Bug 1082649 (Closed)
Opened 10 years ago; Closed 10 years ago
Assertion failure: isAttached(), at builtin/TypedObject.cpp:1479
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla36

Tracking | Status
---|---
firefox35 | unaffected
firefox36 | verified
firefox-esr31 | unaffected

People: Reporter: decoder, Assigned: bhackett1024
Keywords: assertion, sec-high, testcase
Whiteboard: [jsbugmon:update]

Attachments (2 files):
- 614 bytes, text/plain
- 1.31 KB, patch (nmatsakis: review+)
The following testcase asserts on mozilla-central revision 54217864bae9 (run with --no-threads --fuzzing-safe):

var {StructType, uint32, storage} = TypedObject;
var S = new StructType({f: uint32, g: uint32});
function main(variant) {
  var s = new S({f: 22, g: 44});
  neuter(storage(s).buffer, variant);
  storage(s);
}
main("same-data");
Comment 1 • 10 years ago (Reporter)

Updated • 10 years ago (Reporter)
status-firefox36: --- → affected
Whiteboard: [jsbugmon:update,bisect]
Comment 2 • 10 years ago
At a glance, looks like StorageOfTypedObject needs the same TypedObjectIsAttached guard as a bunch of other accessor methods have. It looks like, since I wrote the progenitor test to this mutation, new typed-object methods (or at least this one) have arisen that don't handle neutering correctly. The process of fixing this bug should probably audit all buffer/length/byteLength/byteOffset accesses in all of TypedObject.js for proper guarding -- not just assuming this is the only one.
Comment 3 • 10 years ago (Reporter)
Marking s-s after discussing with Waldo. This is nightly only but it might be security-related.
Group: core-security
Updated • 10 years ago
status-firefox35: --- → unaffected
Keywords: sec-high
Comment 4 • 10 years ago
Bringing in bhackett as well, since he's been hacking on this code lately.
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 5 • 10 years ago (Reporter)
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/91914270690b
user: Brian Hackett
date: Wed Oct 08 09:38:09 2014 -0700
summary: Bug 1073836 - Remove byte offset slot and non-unsized uses of length from typed objects, r=nmatsakis.

This iteration took 597.966 seconds to run.
Comment 6 • 10 years ago (Reporter)
Needinfo from bhackett based on comment 5.
Flags: needinfo?(bhackett1024)
Comment 7 • 10 years ago (Assignee)
After bug 1073836 we can't compute the byte offset for outline typed objects with a detached buffer. I don't think it makes much sense for storage() to do anything when the buffer is detached, and I didn't see anything addressing this in the typed objects wiki, so this patch just throws in that case. The only other use of TypedObjectByteOffset is in MapTypedParImplDepth1. I didn't find a check for attached typed objects anywhere in the functions calling that one; how are neuter checks supposed to happen with PJS execution?
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8509797 - Flags: review?(nmatsakis)
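The unguarded accessor that comment 2 identifies and the attached check that the patch in comment 7 adds, modelled in plain JavaScript as an added example (this is not SpiderMonkey code; StructView, isAttached, requireAttached and the use of an ArrayBuffer transfer to stand in for the shell's neuter() are this example's own assumptions):

```javascript
// Added example (not SpiderMonkey code): a plain-JS model of a struct-typed view
// over an ArrayBuffer. "neuter" in the testcase == detaching the buffer; we detach
// by transferring it (structuredClone, Node 17+; older Node: MessageChannel).
function detach(buf) {
  if (typeof structuredClone === 'function') return void structuredClone(buf, { transfer: [buf] });
  const { MessageChannel } = require('worker_threads');
  const { port1, port2 } = new MessageChannel();
  port1.postMessage(buf, [buf]); port1.close(); port2.close();
}

// Attachment check: the standard getter (Node 21+) if present, else the fact that a
// detached ArrayBuffer reports byteLength 0 (assumes the view's buffer was non-empty).
function isAttached(buf) {
  return 'detached' in ArrayBuffer.prototype ? !buf.detached : buf.byteLength !== 0;
}

// Mirrors S = new StructType({f: uint32, g: uint32}): two uint32 fields at byteOffset.
class StructView {
  constructor(buffer, byteOffset) {
    this.buffer = buffer; this.byteOffset = byteOffset; this.byteLength = 8;
    new Uint32Array(buffer, byteOffset, 2).set([22, 44]);
  }
}
// Unguarded accessor (the state the bug reports): hands out an offset and length
// into a buffer that no longer has a backing store.
function storageUnguarded(v) {
  return { buffer: v.buffer, byteOffset: v.byteOffset, byteLength: v.byteLength };
}

// Comment 2's audit point: wrap every buffer/offset/length accessor once, so the
// TypedObjectIsAttached-style check cannot be forgotten on any of them.
function requireAttached(fn) {
  return (v, ...args) => {
    if (!isAttached(v.buffer)) throw new TypeError('typed object is not attached');
    return fn(v, ...args);
  };
}
const storage = requireAttached(storageUnguarded); // what the patch does for storage()
const byteOffsetOf = requireAttached((v) => v.byteOffset);

function demo() {
  const buf = new ArrayBuffer(16);
  const s = new StructView(buf, 8);
  const before = storage(s).byteOffset;      // 8: buffer attached, accessor succeeds
  detach(buf);
  const stale = storageUnguarded(s);         // still claims offset 8 into a 0-byte buffer
  let guarded;
  try { byteOffsetOf(s); guarded = 'returned'; } catch (e) { guarded = e.constructor.name; }
  return { before, staleOffset: stale.byteOffset, staleLen: stale.buffer.byteLength, guarded };
}
```

Run demo() to see the contrast: the unguarded accessor still reports byteOffset 8 against a buffer whose byteLength is now 0, while every wrapped accessor refuses with a TypeError once the buffer is detached.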
Updated • 10 years ago
Attachment #8509797 - Flags: review?(nmatsakis) → review+
Comment 8 • 10 years ago
Regarding MapTypedParImplDepth1, it ought to check that the target array is not neutered I presume.
Comment 9 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/138f767ee224
Comment 10 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/138f767ee224
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Updated • 10 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 11 • 10 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Updated • 10 years ago
status-firefox-esr31: --- → unaffected
Updated • 9 years ago
Group: core-security