Closed
Bug 1113150
Opened 10 years ago
Closed 10 years ago
Crash [@ js::NativeObject::getReservedSlot] or [@ js::jit::TypedObjectPrediction::addDescr] or [@ js::OutlineTypedObject::obj_trace]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1113744
Release | Tracking | Status
---|---|---
firefox37 | --- | affected
People
(Reporter: decoder, Unassigned)
References
Details
(5 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])
Crash Data
The following testcase crashes on mozilla-central revision b7eb1ce0237d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --no-threads):
try {
    var A = TypedObject.uint8.array(0);
    var a = new A();
    var AA = TypedObject.uint8.array(2147483647).array(0);
    function A() {}
    (Object.seal)(this)
    gczeal(2);
    function PJS_div4(v, s) {}
} catch (exc4) {}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x081620f5 in js::NativeObject::getReservedSlot (this=0xf6059580, index=0) at js/src/vm/NativeObject.h:842
842 MOZ_ASSERT(index < JSSLOT_FREE(getClass()));
#0 0x081620f5 in js::NativeObject::getReservedSlot (this=0xf6059580, index=0) at js/src/vm/NativeObject.h:842
#1 0x08109543 in kind (this=<optimized out>) at js/src/builtin/TypedObject.h:157
#2 js::TypedObject::obj_getGeneric (cx=0x9674aa8, obj=..., receiver=..., id=..., vp=...) at js/src/builtin/TypedObject.cpp:1811
#3 0x080bc8a3 in JSObject::getGeneric (cx=0x9674aa8, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1404
#4 0x085e3098 in getProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x9674aa8) at js/src/jsobj.h:630
#5 js::ValueToSource (cx=0x9674aa8, v=...) at js/src/jsstr.cpp:4266
#6 0x080fd505 in js::ObjectToSource (cx=0x9674aa8, obj=...) at js/src/builtin/Object.cpp:264
#7 0x080fe254 in obj_toSource (cx=0x9674aa8, argc=0, vp=0xffffbdc4) at js/src/builtin/Object.cpp:117
#8 0x08710880 in js::CallJSNative (cx=0x9674aa8, native=0x80fe1b0 <obj_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#9 0x086efce4 in js::Invoke (cx=0x9674aa8, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:482
#10 0x086f10cc in js::Invoke (cx=0x9674aa8, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:538
#11 0x085e32d7 in js::ValueToSource (cx=0x9674aa8, v=...) at js/src/jsstr.cpp:4270
#12 0x085f8a70 in js::DecompileValueGenerator (cx=0x9674aa8, spindex=0, v=..., fallbackArg=..., skipStackHits=0) at js/src/jsopcode.cpp:1853
#13 0x0854b300 in js_ReportValueErrorFlags (cx=0x9674aa8, flags=0, errorNumber=41, spindex=0, v=..., fallback=..., arg1=0x0, arg2=0x0) at js/src/jscntxt.cpp:951
#14 0x085a4869 in JSObject::reportNotExtensible (this=0xf6047040, cxArg=0x9674aa8, report=0) at js/src/jsobj.cpp:3337
#15 0x087a76ea in js::NativeObject::putProperty<(js::ExecutionMode)0> (cx=0x9674aa8, obj=..., id=..., getter=0x0, setter=0x0, slot=16777215, attrs=5, flags=0) at js/src/vm/Shape.cpp:798
#16 0x086ff3d7 in DefinePropertyOrElement<(js::ExecutionMode)0> (cx=0x9674aa8, obj=..., id=..., getter=0x0, setter=0x0, attrs=5, value=..., callSetterAfterwards=false, setterIsStrict=false) at js/src/vm/NativeObject.cpp:1266
#17 0x087006f3 in js::DefineNativeProperty (cx=0x9674aa8, obj=..., id=..., value=..., getter=0x0, setter=0x0, attrs=<optimized out>) at js/src/vm/NativeObject.cpp:1559
#18 0x0859ca4a in JSObject::defineGeneric (cx=0x9674aa8, obj=..., id=..., value=..., getter=0x0, setter=0x0, attrs=5) at js/src/jsobj.cpp:2902
#19 0x085a5ac4 in JSObject::defineProperty (cx=0x9674aa8, obj=..., name=0xf60559c0, value=..., getter=0x0, setter=0x0, attrs=5) at js/src/jsobj.cpp:2911
#20 0x08705c93 in js::DefFunOperation (cx=0x9674aa8, script=..., scopeChain=..., funArg=...) at js/src/vm/Interpreter.cpp:3702
#21 0x086e7367 in Interpret (cx=0x9674aa8, state=...) at js/src/vm/Interpreter.cpp:2982
#22 0x086ef072 in js::RunScript (cx=0x9674aa8, state=...) at js/src/vm/Interpreter.cpp:432
[...]
eax 0x0 0
ebx 0x962fff4 157482996
ecx 0x0 0
edx 0x0 0
esi 0xf6059580 -167406208
edi 0x0 0
ebp 0xffffb438 4294947896
esp 0xffffb410 4294947856
eip 0x81620f5 <js::NativeObject::getReservedSlot(unsigned int) const+37>
=> 0x81620f5 <js::NativeObject::getReservedSlot(unsigned int) const+37>: movzbl 0x5(%eax),%eax
0x81620f9 <js::NativeObject::getReservedSlot(unsigned int) const+41>: cmp %edi,%eax
Marking s-s because the bug involves gczeal.
Comment 1•10 years ago
This crashes with various signatures on Mac as well quite often, so setting [fuzzblocker].
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/46ae5134ab00
user: Brian Hackett
date: Fri Dec 12 13:36:56 2014 -0700
summary: Bug 1107226 - Share prototype objects for typed object arrays with the same element type, r=nmatsakis.
Brian, is bug 1107226 a likely regressor?
Blocks: 1107226
Crash Signature: [@ js::NativeObject::getReservedSlot] → [@ js::NativeObject::getReservedSlot] [@ js::jit::TypedObjectPrediction::addDescr] [@ js::OutlineTypedObject::obj_trace]
Flags: needinfo?(bhackett1024)
OS: Linux → All
Hardware: x86 → All
Summary: Crash [@ js::NativeObject::getReservedSlot] → Crash [@ js::NativeObject::getReservedSlot] or [@ js::jit::TypedObjectPrediction::addDescr] or [@ js::OutlineTypedObject::obj_trace]
Whiteboard: [jsbugmon:update,bisect] → [fuzzblocker][jsbugmon:update]
Comment 2•10 years ago
I'm also seeing similar crashes with a 0x4b4b4b4b pattern, assuming use-after-free.
Keywords: csectype-uaf, sec-critical
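The two signals the reporter is reading off the crashes (a register dump where the dereferenced base register is 0, versus a 0x4b4b4b4b fill pattern that points at memory the GC already poisoned) can be checked mechanically. The script below is an added triage helper for this page, not code from the bug or from SpiderMonkey: it parses a gdb register dump plus the `=>` faulting-instruction line, flags registers holding a repeated-byte fill value, resolves the faulting AT&T memory operand against the registers, and returns a verdict. The register dump embedded as `BUG_DUMP` is copied from the description; `UAF_DUMP` is a constructed variant with the 0x4b4b4b4b value from comment 2 in eax, and the `NULL_PAGE` threshold is an assumption of the example.

```python
"""Crash-dump triage for SpiderMonkey shell crashes.

Added example for this bug, not code from the bug or from SpiderMonkey.
It reads a gdb register dump plus the faulting instruction line and applies
two checks a triager does by hand:
  1. a register holding a repeated-byte fill value (e.g. 0x4b4b4b4b) means the
     crash touched memory that had already been poisoned, the usual
     use-after-free signal mentioned in comment 2;
  2. a faulting memory operand whose base register is (near) NULL points at a
     null or uninitialised pointer instead, which is what the eax=0 dump in
     the description shows.
The NULL_PAGE threshold is an assumption for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

REG_RE = re.compile(r"^(e[a-d]x|e[sd]i|e[bs]p|eip)\s+0x([0-9a-fA-F]+)")
# gdb marks the faulting instruction with "=>", e.g.
# "=> 0x81620f5 <js::NativeObject::getReservedSlot(unsigned int) const+37>: movzbl 0x5(%eax),%eax"
FAULT_RE = re.compile(r"^=>\s+0x[0-9a-fA-F]+\s+<[^>]*>:\s+\S+\s+(.*)$")
# AT&T memory operand: optional displacement, then "(%base".
MEM_OPERAND_RE = re.compile(r"(-?0x[0-9a-fA-F]+|-?\d+)?\(%([a-z]+)")

NULL_PAGE = 0x1000   # assumption: addresses below this are null-pointer dereferences
MASK32 = 0xFFFFFFFF  # the build in the report is i686, so registers are 32-bit


@dataclass
class Triage:
    fill_registers: Dict[str, int] = field(default_factory=dict)
    fault_base_register: Optional[str] = None
    fault_address: Optional[int] = None
    verdict: str = "unknown"


def is_repeated_byte(value: int, width: int = 4) -> bool:
    """True when every byte of a width-byte value is the same non-zero byte."""
    low = value & 0xFF
    if low == 0:
        return False
    return all(((value >> (8 * i)) & 0xFF) == low for i in range(width))


def triage(dump: str) -> Triage:
    regs: Dict[str, int] = {}
    operand: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = FAULT_RE.match(line)
        if m:
            operand = m.group(1)

    result = Triage()
    result.fill_registers = {r: v for r, v in regs.items() if is_repeated_byte(v)}

    if operand:
        mem = MEM_OPERAND_RE.search(operand)
        if mem:
            disp = int(mem.group(1), 0) if mem.group(1) else 0
            base = mem.group(2)
            result.fault_base_register = base
            if base in regs:
                result.fault_address = (regs[base] + disp) & MASK32

    if result.fault_base_register in result.fill_registers:
        result.verdict = "poisoned memory dereferenced: likely use-after-free"
    elif result.fault_address is not None and result.fault_address < NULL_PAGE:
        result.verdict = "null-pointer dereference"
    elif result.fill_registers:
        result.verdict = "poison pattern in registers: possible use-after-free"
    return result


# Register dump and faulting instruction copied from this bug's description.
BUG_DUMP = """\
eax 0x0 0
ebx 0x962fff4 157482996
ecx 0x0 0
edx 0x0 0
esi 0xf6059580 -167406208
edi 0x0 0
ebp 0xffffb438 4294947896
esp 0xffffb410 4294947856
eip 0x81620f5 <js::NativeObject::getReservedSlot(unsigned int) const+37>
=> 0x81620f5 <js::NativeObject::getReservedSlot(unsigned int) const+37>: movzbl 0x5(%eax),%eax
"""

# Constructed dump (not from the bug) with the 0x4b4b4b4b fill from comment 2 in eax.
UAF_DUMP = BUG_DUMP.replace("eax 0x0 0", "eax 0x4b4b4b4b 1263225675", 1)

if __name__ == "__main__":
    for name, dump in (("bug dump", BUG_DUMP), ("constructed UAF dump", UAF_DUMP)):
        t = triage(dump)
        print(f"{name}: {t.verdict} (fault via %{t.fault_base_register}, "
              f"address {t.fault_address:#x})")
```

On the dump from the description the fault resolves to address 0x5 through eax, i.e. a null-pointer read of `getClass()` inside the reserved-slot assertion, which is a different first-line diagnosis from the poisoned-read case; keeping the two apart matters because a null dereference and a use-after-free get rated differently even when they share a crash signature.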
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release