Crash [@ JSObject::getClass] with invalid read or Assertion failure: isObject(), at dist/include/js/Value.h:657

VERIFIED FIXED in Firefox 52

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
a year ago
a year ago

People

(Reporter: decoder, Assigned: till)

Tracking

(Blocks: 1 bug, 6 keywords)

Trunk
mozilla52
x86_64
Linux
assertion, crash, jsbugmon, regression, sec-critical, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox49 unaffected, firefox50 unaffected, firefox51 unaffected, firefox52 verified)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

a year ago
The following testcase crashes on mozilla-central revision 2c773b971672 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe):

for (var i = 3; i >= 0; i--) {}
Promise.all.call(class {
    constructor(exec) {
        exec(() => {}, () => {});
    }
    static resolve() {
        return (new.target) * (this) + (this) + (3 - i % 4) * 8 + ("a, b");
    }
}, [("function")]);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a61295 in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#0  0x0000000000a61295 in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#1  JSObject::getOpsGetProperty (this=0x7ffff0690160) at js/src/jsobj.h:139
#2  js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.h:1531
#3  js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846
#4  js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:862
#5  BlockOnPromise (cx=cx@entry=0x7ffff695f000, promiseObj=promiseObj@entry=..., blockedPromise_=..., blockedPromise_@entry=..., onFulfilled=..., onFulfilled@entry=..., onRejected=..., onRejected@entry=...) at js/src/builtin/Promise.cpp:2183
#6  0x0000000000a891ee in PerformPromiseAll (reject=..., resolve=..., promiseObj=..., C=..., iterator=..., cx=0x7ffff695f000) at js/src/builtin/Promise.cpp:1661
#7  Promise_static_all (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1337
#8  0x0000000000922570 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:239
#9  js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:458
#10 0x00000000009226b5 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:503
#11 0x0000000000922718 in js::Call (cx=cx@entry=0x7ffff695f000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:522
#12 0x00000000007f4d6a in js::fun_call (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7ffff03b5090) at js/src/jsfun.cpp:1252
#13 0x0000000000922570 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:239
#14 js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:458
#15 0x000000000091d9c8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:509
#16 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2922
#17 0x00000000009221dc in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:404
#18 0x0000000000927f8e in js::ExecuteKernel (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:685
#19 0x00000000009280e5 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:718
#20 0x000000000074db04 in ExecuteScript (cx=cx@entry=0x7ffff695f000, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4309
#21 0x0000000000753c7a in JS_ExecuteScript (cx=cx@entry=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4342
#22 0x000000000042a0c4 in RunFile (compileOnly=false, file=0x7ffff03d4000, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:650
#23 Process (cx=cx@entry=0x7ffff695f000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1068
#24 0x0000000000435553 in ProcessArgs (op=0x7fffffffdae0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7192
#25 Shell (envp=<optimized out>, op=0x7fffffffdae0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7550
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7928
rax	0x4200000040	283467841600
rbx	0x7ffff695f000	140737330409472
rcx	0x7fffffffc840	140737488341056
rdx	0x7fffffffc820	140737488341024
rsi	0x7fffffffcbe0	140737488341984
rdi	0x7ffff695f000	140737330409472
rbp	0x7fffffffc810	140737488341008
rsp	0x7fffffffc700	140737488340736
r8	0x7fffffffc740	140737488340800
r9	0x7ffff695f940	140737330411840
r10	0x0	0
r11	0x7ffff74b4740	140737342293824
r12	0x7fffffffc830	140737488341040
r13	0x7fffffffcbe0	140737488341984
r14	0x7fffffffc730	140737488340784
r15	0x0	0
rip	0xa61295 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+293>
=> 0xa61295 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+293>:	mov    (%rax),%rax
   0xa61298 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+296>:	mov    0x28(%rax),%rax


This looks bad, reading from a weird address, marking s-s and sec-critical.

Updated

a year ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

a year ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161028145321" and the hash "c6587fbc2dbe99f0fabc25454dbe8a02e1eeccf4".
The "bad" changeset has the timestamp "20161028151321" and the hash "72764ba31b81562e3069f6935da33cae06fe6b00".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c6587fbc2dbe99f0fabc25454dbe8a02e1eeccf4&tochange=72764ba31b81562e3069f6935da33cae06fe6b00
Till, is bug 1313049 a likely regressor?
Blocks: 1313049
Flags: needinfo?(till)
(Assignee)

Comment 3

a year ago
Created attachment 8807174 [details] [diff] [review]
Properly handle a primitive-returning Promise.resolve in Promise.all
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8807174 - Flags: review?(arai.unmht)
Comment on attachment 8807174 [details] [diff] [review]
Properly handle a primitive-returning Promise.resolve in Promise.all

Review of attachment 8807174 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/Promise.cpp
@@ +2234,5 @@
> +    // In case the value to depend on isn't an object at all, there's nothing
> +    // more to do here: we can only add reactions to Promise objects
> +    // (potentially after unwrapping them), and non-object values can't be
> +    // Promise objects. This can happen if Promise.all is called on an object
> +    // with a a `resolve` method that returns primitives.

with a
Attachment #8807174 - Flags: review?(arai.unmht) → review+
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
status-firefox51: --- → unaffected
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/33c17b8aae5a
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox52: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52

Updated

a year ago
Status: RESOLVED → VERIFIED
status-firefox52: fixed → verified

Comment 6

a year ago
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.