Closed
Bug 1468792
Opened 6 years ago
Closed 6 years ago
Assertion failure: isAtom(), at js/src/vm/StringType.h:500 or Assertion failure: JSString::isFlat(), at vm/StringType.h:913
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla62
| Tracking | Status |
---|---|---
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | unaffected
firefox60 | --- | unaffected
firefox61 | --- | unaffected
firefox62 | --- | verified
People
(Reporter: decoder, Assigned: jonco)
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
2.44 KB, patch | sfink: review+
The following testcase crashes on mozilla-central revision 87b46cd1c941 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-eager):

loadFile(`
  gczeal(2,9);
  evaluate(\`
    reportCompare(expect, actual, summary);
  \`);
`);
function loadFile(lfVarx) {
  try {
    evaluate(lfVarx);
  } catch (lfVare) {}
}
eval("(function(){({6953421313:0})})")();
function f() {
  x[6953421313] = "a";
}
f();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000a2d358 in JSString::asAtom (this=0x7ffff58abba0) at js/src/vm/StringType.h:500
#0  0x0000000000a2d358 in JSString::asAtom (this=0x7ffff58abba0) at js/src/vm/StringType.h:500
#1  INTERNED_STRING_TO_JSID (cx=<optimized out>, str=0x7ffff58abba0) at js/src/jsapi.cpp:5849
#2  0x0000000000a35563 in js::detail::IdMatchesAtom (id=id@entry=..., atom=atom@entry=0x7ffff58abba0) at js/src/jsfriendapi.cpp:1391
#3  0x000000000073622a in NON_INTEGER_ATOM_TO_JSID (atom=0x7ffff58abba0) at js/src/jsfriendapi.h:2688
#4  0x0000000000757211 in js::NameToId (name=0x7ffff5fa2f68) at js/src/vm/StringType.h:1424
#5  js::jit::IonBuilder::setPropTryUnboxed (this=this@entry=0x7ffff5fa21c0, emitted=emitted@entry=0x7fffffffbd7e, obj=0x7ffff5fa2ec0, name=name@entry=0x7ffff58abba0, value=0x7ffff5fa2f68, barrier=barrier@entry=false) at js/src/jit/IonBuilder.cpp:11887
#6  0x00000000007a1dc7 in js::jit::IonBuilder::jsop_setprop (this=this@entry=0x7ffff5fa21c0, name=0x7ffff58abba0) at js/src/jit/IonBuilder.cpp:11496
#7  0x000000000079a272 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff5fa21c0, op=op@entry=JSOP_SETPROP) at js/src/jit/IonBuilder.cpp:2228
#8  0x000000000079b758 in js::jit::IonBuilder::visitBlock (this=this@entry=0x7ffff5fa21c0, cfgblock=cfgblock@entry=0x7ffff5574600, mblock=<optimized out>) at js/src/jit/IonBuilder.cpp:1563
#9  0x000000000079c12d in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff5fa21c0) at js/src/jit/IonBuilder.cpp:1480
#10 0x000000000079cef2 in js::jit::IonBuilder::build (this=this@entry=0x7ffff5fa21c0) at js/src/jit/IonBuilder.cpp:863
#11 0x00000000007aa458 in js::jit::IonCompile (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2116
#12 0x00000000007aae66 in js::jit::Compile (cx=cx@entry=0x7ffff5f17000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2399
#13 0x00000000007aaf8c in js::jit::CanEnterIon (cx=cx@entry=0x7ffff5f17000, state=...) at js/src/jit/Ion.cpp:2483
#14 0x00000000007d6259 in js::jit::MaybeEnterJit (cx=cx@entry=0x7ffff5f17000, state=...) at js/src/jit/Jit.cpp:140
#15 0x00000000005aeac4 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:406
#16 0x00000000005af2a7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493
#17 0x00000000005af55d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:520
#18 0x00000000005af6aa in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:526
#19 0x00000000006982f3 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffcb38, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcaf8, res=...) at js/src/jit/BaselineIC.cpp:2372
#20 0x00003f2dbd6ab5ac in ?? ()
[...]
#30 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7ffff58abba0 140737312897952
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffbca0 140737488338080
rsp 0x7fffffffbc90 140737488338064
r8  0x7ffff6ef7770 140737336276848
r9  0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7fffffffbd7e 140737488338302
r13 0x7ffff5fa2ec0 140737320201920
r14 0x7ffff5fa2f68 140737320202088
r15 0x7ffff5fa2568 140737320199528
rip 0xa2d358 <INTERNED_STRING_TO_JSID(JSContext*, JSString*)+168>
=> 0xa2d358 <INTERNED_STRING_TO_JSID(JSContext*, JSString*)+168>: movl $0x0,0x0
   0xa2d363 <INTERNED_STRING_TO_JSID(JSContext*, JSString*)+179>: ud2

Marking this s-s because the test involves GC and both assertions can indicate security problems.
Comment 1•6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6d741e95201a
user:      Jon Coppeard
date:      Mon Jun 04 15:25:45 2018 +0100
summary:   Bug 1466171 - Allow collection of atoms while the main thread is parsing r=sfink

This iteration took 318.680 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 2•6 years ago
A very similar testcase crashes with 0x4b4b4b4b, so this is likely a use-after-free; marking sec-high. Needinfo from Jon based on comment 1.
Flags: needinfo?(jcoppeard)
Keywords: csectype-uaf, sec-high
Assignee
Comment 3•6 years ago
This is almost certainly my fault. I'll investigate next week when I have access to a machine I can run rr on.
Assignee
Comment 4•6 years ago
We need to purge the dtoa cache at the same time as we purge the atom cache as this can also give out pointers to atoms. Purging the dtoa cache forces atoms to be re-added/looked up and hence added to the atom cache.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8985941 - Flags: review?(sphink)
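The failure mode comment 4 describes, modelled as an added example (this is constructed illustration code, not SpiderMonkey's; the `toy::Runtime`, its index-addressed arena and the cache names are assumptions): two caches hand out raw atom pointers, the atoms table is swept, and only one cache is purged. The 0x4b pattern from comment 2 is used here as the byte written into swept cells, so a stale cache entry can be recognised without dereferencing freed memory.

```cpp
// Toy model of an atoms table, a per-zone atom cache and a dtoa cache that all
// hand out atom pointers. Constructed for illustration; not SpiderMonkey code.
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <unordered_map>
#include <vector>

namespace toy {

constexpr uint8_t kSweptPoison = 0x4b;  // byte written into swept cells (cf. 0x4b4b4b4b in comment 2)
constexpr size_t kAtomBytes = 16;

struct AtomCell {
    bool live = false;
    std::array<uint8_t, kAtomBytes> chars{};
};

struct Runtime {
    std::vector<AtomCell> arena;                        // GC heap of atom cells, addressed by index
    std::unordered_map<std::string, size_t> atomsTable; // canonical atoms table (swept by the GC)
    std::unordered_map<std::string, size_t> atomCache;  // per-zone atom cache: string -> atom
    std::unordered_map<double, size_t> dtoaCache;       // number -> atom holding its decimal form
    std::vector<size_t> roots;                          // atoms the running program still references

    // Create or find the canonical atom for s.
    size_t atomize(const std::string& s) {
        auto it = atomsTable.find(s);
        if (it != atomsTable.end()) return it->second;
        AtomCell cell;
        cell.live = true;
        std::memcpy(cell.chars.data(), s.data(), std::min(s.size(), kAtomBytes));
        arena.push_back(cell);
        size_t idx = arena.size() - 1;
        atomsTable.emplace(s, idx);
        return idx;
    }

    // Number-to-string conversion memoised in the dtoa cache. This path also
    // returns atom pointers, which is the point comment 4 makes.
    size_t numberToAtom(double d) {
        auto it = dtoaCache.find(d);
        if (it != dtoaCache.end()) return it->second;
        char buf[32];
        std::snprintf(buf, sizeof buf, "%.0f", d);
        size_t idx = atomize(buf);
        dtoaCache.emplace(d, idx);
        return idx;
    }

    // Collect atoms: sweep every cell no root reaches, drop it from the atoms
    // table and poison it. Every cache holding raw atom pointers must be purged
    // here; purgeDtoaCache=false models the bug, true models the fix.
    void collectAtoms(bool purgeDtoaCache) {
        std::vector<bool> marked(arena.size(), false);
        for (size_t r : roots) marked[r] = true;
        for (size_t i = 0; i < arena.size(); ++i) {
            if (arena[i].live && !marked[i]) {
                arena[i].live = false;
                arena[i].chars.fill(kSweptPoison);
            }
        }
        for (auto it = atomsTable.begin(); it != atomsTable.end();) {
            if (!arena[it->second].live) it = atomsTable.erase(it);
            else ++it;
        }
        atomCache.clear();                      // already purged before the fix
        if (purgeDtoaCache) dtoaCache.clear();  // the fix: purge this cache as well
    }

    // True if any cache entry still points at a swept cell.
    bool hasDanglingCacheEntry() const {
        for (const auto& e : atomCache) if (!arena[e.second].live) return true;
        for (const auto& e : dtoaCache) if (!arena[e.second].live) return true;
        return false;
    }
};

// Sequence from the testcase: a numeric key is converted to an atom (filling
// the dtoa cache) without being rooted, atoms are collected, then the same
// number is converted again. Returns true when the second conversion hands
// back a swept, poisoned atom, i.e. the use-after-free.
bool secondUseIsDangling(bool purgeDtoaCache) {
    Runtime rt;
    rt.numberToAtom(6953421313.0);
    rt.collectAtoms(purgeDtoaCache);
    size_t idx = rt.numberToAtom(6953421313.0);
    return !rt.arena[idx].live && rt.arena[idx].chars[0] == kSweptPoison;
}

// Cache-level check after one collection, with a rooted atom that must survive.
bool cacheDanglesAfterCollect(bool purgeDtoaCache) {
    Runtime rt;
    rt.numberToAtom(42.0);
    rt.roots.push_back(rt.atomize("rooted"));
    rt.collectAtoms(purgeDtoaCache);
    return rt.hasDanglingCacheEntry();
}

}  // namespace toy

int main() {
    std::printf("without dtoa purge: dangling=%d\n", toy::secondUseIsDangling(false));
    std::printf("with dtoa purge:    dangling=%d\n", toy::secondUseIsDangling(true));
    return 0;
}
```

The invariant the model makes visible is the one the patch restores: every cache that stores a raw pointer into a GC'd table must be purged in the same place the table is swept, or the next cache hit returns a freed cell.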
Comment 5•6 years ago
Comment on attachment 8985941 [details] [diff] [review]
bug1468792-atom-cache

Review of attachment 8985941 [details] [diff] [review]:
-----------------------------------------------------------------

Subtle. I can't offhand think of an easy way to catch this sort of thing in the type system.
Attachment #8985941 - Flags: review?(sphink) → review+
Assignee
Comment 6•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7aaaed1a9ef133175a7f18054302e890e451f9eb
Comment 7•6 years ago
https://hg.mozilla.org/mozilla-central/rev/7aaaed1a9ef1
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox60: --- → unaffected
status-firefox61: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 8•6 years ago
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Updated•6 years ago
Group: core-security-release