Closed
Bug 1087310
Opened 10 years ago
Closed 10 years ago
Assertion failure: obj->isNative(), at c:\mozilla\builds\nightly\mozilla\js\src\gc/Marking.cpp:974
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
Tracking | Status | |
---|---|---|
firefox36 | --- | fixed |
People
(Reporter: cbook, Assigned: bhackett1024)
References
()
Details
(Keywords: assertion)
Attachments
(4 files)
found via bughunter. Steps to reproduce (Windows 7 Debug Build latest Trunk) -> Load http://www.redplanet.gr/podosfairo/parwn-o-ampintal-me-gioyventoys-kai-panathhnaiko.3092445.html -->>> Assertion failure: obj->isNative(), at c:\mozilla\builds\nightly\mozilla\js\src\gc/Marking.cpp:974 will test if i can get a testcase etc
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
marking sec-sensitive just in case. Seems older Assertion failure: obj->isNative() were sec bugs before Jandem, bhacket could you take a look at this. Thanks!
Group: core-security
Flags: needinfo?(jdemooij)
Flags: needinfo?(bhackett1024)
Reporter | ||
Comment 3•10 years ago
|
||
Assignee | ||
Comment 4•10 years ago
|
||
This is a GGC bug. Here is what happens: 1) We create a tenured native object A (a DOM object) and stick a nursery pointer in one of its slots. 2) This causes a SlotsEdge entry to be added to the store buffer. 3) We then swap A with another object B, a proxy. 4) When we do a nursery collection, there is a SlotsEdge with a pointer to a proxy and a slot range that no longer makes any sense. The assertion failure is new as of bug 1073842, but the problem goes back before that. Since bug 1073842 uses a layout for proxies that mimics that of normal native objects, the same catastrophes can befall us now that befell us earlier. If user scripts can access object A before it is swapped, this is a huge security hole (both now and before bug 1073842.) If they can't, this is still a big problem that prevents using better proxy layouts, and won't be easy to fix. A couple options are doing a nursery GC whenever we swap two objects, or removing the SlotsEdge store buffer entirely. I would be in favor of the latter option as I don't think this store buffer does anything that the whole cell store buffer doesn't do better (the JIT doesn't even use the SlotsEdge store buffer). JSObject::swap is just such an incredibly dangerous API, for this and other reasons, and it would be nice if we had more forcible constraints for reasoning about when it can be used.
Flags: needinfo?(bhackett1024) → needinfo?(terrence)
Comment 5•10 years ago
|
||
Last time I tried removing the SlotsEdge buffer, I saw a massive regression on PDF.js because of all the slice operations it does. The SlotsEdges should be clipping themselves to the valid range of the current object so it's probably just a bug in that logic.
Flags: needinfo?(terrence)
Assignee | ||
Comment 6•10 years ago
|
||
Ah, I didn't notice that SlotsEdge was restricting the slots it marked to those currently valid in the object.
Assignee: nobody → bhackett1024
Attachment #8509774 -
Flags: review?(terrence)
Comment 7•10 years ago
|
||
Comment on attachment 8509774 [details] [diff] [review] patch Review of attachment 8509774 [details] [diff] [review]: ----------------------------------------------------------------- Perfect! ::: js/src/gc/StoreBuffer.cpp @@ +27,5 @@ > NativeObject *obj = object(); > > + // Beware JSObject::swap exchanging a native object for a non-native one. > + if (!obj->isNative()) > + return; Extra whitespace at eol.
Attachment #8509774 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ffbdc473752d
Updated•10 years ago
|
Flags: needinfo?(jdemooij)
Comment 9•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ffbdc473752d Seems like this needs a sec rating, sec-approval (depending on the rating), and branch nominations, yes?
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox36:
--- → fixed
Flags: needinfo?(bhackett1024)
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Assignee | ||
Comment 10•10 years ago
|
||
No, actually, since SlotsEdge does restrict the slots it marks to those which are present on the object, this is a bogus assert. Non-native objects have a slot span of zero.
Flags: needinfo?(bhackett1024)
Assignee | ||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•