Closed Bug 1314386 Opened 3 years ago Closed 3 years ago

Crash [@ JSObject::getClass] with invalid read or Assertion failure: isObject(), at dist/include/js/Value.h:657

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla52
Tracking Status
firefox49 --- unaffected
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- verified

People

(Reporter: decoder, Assigned: till)

References

(Blocks 1 open bug)

Details

(6 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 2c773b971672 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe):

for (var i = 3; i >= 0; i--) {}
Promise.all.call(class {
    constructor(exec) {
        exec(() => {}, () => {});
    }
    static resolve() {
        return (new.target) * (this) + (this) + (3 - i % 4) * 8 + ("a, b");
    }
}, [("function")]);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a61295 in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#0  0x0000000000a61295 in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#1  JSObject::getOpsGetProperty (this=0x7ffff0690160) at js/src/jsobj.h:139
#2  js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.h:1531
#3  js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846
#4  js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:862
#5  BlockOnPromise (cx=cx@entry=0x7ffff695f000, promiseObj=promiseObj@entry=..., blockedPromise_=..., blockedPromise_@entry=..., onFulfilled=..., onFulfilled@entry=..., onRejected=..., onRejected@entry=...) at js/src/builtin/Promise.cpp:2183
#6  0x0000000000a891ee in PerformPromiseAll (reject=..., resolve=..., promiseObj=..., C=..., iterator=..., cx=0x7ffff695f000) at js/src/builtin/Promise.cpp:1661
#7  Promise_static_all (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1337
#8  0x0000000000922570 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:239
#9  js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:458
#10 0x00000000009226b5 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:503
#11 0x0000000000922718 in js::Call (cx=cx@entry=0x7ffff695f000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:522
#12 0x00000000007f4d6a in js::fun_call (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7ffff03b5090) at js/src/jsfun.cpp:1252
#13 0x0000000000922570 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:239
#14 js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:458
#15 0x000000000091d9c8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:509
#16 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2922
#17 0x00000000009221dc in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:404
#18 0x0000000000927f8e in js::ExecuteKernel (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:685
#19 0x00000000009280e5 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:718
#20 0x000000000074db04 in ExecuteScript (cx=cx@entry=0x7ffff695f000, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4309
#21 0x0000000000753c7a in JS_ExecuteScript (cx=cx@entry=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4342
#22 0x000000000042a0c4 in RunFile (compileOnly=false, file=0x7ffff03d4000, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:650
#23 Process (cx=cx@entry=0x7ffff695f000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1068
#24 0x0000000000435553 in ProcessArgs (op=0x7fffffffdae0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7192
#25 Shell (envp=<optimized out>, op=0x7fffffffdae0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7550
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7928
rax	0x4200000040	283467841600
rbx	0x7ffff695f000	140737330409472
rcx	0x7fffffffc840	140737488341056
rdx	0x7fffffffc820	140737488341024
rsi	0x7fffffffcbe0	140737488341984
rdi	0x7ffff695f000	140737330409472
rbp	0x7fffffffc810	140737488341008
rsp	0x7fffffffc700	140737488340736
r8	0x7fffffffc740	140737488340800
r9	0x7ffff695f940	140737330411840
r10	0x0	0
r11	0x7ffff74b4740	140737342293824
r12	0x7fffffffc830	140737488341040
r13	0x7fffffffcbe0	140737488341984
r14	0x7fffffffc730	140737488340784
r15	0x0	0
rip	0xa61295 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+293>
=> 0xa61295 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+293>:	mov    (%rax),%rax
   0xa61298 <BlockOnPromise(JSContext*, JS::HandleObject, JS::HandleObject, JS::HandleValue, JS::HandleValue)+296>:	mov    0x28(%rax),%rax


This looks bad, reading from a weird address, marking s-s and sec-critical.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161028145321" and the hash "c6587fbc2dbe99f0fabc25454dbe8a02e1eeccf4".
The "bad" changeset has the timestamp "20161028151321" and the hash "72764ba31b81562e3069f6935da33cae06fe6b00".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c6587fbc2dbe99f0fabc25454dbe8a02e1eeccf4&tochange=72764ba31b81562e3069f6935da33cae06fe6b00
Till, is bug 1313049 a likely regressor?
Blocks: 1313049
Flags: needinfo?(till)
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8807174 - Flags: review?(arai.unmht)
Comment on attachment 8807174 [details] [diff] [review]
Properly handle a primitive-returning Promise.resolve in Promise.all

Review of attachment 8807174 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/Promise.cpp
@@ +2234,5 @@
> +    // In case the value to depend on isn't an object at all, there's nothing
> +    // more to do here: we can only add reactions to Promise objects
> +    // (potentially after unwrapping them), and non-object values can't be
> +    // Promise objects. This can happen if Promise.all is called on an object
> +    // with a a `resolve` method that returns primitives.

with a
Attachment #8807174 - Flags: review?(arai.unmht) → review+
https://hg.mozilla.org/mozilla-central/rev/33c17b8aae5a
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.