Closed Bug 1183448 Opened 10 years ago Closed 10 years ago

Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1189744
Tracking Status
firefox42 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

function f(z) { eval(z); }
function g(z) { f(z, { n: true }); }
g("");
g("");
g("x = arguments");
g("Array.prototype.shift.call(x)");
g("");
g("");
g("Array.prototype.unshift.call(x, 1)");
g("");
g("");
g("Array.prototype.shift.call(x)");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("\
  Object.defineProperty(x[0], 9, {\
    set: function(){}\
  });\
  Array.prototype.unshift.call(x[0], 1);\
  Array.prototype.shift.call(x[0]);\
");

crashes js debug shell on m-c changeset 7ec3e4b2a45f with --fuzzing-safe --no-threads --no-baseline --no-ion at NativeSetExistingDataProperty. (js opt shell also crashes)

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/71457f81430a
user: Jason Orendorff
date: Fri May 29 17:31:43 2015 -0500
summary: Bug 1125624, part 2 - Change js::StandardDefineProperty to forward to js::DefineProperty. r=Waldo.

Jason, is bug 1125624 a likely regressor?
Setting s-s in case the lock instruction is doing anything weird at $rcx memory address 0x00007fff5fbfc8e0.
Flags: needinfo?(jorendorff)
Attached file opt stack
(lldb) bt 5
* thread #1: tid = 0x224d04, 0x0000000101b71200, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x101b71200)
  * frame #0: 0x0000000101b71200
    frame #1: 0x00000001001b22a2 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x0000000101aa90f0, op=0x0000000101b71200, result=0x00007fff5fbfca78)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 210 at jscntxtinlines.h:320
    frame #2: 0x00000001001b2296 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 198 at NativeObject.cpp:2032
    frame #3: 0x00000001001b2dea js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 16 at NativeObject.cpp:2261
    frame #4: 0x00000001001b2dda js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x0000000101aa90f0, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 2410 at NativeObject.cpp:2322
(lldb)
Attached file debug stack
(lldb) bt 5
* thread #1: tid = 0x224973, 0x0000000103971500, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x103971500)
  * frame #0: 0x0000000103971500
    frame #1: 0x00000001002ddb6c js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x00000001028a3180, op=0x0000000103971500, result=0x00007fff5fbfc228)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 748 at jscntxtinlines.h:320
    frame #2: 0x00000001002ddb46 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 710 at NativeObject.cpp:2032
    frame #3: 0x00000001002de855 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 5 at NativeObject.cpp:2261
    frame #4: 0x00000001002de850 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x00000001028a3180, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=Qualified, result=<unavailable>) + 2320 at NativeObject.cpp:2322
(lldb)
x = [];
for (var i = 0; i < 99; ++i) {
  x = { x };
}
Object.defineProperty(x, "", { get: Array.lastIndexOf }).toString = {};
delete x.w;
print(x);

crashes js debug shell on m-c changeset 5856a328963d with --fuzzing-safe --no-threads --ion-eager at a weird memory address with GetExistingProperty on the stack.

It also crashes js opt shell at js::NativeGetProperty with the pc being the following lock instruction as well:

(lldb) dis -p
->  0x101c62b50: lock
    0x101c62b51: xchgl  %ecx, %eax
(lldb) register read $ecx
     ecx = 0x5fbfe810
(lldb) register read $eax
     eax = 0x01a67000
(lldb)
Crash Signature: [@ NativeSetExistingDataProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
Summary: Crash [@ NativeSetExistingDataProperty] → Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]
I'm going to assume this is bad...
Keywords: sec-high
Crash Signature: [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8781f437a5d4).
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150813200339" and the hash "8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c".

The "good" changeset has the timestamp "20150813201139" and the hash "03b1eb0b1f9bcb470c1996dedc45992eb4acef59".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c&tochange=03b1eb0b1f9bcb470c1996dedc45992eb4acef59

Jason, is bug 1189744 a likely fix?
Crash Signature: [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
> Setting s-s in case the lock instruction is doing anything weird at $rcx
> memory address 0x00007fff5fbfc8e0.

This should be changed to sec-critical if it is indeed a dupe of bug 1189744. Going forward, this symptom should then be regarded as bad because it would map to an EXPLOITABLE rating in !exploitable as per that bug.

Also, this was found by fuzzers >2 weeks before the other bug! It would be nice to stop these from falling through the cracks again.
Yes, it's a dup.
Flags: needinfo?(jorendorff)
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Group: core-security → core-security-release
Group: core-security-release