Crash [@ void js::CheckTracedThing<js::Shape>] with [@ js::ProxyObject::trace] on the stack

RESOLVED DUPLICATE of bug 1282746

Status: RESOLVED DUPLICATE of bug 1282746
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 2 years ago
Modified: 10 months ago

People: Reporter: gkw, Assigned: Waldo

Tracking: Blocks: 2 bugs; Keywords: crash, sec-critical, testcase
Version: Trunk
Hardware: x86_64
OS: Mac OS X

Firefox Tracking Flags: firefox49 affected, firefox50 affected

Whiteboard: [jsbugmon:update], crash signature

Attachments: 2 attachments

Description (Reporter, 2 years ago)

The following testcase crashes on mozilla-central revision 14c5bf11d37b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-debuggees-25.js
var x = newGlobal();                // a second global, i.e. a separate compartment
// jsfunfuzz-generated
Object = x.Object;                  // from here on, use the other global's Object constructor
// Adapted from randomly chosen test: js/src/tests/ecma_5/strict/primitive-this-getter.js
var y = Object.getPrototypeOf(0);   // prototype of the boxed primitive 0, obtained through the other global's Object
var z = new Proxy({}, {});          // a proxy created in this global
Object.setPrototypeOf(y, z);        // install the proxy as a prototype across the compartment boundary
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1252453.js
gczeal(8, 2);                       // GC zeal mode 8 with frequency 2, so a collection is triggered almost immediately
throw Error();

Backtrace:

0   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a8dace3 void js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*) + 51 (jsgc.h:1171)
1   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a912f57 js::Shape* DoCallback<js::Shape*>(JS::CallbackTracer*, js::Shape**, char const*) + 39 (TracingAPI.h:234)
2   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a5163f8 js::ProxyObject::trace(JSTracer*, JSObject*) + 56 (TracingAPI.h:57)
3   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a473a39 JSObject::traceChildren(JSTracer*) + 425 (jsobj.cpp:3891)
4   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a4447f9 js::gc::UpdatePointersTask::updateArenas() + 729 (jsgc.cpp:2231)
5   js-dbg-64-dm-clang-darwin-14c5bf11d37b	0x000000010a445678 js::gc::UpdatePointersTask::run() + 24 (jsgc.cpp:2385)
/snip

For detailed crash information, see attachment.

In opt builds this seems to be accessing weird memory addresses, e.g. 0x000000010508d820. Locking s-s as a start.
Comment 1 (Reporter, 2 years ago)

Created attachment 8762903: Detailed Crash Information
Comment 2 (Reporter, 2 years ago)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   295158:6cfb92e3d2c7
user:        Jeff Walden
date:        Tue Feb 23 13:42:30 2016 -0800
summary:     Bug 888969 - Make the getPrototypeOf/setPrototypeOf traps scriptable.  r=efaust, r=bholley

Waldo, is bug 888969 a likely regressor?
Blocks: 888969
Crash Signature: [@ void js::CheckTracedThing<js::Shape>] → [@ void js::CheckTracedThing<js::Shape>] [@ js::ProxyObject::trace]
Flags: needinfo?(jwalden+bmo)
Updated (Reporter, 2 years ago)

status-firefox49: --- → affected
Comment 3 (Assignee, 2 years ago)

Created attachment 8762971: Tentative patch

The setDelegate calls for these things look a bit bogus. If such a relationship should hold, it *should* have been ensured by the prototype-relationship-creation operation. And it looks to me like all isDelegate calls don't work on proxies, so setting this doesn't matter. But I should investigate harder.
Updated (Assignee, 2 years ago)

Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Sounds kind of bad, so I'll just mark it high. Feel free to adjust as appropriate.
Keywords: sec-high
Updated (Assignee, 2 years ago)

Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(jwalden+bmo)
Keywords: sec-high → sec-critical
Resolution: --- → DUPLICATE
Duplicate of bug: 1282746

Updated (10 months ago)

Group: javascript-core-security