1085308 - Crash [@ getClass] with poisoned address

Status: RESOLVED DUPLICATE of bug 1066659

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 33c0181c4a25 (run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking --arm-sim-icache-checks):


function reportCompare (expected, actual, description) {
  var expected_t = typeof expected;
  var actual_t = typeof actual;
  var output = "";
    output += "Type mismatch, expected type " + expected_t +
      ", actual type " + actual_t + " ";
  if (expected != actual) {
    output += "Expected value '" + toPrinted(expected) +
    printStatus ("Expected value '" + toPrinted(expected) +
                 "' matched actual value '" + toPrinted(actual) + "'");
  }
}
gczeal(9, 2)
var summary = 'this.JSON should not be enumerable';
test();
function test() {
  for (var i in this)  {
      actual = i;
  }
try {
  reportCompare(arguments && this ? new Object() : fin2!==1, summary);
} catch(exc1) {}
}
test();

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Test requires a non-debug (optimized) ARM simulator build and is intermittent (but reproduces > 50% of the time). Crash trace:


Program received signal SIGSEGV, Segmentation fault.
0x0847916f in getClass (this=(const JSObject * const) 0xf5900000 Cannot access memory at address 0x2b2b2b2b) at js/src/vm/RegExpStatics.cpp:120
120     }
#0  0x0847916f in getClass (this=(const JSObject * const) 0xf5900000 Cannot access memory at address 0x2b2b2b2b) at js/src/vm/RegExpStatics.cpp:120
#1  is<js::StringObject> (this=(const JSObject * const) 0xf5900000 Cannot access memory at address 0x2b2b2b2b) at js/src/jsobj.h:756
#2  ToPrimitive (vp=$jsval(-nan(0xfff88f5900000)), cx=0x92c9af0) at js/src/jsobjinlines.h:500
#3  js::LooselyEqual (cx=0x92c9af0, lval=..., rval=..., result=0xf34febdc) at js/src/vm/Interpreter.cpp:732
#4  0x08342ac8 in js::jit::LooselyEqual<false> (cx=0x92c9af0, lhs=$jsval(-nan(0xfff88f5900000)), rhs=$jsval(-nan(0xfff85f3120c40)), res=0xf34febdc) at js/src/jit/VMFunctions.cpp:236
#5  0x0833ac09 in js::jit::Simulator::softwareInterrupt (this=0x92c9098, instr=0x9359d84) at js/src/jit/arm/Simulator-arm.cpp:2173
#6  0x08337fec in js::jit::Simulator::instructionDecode (this=this@entry=0x92c9098, instr=instr@entry=0x9359d84) at js/src/jit/arm/Simulator-arm.cpp:4162
#7  0x08348934 in js::jit::Simulator::execute<false> (this=0x92c9098) at js/src/jit/arm/Simulator-arm.cpp:4215
eax     0x2b2b2b2b      724249387
=> 0x847916f <js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*)+255>:     mov    (%eax),%ebp


Marked s-s and sec-critical because this crashes at 0x2b2b2b2b and is GC-related (assuming use-after-free).

Comment 3

[Christian Holler (:decoder)]

Cc and needinfo for terrence and jonco, please pass this on to someone else if you are the wrong people to look at this :) Thanks!

Comment 4

[Terrence Cole [:terrence]]

I reproed this in the arm simulator: it seems to be identical to bug 1066659.

Comment 5

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 6

[Christian Holler (:decoder)]

Didn't see that this is intermittent, putting on the ignore list for JSBugMon for now.

Comment 7

[Brian Hackett [Laid off!]]

The patch in bug 1066659 fixes this crash for me.