Bug 1259490 - Crash involving gczeal(8) with Interpret on the stack
Status: Closed (VERIFIED FIXED); opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla48

Branch | Tracking | Status
---|---|---
firefox47 | --- | unaffected
firefox48 | --- | verified
firefox-esr45 | --- | unaffected
People: Reporter: gkw, Assigned: terrence
Details: 5 keywords, Whiteboard: [fuzzblocker][jsbugmon:update]
Attachments (1 file): patch, 2.75 KB, terrence: review+
Description

The following testcase crashes on mozilla-central revision 24c5fbde4488 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

    gczeal(8);
    for (var k = 0; k < 99; ++k) {
        uneval(-(0 ** (Object | 0 * Object)))
    }

Backtrace:

    0 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007e9338 js::CompartmentChecker::check(JS::Value const&) + 120 (jscntxtinlines.h:95)
    1 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007df720 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 288 (jscntxtinlines.h:162)
    2 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007a66de js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
    3 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007c4f01 Interpret(JSContext*, js::RunState&) + 48897 (Interpreter.cpp:2809)
    4 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007b8f37 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
    5 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007d1254 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:684)
    6 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001007d15d5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
    7 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x0000000100595f61 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4373)
    8 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x00000001005961d2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
    9 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x0000000100021099 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
    10 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x0000000100006754 main + 12404 (js.cpp:6732)
    11 js-dbg-64-dm-clang-darwin-24c5fbde4488 0x0000000100001724 start + 52

This testcase seems to involve gczeal, so setting s-s as a start. Also setting [fuzzblocker] because this seems to happen quite often.
Reporter
Comment 1•8 years ago

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160323062544" and the hash "56d3ab31480a27c4e6063f635f78625b8ce4d220".
The "bad" changeset has the timestamp "20160323062840" and the hash "36c1fd35d9959fa380d07521b210ba315772d683".

Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=56d3ab31480a27c4e6063f635f78625b8ce4d220&tochange=36c1fd35d9959fa380d07521b210ba315772d683

Jon, is bug 1258453 a likely regressor?
Blocks: 1258453
Flags: needinfo?(jcoppeard)
Comment 2•8 years ago

Yes, this looks like me.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Comment 3•8 years ago

This is causing major problems in fuzzing. We either need a fix soon or backout.
Flags: needinfo?(jdemooij)
Comment 4•8 years ago

(In reply to Christian Holler (:decoder) from comment #3)
> This is causing major problems in fuzzing. We either need a fix soon or
> backout.

Jon, Terrence: should we disable the compacting GC code for strings for now, to unblock fuzzing?

(I noticed there's also a topcrash in AssignJSString on Nightly. #1 if you select "3 days".)
Flags: needinfo?(terrence)
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Reporter
Comment 5•8 years ago

(In reply to Jan de Mooij [:jandem] from comment #4)
> Jon, Terrence: should we disable the compacting GC code for strings for now,
> to unblock fuzzing?
>
> (I noticed there's also a topcrash in AssignJSString on Nightly. #1 if you
> select "3 days".)

I'm all for this. Apparently I filed this Thursday evening in Europe time - some countries are out till Tuesday due to Easter weekend. Basically fuzzing is super noisy with variations of this bug now.
Assignee
Comment 6•8 years ago

Update the DtoA cache after compacting GC. This cache only stores pointers to strings, so it was not already in the set of caches we update.
Assignee: jcoppeard → terrence
Status: NEW → ASSIGNED
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Attachment #8735489 - Flags: review?(jcoppeard)
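Comment 6 states the invariant behind this bug class: a cache that holds raw pointers into the GC heap must be walked after a compacting GC, or its entries point at vacated memory. The following is an added illustration written for this page, not SpiderMonkey code and not the patch in attachment 8735489. It models compaction as a simplified two-space copy (SpiderMonkey compacts arenas in place, which this toy does not reproduce) and uses a number-to-string cache in the role the DtoA cache plays here; all names (`ToyString`, `compact`, `update_cache_after_compaction`, `cache_still_correct`) are invented for the example.

```c
/* Added illustration, not SpiderMonkey code: a toy compacting heap of
 * strings plus a number-to-string cache of raw pointers, standing in for
 * the DtoA cache of comment 6. All names are invented for this example. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SLOTS 8
#define CACHE_SLOTS 4

typedef struct ToyString {
    char chars[16];
    int marked;                 /* set by the (simulated) mark phase */
    struct ToyString *forward;  /* new address after compaction, else NULL */
} ToyString;

/* Two semispaces: compaction copies live strings into to_space, then swaps. */
static ToyString heapA[HEAP_SLOTS], heapB[HEAP_SLOTS];
static ToyString *from_space = heapA, *to_space = heapB;
static int from_used = 0;

/* The cache under test: a numeric key and a raw pointer into the heap. */
typedef struct { double key; ToyString *str; } CacheEntry;
static CacheEntry cache[CACHE_SLOTS];

static ToyString *alloc_string(const char *s) {
    ToyString *str = &from_space[from_used++];
    memset(str, 0, sizeof *str);
    strncpy(str->chars, s, sizeof str->chars - 1);
    return str;
}

static void cache_put(double key, ToyString *str) {
    cache[(int)key % CACHE_SLOTS] = (CacheEntry){ key, str };
}

static ToyString *cache_lookup(double key) {
    CacheEntry *e = &cache[(int)key % CACHE_SLOTS];
    return (e->str && e->key == key) ? e->str : NULL;
}

/* Compacting GC: copy marked strings, leave forwarding pointers behind,
 * and poison the vacated cells the way a debug build would. */
static void compact(void) {
    int to_used = 0;
    for (int i = 0; i < from_used; i++) {
        if (!from_space[i].marked) continue;
        to_space[to_used] = from_space[i];
        to_space[to_used].forward = NULL;
        from_space[i].forward = &to_space[to_used++];
    }
    for (int i = 0; i < from_used; i++)
        memset(from_space[i].chars, 0xDB, sizeof from_space[i].chars);
    ToyString *tmp = from_space; from_space = to_space; to_space = tmp;
    from_used = to_used;
}

/* The step the fix adds: after compaction, walk every cache holding raw
 * string pointers; forward moved strings and evict dead ones. */
static void update_cache_after_compaction(void) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].str) continue;
        if (cache[i].str->forward)
            cache[i].str = cache[i].str->forward;
        else
            memset(&cache[i], 0, sizeof cache[i]);
    }
}

/* One scenario: is the cache still sound after a compacting GC?
 * apply_fix: run the post-compaction cache update.
 * string_live: the cached string survives (is marked) or dies. */
static int cache_still_correct(int apply_fix, int string_live) {
    memset(cache, 0, sizeof cache);
    memset(heapA, 0, sizeof heapA);
    memset(heapB, 0, sizeof heapB);
    from_space = heapA; to_space = heapB; from_used = 0;

    alloc_string("dead");               /* never marked: forces the live string to move */
    ToyString *live = alloc_string("3.14");
    live->marked = string_live;
    cache_put(3.14, live);

    compact();
    if (apply_fix) update_cache_after_compaction();

    ToyString *hit = cache_lookup(3.14);
    if (!string_live)
        return hit == NULL;             /* sound only if the stale entry was evicted */
    return hit != NULL && strncmp(hit->chars, "3.14", sizeof hit->chars) == 0;
}

int main(void) {
    printf("fix, live string:    %s\n", cache_still_correct(1, 1) ? "sound" : "stale");
    printf("no fix, live string: %s\n", cache_still_correct(0, 1) ? "sound" : "stale");
    printf("fix, dead string:    %s\n", cache_still_correct(1, 0) ? "sound" : "stale");
    printf("no fix, dead string: %s\n", cache_still_correct(0, 0) ? "sound" : "stale");
    return 0;
}
```

Both failure modes the `csectype-uaf` keyword covers appear in the "no fix" rows: a live string that moved leaves the cache pointing at poisoned memory, and a dead string leaves a dangling entry that a later lookup hands back as if it were valid. The defensive pattern is the one comment 6 describes: any new cache of raw GC pointers has to be registered with the set of caches the collector updates, and a debug-build poison pattern (here 0xDB) makes the omission crash deterministically rather than silently.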
Assignee
Comment 7•8 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/595ba913eb8375a11365d6053301c9b56adc8fbe
Bug 1259490 - Update the DtoA cache after compacting GC; r=jandem
Assignee
Comment 8•8 years ago

Comment on attachment 8735489 [details] [diff] [review]
bug-1259490-v0.diff

r=jandem via IRC so that we can get this on m-i sooner.
Attachment #8735489 - Flags: review?(jcoppeard) → review+
Comment 9•8 years ago

(In reply to Terrence Cole [:terrence] from comment #7)
Thanks for picking this up.
Comment 10•8 years ago

https://hg.mozilla.org/mozilla-central/rev/595ba913eb83
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•8 years ago
Group: javascript-core-security → core-security-release
Comment 12•8 years ago

I'm going to mark this sec-critical because it sounds easily discoverable.
status-firefox47: --- → unaffected
status-firefox-esr45: --- → unaffected
Keywords: csectype-uaf, sec-critical
Updated•8 years ago
Group: core-security-release
Updated•8 years ago
Status: RESOLVED → VERIFIED
Comment 13•8 years ago

JSBugMon: This bug has been automatically verified fixed.