Closed
Bug 1126318
Opened 9 years ago
Closed 9 years ago
Assertion failure: isNative(), at c:\users\mozilla\debug-builds\mozilla-central\ js\src\jsfun.h:413
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: cbook, Assigned: jandem)
References
()
Details
(Keywords: assertion, testcase)
Attachments
(5 files)
|
776 bytes,
text/plain
|
Details | |
|
8.24 KB,
text/plain
|
Details | |
|
3.16 KB,
text/html
|
Details | |
|
6.20 KB,
patch
|
bzbarsky
:
review+
lmandel
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
3.38 KB,
patch
|
Details | Diff | Splinter Review |
found via Bughunter and classified medium exploitable on mac at least: Assertion failure: isNative(), at c:\users\mozilla\debug-builds\mozilla-central\ js\src\jsfun.h:413 Steps to reproduce: -> Load http://www.jagodnik.pl/ in a Trunk Debug Build --> Assertion failure
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
stack trace etc as requested. Jan: could you take a look, thx!
Flags: needinfo?(jdemooij)
|
||
Comment 3•9 years ago
|
||
The medium exploitable part here isn't really relevant, because this is a crash on an assertion.
Summary: Medium Exploitable Assertion failure: isNative(), at c:\users\mozilla\debug-builds\mozilla-central\ js\src\jsfun.h:413 → Assertion failure: isNative(), at c:\users\mozilla\debug-builds\mozilla-central\ js\src\jsfun.h:413
|
||
Comment 4•9 years ago
|
||
Um. So we're in js::jit::TryAttachNativeGetPropStub but callee.ptr->isInterpreted() is true. Also, cacheableCall is false and isScripted is false in this case. As in, we had a scripted function with no jitcode. Looks like the code added in bug 1007631 doesn't really handle this case. Maybe we should early-return right before we start looking for jitinfo if !cacheableCall? Or check cacheableCall && !isScripted when we're checking for a getter function here: 6542 if (!shape || !shape->hasGetterValue() || !shape->getterValue().isObject() || 6543 !shape->getterObject()->is<JSFunction>()) 6544 { 6545 return true; 6546 }
|
|
||
Updated•9 years ago
|
status-firefox37:
--- → affected
status-firefox38:
--- → affected
|
|
Reporter | |
Updated•9 years ago
|
|
|
Reporter | |
Comment 5•9 years ago
|
||
|
|
Reporter | |
Comment 6•9 years ago
|
||
seems now bughunter found this on a different site: http://www.liteonodd.com/en/service-support/download/cat_view/44-software-tool/54-utilities
|
Assignee | |
Comment 7•9 years ago
|
||
Thanks for the analysis. This patch moves the is-cacheable-native-call up, before the jitInfo check.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8556425 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 8•9 years ago
|
||
Same patch but with -w to ignore the indentation changes.
|
|
Assignee | |
Comment 9•9 years ago
|
||
I verified the patch fixes both crashes (original URL and the one in comment 6). Good find, thanks.
|
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8556425 [details] [diff] [review] Patch r=me, but could you add a testcase? Seems like all that's needed to trigger the assert is a non-cacheable scripted getter, right? Well, and I guess outerClass needs to be true too. I don't see a way to do the outerClass thing in shell (e.g. the ComplexObject stuff is dead code, afaict) but in a jsreftest or other test running in browser this: <script> Object.defineProperty(window, "foo", { get: function() { return 5; }, configurable: true } ); for (var i = 0; i < 100; ++i) window.foo; </script> reproduces the assert quite nicely for me.
Attachment #8556425 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 11•9 years ago
|
||
Added a jsreftest and verified it asserted without the patch. https://hg.mozilla.org/integration/mozilla-inbound/rev/66338a89015f Also this is not security-sensitive. If |callee| is scripted, the callee->jitInfo()->needsOuterizedThisObject() call could return a bogus value, but it doesn't matter as the is-native check below that will be false, so nothing depends on this value.
Group: core-security
|
||
Comment 12•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/66338a89015f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
|
Assignee | |
Comment 13•9 years ago
|
||
Comment on attachment 8556425 [details] [diff] [review] Patch Approval Request Comment [Feature/regressing bug #]: Bug 1007631. [User impact if declined]: Potential crashes or assertion failures in debug builds. [Describe test coverage new/current, TreeHerder]: On m-c for a few days. [Risks and why]: Very low, just moves a check up. [String/UUID change made/needed]: None.
Attachment #8556425 -
Flags: approval-mozilla-aurora?
|
||
Comment 14•9 years ago
|
||
Comment on attachment 8556425 [details] [diff] [review] Patch Aurora+
Attachment #8556425 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in
before you can comment on or make changes to this bug.
Description
•