Closed Bug 1183448 Opened 5 years ago Closed 5 years ago

Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1189744
Tracking Status
firefox42 --- affected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

function f(z) {
    eval(z)
}
function g(z) {
    f(z, {
        n: true
    })
}
g("");
g("");
g("x = arguments")
g("Array.prototype.shift.call(x)");
g("");
g("");
g("Array.prototype.unshift.call(x, 1)");
g("");
g("");
g("Array.prototype.shift.call(x)");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("\
    Object.defineProperty(x[0], 9, {\
        set: function(){}\
    });\
    Array.prototype.unshift.call(x[0], 1);\
    Array.prototype.shift.call(x[0]);\
")

crashes js debug shell on m-c changeset 7ec3e4b2a45f with --fuzzing-safe --no-threads --no-baseline --no-ion at NativeSetExistingDataProperty. (js opt shell also crashes)

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/71457f81430a
user:        Jason Orendorff
date:        Fri May 29 17:31:43 2015 -0500
summary:     Bug 1125624, part 2 - Change js::StandardDefineProperty to forward to js::DefineProperty. r=Waldo.

Jason, is bug 1125624 a likely regressor?

Setting s-s in case the lock instruction is doing anything weird at $rcx memory address 0x00007fff5fbfc8e0.
Flags: needinfo?(jorendorff)
Attached file opt stack
(lldb) bt 5
* thread #1: tid = 0x224d04, 0x0000000101b71200, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x101b71200)
  * frame #0: 0x0000000101b71200
    frame #1: 0x00000001001b22a2 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x0000000101aa90f0, op=0x0000000101b71200, result=0x00007fff5fbfca78)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 210 at jscntxtinlines.h:320
    frame #2: 0x00000001001b2296 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 198 at NativeObject.cpp:2032
    frame #3: 0x00000001001b2dea js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 16 at NativeObject.cpp:2261
    frame #4: 0x00000001001b2dda js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x0000000101aa90f0, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 2410 at NativeObject.cpp:2322
(lldb)
Attached file debug stack
(lldb) bt 5
* thread #1: tid = 0x224973, 0x0000000103971500, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x103971500)
  * frame #0: 0x0000000103971500
    frame #1: 0x00000001002ddb6c js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x00000001028a3180, op=0x0000000103971500, result=0x00007fff5fbfc228)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 748 at jscntxtinlines.h:320
    frame #2: 0x00000001002ddb46 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 710 at NativeObject.cpp:2032
    frame #3: 0x00000001002de855 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 5 at NativeObject.cpp:2261
    frame #4: 0x00000001002de850 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x00000001028a3180, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=Qualified, result=<unavailable>) + 2320 at NativeObject.cpp:2322
(lldb)
x = [];
for (var i = 0; i < 99; ++i) {
    x = {
        x
    };
}
Object.defineProperty(x, "", {
    get: Array.lastIndexOf
}).toString = {};
delete x.w;
print(x);

crashes js debug shell on m-c changeset 5856a328963d with --fuzzing-safe --no-threads --ion-eager at a weird memory address with GetExistingProperty on the stack.

It also crashes js opt shell at js::NativeGetProperty with the pc being the following lock instruction as well:

(lldb) dis -p
->  0x101c62b50: lock
    0x101c62b51: xchgl  %ecx, %eax
(lldb) register read $ecx
     ecx = 0x5fbfe810
(lldb) register read $eax
     eax = 0x01a67000
(lldb)
Crash Signature: [@ NativeSetExistingDataProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
Summary: Crash [@ NativeSetExistingDataProperty] → Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]
I'm going to assume this is bad...
Keywords: sec-high
Crash Signature: [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8781f437a5d4).
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150813200339" and the hash "8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c".
The "good" changeset has the timestamp "20150813201139" and the hash "03b1eb0b1f9bcb470c1996dedc45992eb4acef59".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c&tochange=03b1eb0b1f9bcb470c1996dedc45992eb4acef59

Jason, is bug 1189744 a likely fix?
Crash Signature: [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
> Setting s-s in case the lock instruction is doing anything weird at $rcx
> memory address 0x00007fff5fbfc8e0.

This should be changed to sec-critical if it is indeed a dupe of bug 1189744. Going forward, this symptom should then be regarded as bad because it would map to an EXPLOITABLE rating in !exploitable as per that bug.

Also, this was found by fuzzers >2 weeks before the other bug! It would be nice to stop these from falling through the cracks again.
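The triage rule stated in the comment above (frame #0 is a bare address equal to the faulting address, which !exploitable rates EXPLOITABLE because the process tried to execute through a corrupted pointer) can be checked mechanically over lldb output. The script below is an added example and is not code from this bug or from Mozilla's fuzzing tooling; its regexes, rating labels and the near-null threshold are its own assumptions, the first sample is an abridged copy of the attached opt stack, and the second sample (a plain null-dereference) is constructed for contrast.

```python
"""Triage heuristic for lldb crash output: does the PC equal the fault address?

Added example (not from the bug or from Mozilla tooling). The rule it encodes:
when frame #0 is an unsymbolized address that is also the EXC_BAD_ACCESS
address, execution jumped through a bad pointer, i.e. a control-flow hijack,
which maps to !exploitable's EXPLOITABLE rating. Regex shapes, rating labels
and the 0x1000 near-null threshold are assumptions of this example.
"""
import re

# Abridged copy of the "opt stack" attachment on the bug (signatures shortened).
OPT_STACK = """\
* thread #1: tid = 0x224d04, 0x0000000101b71200, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x101b71200)
  * frame #0: 0x0000000101b71200
    frame #1: 0x00000001001b22a2 js-64`NativeSetExistingDataProperty(...) [inlined] js::CallJSSetterOp(cx=0x0000000101aa90f0, op=0x0000000101b71200, result=0x00007fff5fbfca78) + 210 at jscntxtinlines.h:320
    frame #2: 0x00000001001b2296 js-64`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>) + 198 at NativeObject.cpp:2032
"""

# Constructed sample: an ordinary null dereference with a valid, symbolized PC.
NULL_DEREF_SAMPLE = """\
* thread #1: tid = 0x1, 0x0000000100001234, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100001234 example`handle(obj=0x0000000000000000) + 20 at handle.cpp:10
"""

STOP_RE = re.compile(
    r"stop reason = (?P<exc>\S+) \(code=(?P<code>\d+), address=(?P<addr>0x[0-9a-fA-F]+)\)")
FRAME_RE = re.compile(
    r"frame #(?P<n>\d+): (?P<pc>0x[0-9a-fA-F]+)(?:\s+(?P<sym>.*?))?\s*$")
ARG_RE = re.compile(r"(?P<name>\w+)=(?P<val>0x[0-9a-fA-F]+)")

# Mach exception subcodes for EXC_BAD_ACCESS on macOS.
KERN_CODES = {
    1: "KERN_INVALID_ADDRESS (unmapped page)",
    2: "KERN_PROTECTION_FAILURE (mapped page, wrong permissions)",
}


def parse_lldb(text):
    """Return (stop_info, frames) from an lldb 'bt' transcript."""
    stop, frames = None, []
    for line in text.splitlines():
        m = STOP_RE.search(line)
        if m:
            stop = {"exc": m["exc"], "code": int(m["code"]), "addr": int(m["addr"], 16)}
            continue
        m = FRAME_RE.search(line)
        if m:
            sym = m["sym"] or ""
            # Pointer-valued arguments printed in the frame, e.g. op=0x....
            args = {a["name"]: int(a["val"], 16) for a in ARG_RE.finditer(sym)}
            frames.append({"n": int(m["n"]), "pc": int(m["pc"], 16), "sym": sym, "args": args})
    return stop, frames


def triage(text):
    """Rate a crash and name the frame/argument that carried the bad pointer."""
    stop, frames = parse_lldb(text)
    result = {"rating": "unknown", "reasons": [], "culprit_args": []}
    if stop is None or not frames:
        result["reasons"].append("no stop reason or frames parsed")
        return result
    f0 = frames[0]
    result["reasons"].append(KERN_CODES.get(stop["code"], f"code={stop['code']}"))
    if f0["pc"] == stop["addr"] and not f0["sym"]:
        # Execution landed on the fault address itself: an indirect call or
        # return through a corrupted pointer, the EXPLOITABLE pattern.
        result["rating"] = "likely-exploitable"
        result["reasons"].append("pc == fault address and frame #0 is unsymbolized")
        for fr in frames[1:]:
            for name, val in fr["args"].items():
                if val == stop["addr"]:
                    result["culprit_args"].append((fr["n"], name))
    elif stop["addr"] < 0x1000:
        result["rating"] = "probably-not-exploitable"
        result["reasons"].append("near-null data access with a valid pc")
    else:
        result["rating"] = "needs-analysis"
        result["reasons"].append("wild data access with a valid pc")
    return result


if __name__ == "__main__":
    for name, sample in (("opt stack", OPT_STACK), ("null deref", NULL_DEREF_SAMPLE)):
        print(name, triage(sample))
```

On the attached opt stack the script reports `likely-exploitable` and points at frame #1's `op` argument, whose value matches the PC: the setter function pointer passed to CallJSSetterOp was garbage, and `code=2` confirms the target page was mapped but not executable.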
Yes, it's a dup.
Flags: needinfo?(jorendorff)
Status: NEW → RESOLVED
Closed: 5 years ago
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Duplicate of bug: 1189744
Group: core-security → core-security-release
Group: core-security-release