Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]

RESOLVED DUPLICATE of bug 1189744

Status


Core
JavaScript Engine
--
critical
3 years ago
a year ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86_64
Mac OS X
crash, regression, sec-critical, testcase

Firefox Tracking Flags

(firefox42 affected)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
function f(z) {
    eval(z)
}
function g(z) {
    f(z, {
        n: true
    })
}
g("");
g("");
g("x = arguments")
g("Array.prototype.shift.call(x)");
g("");
g("");
g("Array.prototype.unshift.call(x, 1)");
g("");
g("");
g("Array.prototype.shift.call(x)");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("");
g("\
    Object.defineProperty(x[0], 9, {\
        set: function(){}\
    });\
    Array.prototype.unshift.call(x[0], 1);\
    Array.prototype.shift.call(x[0]);\
")

crashes js debug shell on m-c changeset 7ec3e4b2a45f with --fuzzing-safe --no-threads --no-baseline --no-ion at NativeSetExistingDataProperty. (js opt shell also crashes)

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/71457f81430a
user:        Jason Orendorff
date:        Fri May 29 17:31:43 2015 -0500
summary:     Bug 1125624, part 2 - Change js::StandardDefineProperty to forward to js::DefineProperty. r=Waldo.

Jason, is bug 1125624 a likely regressor?

Setting s-s in case the lock instruction is doing anything weird at $rcx memory address 0x00007fff5fbfc8e0.
Flags: needinfo?(jorendorff)
(Reporter)

Comment 1

3 years ago
Created attachment 8633255 [details]
opt stack

(lldb) bt 5
* thread #1: tid = 0x224d04, 0x0000000101b71200, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x101b71200)
  * frame #0: 0x0000000101b71200
    frame #1: 0x00000001001b22a2 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x0000000101aa90f0, op=0x0000000101b71200, result=0x00007fff5fbfca78)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 210 at jscntxtinlines.h:320
    frame #2: 0x00000001001b2296 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 198 at NativeObject.cpp:2032
    frame #3: 0x00000001001b2dea js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 16 at NativeObject.cpp:2261
    frame #4: 0x00000001001b2dda js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x0000000101aa90f0, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 2410 at NativeObject.cpp:2322
(lldb)
(Reporter)

Comment 2

3 years ago
Created attachment 8633256 [details]
debug stack

(lldb) bt 5
* thread #1: tid = 0x224973, 0x0000000103971500, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x103971500)
  * frame #0: 0x0000000103971500
    frame #1: 0x00000001002ddb6c js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) [inlined] js::CallJSSetterOp(cx=0x00000001028a3180, op=0x0000000103971500, result=0x00007fff5fbfc228)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&) + 748 at jscntxtinlines.h:320
    frame #2: 0x00000001002ddb46 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, obj=<unavailable>, shape=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=<unavailable>) + 710 at NativeObject.cpp:2032
    frame #3: 0x00000001002de855 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 5 at NativeObject.cpp:2261
    frame #4: 0x00000001002de850 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(cx=0x00000001028a3180, obj=<unavailable>, id=<unavailable>, value=<unavailable>, receiver=<unavailable>, qualified=Qualified, result=<unavailable>) + 2320 at NativeObject.cpp:2322
(lldb)
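For triaging stacks like the two attached above, an added example (not part of this bug or of SpiderMonkey): a small Python helper that parses lldb `bt` output, derives the [@ ...] crash signature from the top symbolised frame, and flags the pattern both attachments show, where frame #0 has no symbol and its pc equals the faulting address. The embedded sample is the opt stack from comment 1 with the argument lists of frames 1-3 abbreviated.

```python
import re

# Sample input: the opt-shell backtrace from comment 1; the long argument
# lists of frames 1-3 are abbreviated to "..." to keep the sample readable.
SAMPLE_BT = """\
* thread #1: tid = 0x224d04, 0x0000000101b71200, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x101b71200)
  * frame #0: 0x0000000101b71200
    frame #1: 0x00000001001b22a2 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(...) [inlined] js::CallJSSetterOp(...) + 210 at jscntxtinlines.h:320
    frame #2: 0x00000001001b2296 js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`NativeSetExistingDataProperty(cx=<unavailable>, ...) + 198 at NativeObject.cpp:2032
    frame #3: 0x00000001001b2dea js-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::NativeSetProperty(...) + 16 at NativeObject.cpp:2261
"""

THREAD_RE = re.compile(
    r"stop reason = (?P<reason>\w+) \(code=(?P<code>\d+), address=0x(?P<addr>[0-9a-fA-F]+)\)")
# "frame #N: 0xPC module`function(args) ..."; module and function are
# missing when lldb could not symbolise the pc (frame #0 here).
FRAME_RE = re.compile(
    r"frame #(?P<n>\d+): 0x(?P<pc>[0-9a-fA-F]+)(?: (?P<module>[^`\s]+)`(?P<func>[^(]+))?")

def parse_backtrace(text):
    """Return stop reason, faulting address and (n, pc, func) frame tuples."""
    info = {"reason": None, "code": None, "fault_addr": None, "frames": []}
    for line in text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            info["reason"] = m["reason"]
            info["code"] = int(m["code"])  # 2 is KERN_PROTECTION_FAILURE on Darwin
            info["fault_addr"] = int(m["addr"], 16)
            continue
        m = FRAME_RE.search(line)
        if m:
            func = m["func"].strip() if m["func"] else None
            info["frames"].append((int(m["n"]), int(m["pc"], 16), func))
    return info

def crash_signature(info):
    """Top symbolised frame in the [@ ...] form used in the Crash Signature field."""
    for _, _, func in info["frames"]:
        if func:
            return f"[@ {func}]"
    return "[@ <unknown>]"

def looks_like_wild_call(info):
    """True when frame #0 is unsymbolised and its pc equals the faulting address:
    the fault is an instruction fetch through a bad pointer, not a data access."""
    if not info["frames"] or info["fault_addr"] is None:
        return False
    n, pc, func = info["frames"][0]
    return n == 0 and func is None and pc == info["fault_addr"]
```

A plain null dereference would instead show a symbolised frame #0 and a faulting address far from the pc, so this check separates the two cases cheaply during fuzzer triage.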
(Reporter)

Comment 3

3 years ago
x = [];
for (var i = 0; i < 99; ++i) {
    x = {
        x
    };
}
Object.defineProperty(x, "", {
    get: Array.lastIndexOf
}).toString = {};
delete x.w;
print(x);

crashes js debug shell on m-c changeset 5856a328963d with --fuzzing-safe --no-threads --ion-eager at a weird memory address with GetExistingProperty on the stack.

It also crashes js opt shell at js::NativeGetProperty with the pc being the following lock instruction as well:

(lldb) dis -p
->  0x101c62b50: lock
    0x101c62b51: xchgl  %ecx, %eax
(lldb) register read $ecx
     ecx = 0x5fbfe810
(lldb) register read $eax
     eax = 0x01a67000
(lldb)
Crash Signature: [@ NativeSetExistingDataProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
Summary: Crash [@ NativeSetExistingDataProperty] → Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty]
I'm going to assume this is bad...
Keywords: sec-high
Crash Signature: [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8781f437a5d4).
(Reporter)

Comment 6

3 years ago
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150813200339" and the hash "8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c".
The "good" changeset has the timestamp "20150813201139" and the hash "03b1eb0b1f9bcb470c1996dedc45992eb4acef59".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c&tochange=03b1eb0b1f9bcb470c1996dedc45992eb4acef59

Jason, is bug 1189744 a likely fix?
Crash Signature: [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty] → [@ NativeSetExistingDataProperty] [@ GetExistingProperty] [@ js::NativeGetProperty]
(Reporter)

Comment 7

3 years ago
> Setting s-s in case the lock instruction is doing anything weird at $rcx
> memory address 0x00007fff5fbfc8e0.

This should be changed to sec-critical if it is indeed a dupe of bug 1189744. Going forward, this symptom should then be regarded as bad because it would map to an EXPLOITABLE rating in !exploitable as per that bug.

Also, this was found by fuzzers >2 weeks before the other bug! It would be nice to stop these from falling through the cracks again.
Yes, it's a dup.
Flags: needinfo?(jorendorff)
(Reporter)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Duplicate of bug: 1189744

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release