Closed
Bug 1314386
Opened 8 years ago
Closed 8 years ago
Crash [@ JSObject::getClass] with invalid read or Assertion failure: isObject(), at dist/include/js/Value.h:657
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla52
Tracking | Status | |
---|---|---|
firefox49 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | verified |
People
(Reporter: decoder, Unassigned)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
4.33 KB,
patch
|
arai
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 2c773b971672 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe): for (var i = 3; i >= 0; i--) {} Promise.all.call(class { constructor(exec) { exec(() => {}, () => {}); } static resolve() { return (new.target) * (this) + (this) + (3 - i % 4) * 8 + ("a, b"); } }, [("function")]); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000a61295 in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127 #0 0x0000000000a61295 in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127 #1 JSObject::getOpsGetProperty (this=0x7ffff0690160) at js/src/jsobj.h:139 #2 js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.h:1531 #3 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846 #4 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:862 #5 BlockOnPromise (cx=cx@entry=0x7ffff695f000, promiseObj=promiseObj@entry=..., blockedPromise_=..., blockedPromise_@entry=..., onFulfilled=..., onFulfilled@entry=..., onRejected=..., onRejected@entry=...) at js/src/builtin/Promise.cpp:2183 #6 0x0000000000a891ee in PerformPromiseAll (reject=..., resolve=..., promiseObj=..., C=..., iterator=..., cx=0x7ffff695f000) at js/src/builtin/Promise.cpp:1661 #7 Promise_static_all (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1337 #8 0x0000000000922570 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:239 #9 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:458 #10 0x00000000009226b5 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:503 #11 0x0000000000922718 in js::Call (cx=cx@entry=0x7ffff695f000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:522 #12 0x00000000007f4d6a in js::fun_call (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7ffff03b5090) at js/src/jsfun.cpp:1252 #13 0x0000000000922570 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:239 #14 js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:458 #15 0x000000000091d9c8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:509 #16 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2922 #17 0x00000000009221dc in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:404 #18 0x0000000000927f8e in js::ExecuteKernel (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:685 #19 0x00000000009280e5 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:718 #20 0x000000000074db04 in ExecuteScript (cx=cx@entry=0x7ffff695f000, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4309 #21 0x0000000000753c7a in JS_ExecuteScript (cx=cx@entry=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4342 #22 0x000000000042a0c4 in RunFile (compileOnly=false, file=0x7ffff03d4000, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:650 #23 Process (cx=cx@entry=0x7ffff695f000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1068 #24 0x0000000000435553 in ProcessArgs (op=0x7fffffffdae0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7192 #25 Shell (envp=<optimized out>, op=0x7fffffffdae0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7550 #26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7928 rax 0x4200000040 283467841600 rbx 0x7ffff695f000 140737330409472 rcx 0x7fffffffc840 140737488341056 rdx 0x7fffffffc820 140737488341024 rsi 0x7fffffffcbe0 140737488341984 rdi 0x7ffff695f000 140737330409472 rbp 0x7fffffffc810 140737488341008 rsp 0x7fffffffc700 140737488340736 r8 0x7fffffffc740 140737488340800 r9 0x7ffff695f940 140737330411840 r10 0x0 0 r11 0x7ffff74b4740 140737342293824 r12 0x7fffffffc830 140737488341040 r13 0x7fffffffcbe0 140737488341984 r14 0x7fffffffc730 140737488340784 r15 0x0 0 rip 0xa61295 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+293> => 0xa61295 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+293>: mov (%rax),%rax 0xa61298 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+296>: mov 0x28(%rax),%rax This looks bad, reading from a weird address, marking s-s and sec-critical.
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20161028145321" and the hash "c6587fbc2dbe99f0fabc25454dbe8a02e1eeccf4". The "bad" changeset has the timestamp "20161028151321" and the hash "72764ba31b81562e3069f6935da33cae06fe6b00". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c6587fbc2dbe99f0fabc25454dbe8a02e1eeccf4&tochange=72764ba31b81562e3069f6935da33cae06fe6b00
Till, is bug 1313049 a likely regressor?
Blocks: 1313049
Flags: needinfo?(till)
Comment 3•8 years ago
|
||
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8807174 -
Flags: review?(arai.unmht)
Comment 4•8 years ago
|
||
Comment on attachment 8807174 [details] [diff] [review] Properly handle a primitive-returning Promise.resolve in Promise.all Review of attachment 8807174 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/builtin/Promise.cpp @@ +2234,5 @@ > + // In case the value to depend on isn't an object at all, there's nothing > + // more to do here: we can only add reactions to Promise objects > + // (potentially after unwrapping them), and non-object values can't be > + // Promise objects. This can happen if Promise.all is called on an object > + // with a a `resolve` method that returns primitives. with a
Attachment #8807174 -
Flags: review?(arai.unmht) → review+
Updated•8 years ago
|
status-firefox49:
--- → unaffected
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
Flags: in-testsuite+
Comment 5•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/33c17b8aae5a
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Updated•8 years ago
|
Status: RESOLVED → VERIFIED
Comment 6•8 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•8 years ago
|
Group: javascript-core-security → core-security-release
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•