Closed Bug 1280884 Opened 8 years ago Closed 8 years ago

Crash [@ js::NativeObject::slotSpan] or Crash [@ js::BaseShape::slotSpan] with ES6 Classes and arguments

Categories: Core :: JavaScript Engine, defect

Platform: x86
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED DUPLICATE of bug 1280252

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision 3ce53bd1e25b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --no-threads):

function foo() {
    function arrayContains() {
        eval();
    }
    function GetSundayInMonth() {};
    fnGlobalObject = function() {};
    function __func() {
        for (i = 0; i < 100000; ++i) 
            was_del = function() {
                class get {}
            }() || delete arguments[0];
    }
    __func("", "", 1, 2);
}
foo();
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::NativeObject::slotSpan (this=0xf6500410) at js/src/vm/NativeObject.h:650
#0  js::NativeObject::slotSpan (this=0xf6500410) at js/src/vm/NativeObject.h:650
#1  0x08907bd9 in js::NativeObject::numDynamicSlots (this=0xf6500410) at js/src/vm/NativeObject.h:683
#2  js::TenuringTracer::moveSlotsToTenured (this=0xffffb428, dst=0xf64f0c30, src=0xf6500410, dstKind=js::gc::AllocKind::OBJECT0_BACKGROUND) at js/src/gc/Marking.cpp:2313
#3  0x089084be in js::TenuringTracer::moveObjectToTenured (this=0xffffb428, dst=0xf64f0c30, src=0xf6500410, dstKind=js::gc::AllocKind::OBJECT0_BACKGROUND) at js/src/gc/Marking.cpp:2272
#4  0x08908ad8 in js::TenuringTracer::moveToTenured (this=0xffffb428, src=0xf6500410) at js/src/gc/Marking.cpp:2165
#5  0x08908ff6 in js::TenuringTracer::traverse<JSObject> (this=0xffffb428, objp=0xffffb0d8) at js/src/gc/Marking.cpp:2020
#6  0x0892459a in js::TenuringTraversalFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, trc=0xffffb428, t=0xf6500410) at js/src/gc/Marking.cpp:2026
#7  js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) (f=..., val=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1914
#8  0x0890a832 in js::TenuringTracer::traverse<JS::Value> (thingp=0xf6377940, this=0xffffb428) at js/src/gc/Marking.cpp:2035
#9  js::TenuringTracer::traceSlots (end=<optimized out>, vp=0xf6377940, this=0xffffb428) at js/src/gc/Marking.cpp:2241
#10 js::TenuringTracer::traceObjectSlots (this=0xffffb428, nobj=0xf64a1eb0, start=0, length=1) at js/src/gc/Marking.cpp:2234
#11 0x0890aa06 in js::gc::StoreBuffer::SlotsEdge::trace (this=0xf6332434, mover=...) at js/src/gc/Marking.cpp:2086
#12 0x089247aa in js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::SlotsEdge>::trace (this=0xf7941414, owner=0xf7941374, mover=...) at js/src/gc/Marking.cpp:2048
#13 0x0890c7f7 in js::gc::StoreBuffer::traceSlots (mover=..., this=0xf7941374) at js/src/gc/StoreBuffer.h:442
#14 js::Nursery::collect (this=0xf794125c, rt=0xf7941000, reason=JS::gcreason::FULL_STORE_BUFFER, pretenureGroups=0x0) at js/src/gc/Nursery.cpp:431
#15 0x08563a94 in js::gc::GCRuntime::minorGCImpl (this=0xf7941230, reason=JS::gcreason::FULL_STORE_BUFFER, pretenureGroups=0x0) at js/src/jsgc.cpp:6518
#16 0x0859e4c7 in js::gc::GCRuntime::minorGC (reason=JS::gcreason::FULL_STORE_BUFFER, this=0xf7941230) at js/src/gc/GCRuntime.h:612
#17 js::gc::GCRuntime::gcIfRequested (this=0xf7941230, cx=0x0) at js/src/jsgc.cpp:6579
#18 0x0873de64 in InvokeInterruptCallback (cx=0xf794b380) at js/src/vm/Runtime.cpp:576
#19 0x0873e542 in JSRuntime::handleInterrupt (this=0xf7941000, cx=0xf794b380) at js/src/vm/Runtime.cpp:683
#20 0x0812a0da in js::CheckForInterrupt (cx=0xf794b380) at js/src/jscntxt.h:651
#21 0x086f46b2 in Interpret (cx=0xf794b380, state=...) at js/src/vm/Interpreter.cpp:1960
#22 0x086fe506 in js::RunScript (cx=0xf794b380, state=...) at js/src/vm/Interpreter.cpp:398
#23 0x086fe852 in js::InternalCallOrConstruct (cx=0xf794b380, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#24 0x086fea9d in InternalCall (cx=cx@entry=0xf794b380, args=...) at js/src/vm/Interpreter.cpp:497
#25 0x086fec2b in js::Call (cx=0xf794b380, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:516
#26 0x08466b4f in js::jit::InvokeFunction (cx=0xf794b380, obj=..., constructing=false, argc=0, argv=0xffffbf00, rval=...) at js/src/jit/VMFunctions.cpp:111
#27 0xf7fc903c in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0xa0f64540	-1594473152
ebx	0x8bdeff4	146665460
ecx	0xf7be778c	-138512500
edx	0xf646f7f1	-163121167
esi	0xf7957800	-141199360
edi	0xf6500410	-162528240
ebp	0xffffaf18	4294946584
esp	0xffffaf10	4294946576
eip	0x8314080 <js::NativeObject::slotSpan() const+80>
=> 0x8314080 <js::NativeObject::slotSpan() const+80>:	testb  $0x1,0x8(%eax)
   0x8314084 <js::NativeObject::slotSpan() const+84>:	je     0x83140b8 <js::NativeObject::slotSpan() const+136>
Crash shows access to a random looking address and GC is also involved, marking s-s.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Whiteboard: [jsbugmon:bisect] → [jsbugmon:]

I'm pretty sure this is the same issue as bug 1280950 which is triggered by |delete arguments[0]|.

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security