuter(storage(s).buffer, variant);
  storage(s);
}
main("same-data");
status-firefox36: --- → affected
Whiteboard: [jsbugmon:update,bisect]
At a glance, looks like StorageOfTypedObject needs the same TypedObjectIsAttached guard as a bunch of other accessor methods have.

It looks like, since I wrote the progenitor test to this mutation, new typed-object methods (or at least this one) have arisen that don't handle neutering correctly.  The process of fixing this bug should probably audit all buffer/length/byteLength/byteOffset accesses in all of TypedObject.js for proper guarding -- not just assuming this is the only one.
Marking s-s after discussing with Waldo. This is nightly only but it might be security-related.
Group: core-security
Bringing in bhackett as well, since he's been hacking on this code lately.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/91914270690b
user:        Brian Hackett
date:        Wed Oct 08 09:38:09 2014 -0700
summary:     Bug 1073836 - Remove byte offset slot and non-unsized uses of length from typed objects, r=nmatsakis.

This iteration took 597.966 seconds to run.
Needinfo from bhackett based on comment 5.
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
After bug 1073836 we can't compute the byte offset for outline typed objects with a detached buffer.  I don't think it makes much sense for storage() to do anything when the buffer is detached, and I didn't see anything addressing this in the typed objects wiki, so this patch just throws in that case.  The only other use of TypedObjectByteOffset is in MapTypedParImplDepth1.  I didn't find a check for attached typed objects anywhere in the functions calling that one; how are neuter checks supposed to happen with PJS execution?
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8509797 - Flags: review?(nmatsakis)
Attachment #8509797 - Flags: review?(nmatsakis) → review+
Regarding MapTypedParImplDepth1, it ought to check that the target array is not neutered I presume.
https://hg.mozilla.org/mozilla-central/rev/138f767ee224
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox36: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Status: RESOLVED → VERIFIED
status-firefox36: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: