Closed
Bug 1186973
Opened 10 years ago
Closed 9 years ago
Crash [@ strlen] with evaluate and bytecache
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla44
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore][post-critsmash-triage][adv-main44+])
Crash Data
Attachments
(2 files)
|
3.51 KB,
patch
|
Details | Diff | Splinter Review | |
|
2.01 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 2ddec2dedced (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
test = (function () {
function f(x) {
function ifTrue() {};
function ifFalse() {};
if (x) return ifTrue();
else return ifFalse();
}
return f.toSource() + "; f((generation % 2) == 0)";
})();
evalWithCache(test, { assertEqBytecode: true, assertEqResult : true });
function evalWithCache(code, ctx) {
code = code instanceof Object ? code : cacheEntry(code);
ctx.global = newGlobal();
ctx.global.generation = 0;
var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
ctx.global.generation = 1;
var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } }));
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x0000000000acffcc in js::ExpandErrorArgumentsVA (cx=0x7ffff69811c0, callback=<optimized out>, userRef=<optimized out>, errorNumber=16, messagep=0x7fffffffc760, reportp=0x7fffffffc770, argumentsType=js::ArgumentsAreASCII, ap=0x7fffffffc838) at js/src/jscntxt.cpp:609
#2 0x0000000000ad05c8 in js::ReportErrorNumberVA (cx=0x7ffff69811c0, flags=0, callback=0x47add0 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=16, argumentsType=js::ArgumentsAreASCII, ap=0x7fffffffc838) at js/src/jscntxt.cpp:746
#3 0x0000000000ad068b in JS_ReportErrorNumberVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffc838) at js/src/jsapi.cpp:5350
#4 0x0000000000ad0716 in JS_ReportErrorNumber (cx=cx@entry=0x7ffff69811c0, errorCallback=errorCallback@entry=0x47add0 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=16) at js/src/jsapi.cpp:5339
#5 0x000000000048a0de in Evaluate (cx=0x7ffff69811c0, argc=<optimized out>, vp=0x7ffff47f4148) at js/src/shell/js.cpp:1260
#6 0x00000000006cb9f2 in js::CallJSNative (cx=0x7ffff69811c0, native=0x489050 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7 0x00000000006baef2 in js::Invoke (cx=cx@entry=0x7ffff69811c0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:720
#8 0x00000000006ad032 in Interpret (cx=cx@entry=0x7ffff69811c0, state=...) at js/src/vm/Interpreter.cpp:2972
#9 0x00000000006ba8f3 in js::RunScript (cx=cx@entry=0x7ffff69811c0, state=...) at js/src/vm/Interpreter.cpp:661
#10 0x00000000006c5606 in js::ExecuteKernel (cx=cx@entry=0x7ffff69811c0, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#11 0x00000000006c78f3 in js::Execute (cx=cx@entry=0x7ffff69811c0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:936
#12 0x0000000000ac4496 in ExecuteScript (cx=cx@entry=0x7ffff69811c0, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4334
#13 0x0000000000ac460b in JS_ExecuteScript (cx=cx@entry=0x7ffff69811c0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4365
#14 0x00000000004284d1 in RunFile (compileOnly=false, file=0x7ffff699e800, filename=0x7fffffffe0da "min.js", cx=0x7ffff69811c0) at js/src/shell/js.cpp:458
#15 Process (cx=cx@entry=0x7ffff69811c0, filename=0x7fffffffe0da "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
#16 0x0000000000477453 in ProcessArgs (op=0x7fffffffdb90, cx=0x7ffff69811c0) at js/src/shell/js.cpp:5771
#17 Shell (envp=<optimized out>, op=0x7fffffffdb90, cx=0x7ffff69811c0) at js/src/shell/js.cpp:6040
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6384
rax 0x384 900
rbx 0x7fffffffc770 140737488340848
rcx 0x384 900
rdx 0x7fffffffc870 140737488341104
rsi 0x384 900
rdi 0x384 900
rbp 0x7fffffffc730 140737488340784
rsp 0x7fffffffc5c8 140737488340424
r8 0x0 0
r9 0xe00 3584
r10 0x4 4
r11 0x3 3
r12 0x7fffffffc838 140737488341048
r13 0x0 0
r14 0x0 0
r15 0x7ffff47c3e40 140737295171136
rip 0x7ffff6c4256a <strlen+42>
=> 0x7ffff6c4256a <strlen+42>: movdqu (%rax),%xmm12
0x7ffff6c4256f <strlen+47>: pcmpeqb %xmm8,%xmm12
Marking s-s because the crash is an unsafe out-of-bounds. Not sure if this can be triggered in the browser since the test uses evaluate with the bytecode cache.
Updated•10 years ago
|
Flags: needinfo?(nicolas.b.pierron)
Updated•10 years ago
|
Keywords: sec-moderate
Updated•10 years ago
|
Group: core-security → javascript-core-security
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•10 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f25e7176b9d6
user: Boris Zbarsky
date: Wed Apr 01 12:05:29 2015 -0400
summary: Bug 679939 part 8. Drop the now-unused compileAndGo from CompileOptions. r=luke
This iteration took 171.800 seconds to run.
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 473aefe5bd85).
Comment 3•9 years ago
|
||
Attachment #8676944 -
Flags: review?(hv1989)
Updated•9 years ago
|
Flags: needinfo?(nicolas.b.pierron)
Comment 4•9 years ago
|
||
Comment on attachment 8676944 [details] [diff] [review]
Do not use template for error messages involving numbers.
Review of attachment 8676944 [details] [diff] [review]:
-----------------------------------------------------------------
Can you explain the issue and why not using JS_ReportErrorNumber fixes it?
Attachment #8676944 -
Flags: review?(hv1989)
Comment 5•9 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #4)
> Comment on attachment 8676944 [details] [diff] [review]
> Do not use template for error messages involving numbers.
>
> Review of attachment 8676944 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Can you explain the issue and why not using JS_ReportErrorNumber fixes it?
The issue is that the numbers were surprisingly inferred as being pointers, instead of numbers.
Thus this patch replace them by %u .
Updated•9 years ago
|
Attachment #8676944 -
Flags: review?(hv1989)
Comment 6•9 years ago
|
||
Comment on attachment 8676944 [details] [diff] [review]
Do not use template for error messages involving numbers.
Review of attachment 8676944 [details] [diff] [review]:
-----------------------------------------------------------------
Ah now I see. Instead of moving the values out of .msg,
can you do something like: https://dxr.mozilla.org/mozilla-central/source/js/src/ctypes/CTypes.cpp#1102
Attachment #8676944 -
Flags: review?(hv1989)
Comment 7•9 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #0)
> Marking s-s because the crash is an unsafe out-of-bounds. Not sure if this
> can be triggered in the browser since the test uses evaluate with the
> bytecode cache.
This cannot be triggered in the browser, this is an issue with the way the error message is printed.
Comment 8•9 years ago
|
||
Attachment #8679490 -
Flags: review?(hv1989)
Comment 9•9 years ago
|
||
Comment on attachment 8679490 [details] [diff] [review]
Evaluate assertEqBytecode: Print length as numbers.
Review of attachment 8679490 [details] [diff] [review]:
-----------------------------------------------------------------
Nice
Attachment #8679490 -
Flags: review?(hv1989) → review+
Comment 10•9 years ago
|
||
([:nbp] impersonating PulseBot)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/5326cb59d6a6
Comment 11•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Updated•9 years ago
|
Group: javascript-core-security → core-security-release
Updated•9 years ago
|
Status: RESOLVED → VERIFIED
status-firefox45:
--- → verified
Comment 12•9 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][post-critsmash-triage]
Updated•9 years ago
|
status-firefox43:
--- → wontfix
Whiteboard: [jsbugmon:update,ignore][post-critsmash-triage] → [jsbugmon:update,ignore][post-critsmash-triage][adv-main44+]
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•