Bug 1280246 (Closed)
Opened 9 years ago; closed 9 years ago
Crash [@ void js::CheckTracedThing<js::Shape>] with [@ js::ProxyObject::trace] on the stack
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1282746
People: Reporter: gkw, Assigned: Waldo
Keywords: crash, sec-critical, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 35.02 KB, text/plain
- 1.82 KB, patch
The following testcase crashes on mozilla-central revision 14c5bf11d37b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-debuggees-25.js
var x = newGlobal();
// jsfunfuzz-generated
Object = x.Object;
// Adapted from randomly chosen test: js/src/tests/ecma_5/strict/primitive-this-getter.js
var y = Object.getPrototypeOf(0);
var z = new Proxy({}, {});
Object.setPrototypeOf(y, z);
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1252453.js
gczeal(8, 2);
throw Error();
Backtrace:
0 js-dbg-64-dm-clang-darwin-14c5bf11d37b 0x000000010a8dace3 void js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*) + 51 (jsgc.h:1171)
1 js-dbg-64-dm-clang-darwin-14c5bf11d37b 0x000000010a912f57 js::Shape* DoCallback<js::Shape*>(JS::CallbackTracer*, js::Shape**, char const*) + 39 (TracingAPI.h:234)
2 js-dbg-64-dm-clang-darwin-14c5bf11d37b 0x000000010a5163f8 js::ProxyObject::trace(JSTracer*, JSObject*) + 56 (TracingAPI.h:57)
3 js-dbg-64-dm-clang-darwin-14c5bf11d37b 0x000000010a473a39 JSObject::traceChildren(JSTracer*) + 425 (jsobj.cpp:3891)
4 js-dbg-64-dm-clang-darwin-14c5bf11d37b 0x000000010a4447f9 js::gc::UpdatePointersTask::updateArenas() + 729 (jsgc.cpp:2231)
5 js-dbg-64-dm-clang-darwin-14c5bf11d37b 0x000000010a445678 js::gc::UpdatePointersTask::run() + 24 (jsgc.cpp:2385)
/snip
For detailed crash information, see attachment.
In opt builds this seems to be accessing weird memory addresses, e.g. 0x000000010508d820. Locking s-s as a start.
Comment 1 (Reporter), 9 years ago

Comment 2 (Reporter), 9 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 295158:6cfb92e3d2c7
user: Jeff Walden
date: Tue Feb 23 13:42:30 2016 -0800
summary: Bug 888969 - Make the getPrototypeOf/setPrototypeOf traps scriptable. r=efaust, r=bholley
Waldo, is bug 888969 a likely regressor?
Blocks: 888969
Crash Signature: [@ void js::CheckTracedThing<js::Shape>] → [@ void js::CheckTracedThing<js::Shape>] [@ js::ProxyObject::trace]
Flags: needinfo?(jwalden+bmo)
Updated (Reporter), 9 years ago
status-firefox49: --- → affected
Comment 3 (Assignee), 9 years ago
The setDelegate calls for these things look a bit bogus. If such a relationship should hold, it *should* have been ensured by the prototype-relationship-creation operation. And it looks to me like none of the isDelegate calls work on proxies, so setting this doesn't matter. But I should investigate harder.
Updated (Assignee), 9 years ago
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Comment 4, 9 years ago
Sounds kind of bad, so I'll just mark it high. Feel free to adjust as appropriate.
Keywords: sec-high
Updated (Assignee), 9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jwalden+bmo)
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Updated, 8 years ago
Group: javascript-core-security