Closed Bug 1500255 Opened 2 years ago Closed 2 years ago

Crash [@ ??] with Array.prototype.__proto__

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla65
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 --- verified

People

(Reporter: decoder, Assigned: djvj)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,origRev=c29f681979ee,testComment=3])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 8f709fd4aa46 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=100):

Array.prototype.__proto__ = function() {};
var LENGTH = 1024;
var big = [];
for (var i = 0; i < LENGTH; i++)
  big[i] = i;


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00007ffff4e003e0 in ?? ()
#0  0x00007ffff4e003e0 in ?? ()
#1  0x00007ffff4e003e0 in ?? ()
#2  0x00007ffff4e003e0 in ?? ()
#3  0x00007ffff4e003e0 in ?? ()
#4  0x00007ffff4e003e0 in ?? ()
[...]
#127 0x00007ffff4e003e0 in ?? ()
rax	0x400	1024
rbx	0xfff88000000003ff	-2111062325328897
rcx	0xfff9800000000000	-1829587348619264
rdx	0x3ff	1023
rsi	0x0	0
rdi	0x7fffffffb230	140737488335408
rbp	0x7fffffffc718	140737488340760
rsp	0x7fffffffb398	140737488335768
r8	0x7fffffffb2a8	140737488335528
r9	0x400	1024
r10	0x7fffffffb328	140737488335656
r11	0x7ffff4d8a060	140737301225568
r12	0x0	0
r13	0x0	0
r14	0x7ffff4e003e0	140737301709792
r15	0x7ffff4833028	140737295626280
rip	0x7ffff4e003e0	140737301709792
=> 0x7ffff4e003e0:	sarb   -0x28(%rcx)
   0x7ffff4e003e3:	hlt
Could be a variant of bug 1500255 due to similar testcases.
(In reply to Christian Holler (:decoder) from comment #1)
> Could be a variant of bug 1500255 due to similar testcases.

I meant bug 1500254 (doh!).
This is an automated crash issue comment:

Summary: Crash [@ js::ObjectMayHaveExtraIndexedProperties]
Build version: mozilla-central revision 8f709fd4aa46
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --ion-eager

Testcase:

Array.prototype.__proto__ = null;
Array.prototype[1] = 'bar';

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::ObjectMayHaveExtraIndexedProperties (obj=0x0) at js/src/builtin/Array.cpp:1053
#0  js::ObjectMayHaveExtraIndexedProperties (obj=0x0) at js/src/builtin/Array.cpp:1053
#1  0x0000555555b6bbae in js::jit::SetPropIRGenerator::tryAttachAddOrUpdateSparseElement (this=this@entry=0x7fffffffc890, obj=..., obj@entry=..., objId=objId@entry=..., index=<optimized out>, indexId=..., rhsId=..., rhsId@entry=...) at js/src/jit/CacheIR.cpp:4118
#2  0x0000555555b6c0c2 in js::jit::SetPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffc890) at js/src/jit/CacheIR.cpp:3453
#3  0x0000555555ae25ef in js::jit::DoSetElemFallback (cx=<optimized out>, frame=0x7fffffffcb68, stub_=<optimized out>, stack=0x7fffffffcb50, objv=..., index=..., rhs=...) at js/src/jit/BaselineIC.cpp:1984
#4  0x000025509a2a9a6d in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x38	56
rcx	0x1	1
rdx	0x7fffffffc5e0	140737488340448
rsi	0x7fffffffca20	140737488341536
rdi	0x0	0
rbp	0x7fffffffc5a0	140737488340384
rsp	0x7fffffffc550	140737488340304
r8	0x3	3
r9	0x2	2
r10	0x7fffffffc5e0	140737488340448
r11	0x7ffff4dae040	140737301372992
r12	0x1	1
r13	0x7fffffffc6e0	140737488340704
r14	0x0	0
r15	0x0	0
rip	0x55555598429a <js::ObjectMayHaveExtraIndexedProperties(JSObject*)+42>
=> 0x55555598429a <js::ObjectMayHaveExtraIndexedProperties(JSObject*)+42>:	mov    (%rdi),%rax
   0x55555598429d <js::ObjectMayHaveExtraIndexedProperties(JSObject*)+45>:	cmp    %r12,0x8(%rax)


Probably also related to this.
Marking as fuzzblocker due to the amount of different signatures.
Flags: needinfo?(tcampbell)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Blocks: 1494537
Flags: needinfo?(tcampbell)
Priority: -- → P1
Assigning :djvj so he can fix original patch and handle these testcases.
Assignee: nobody → kvijayan
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,origRev=c29f681979ee,testComment=3]
The testcase in comment 3 still reproduces as of m-c rev c29f681979ee even after the re-landing of bug 1494537.
Flags: needinfo?(kvijayan)
Looking at it now.
Flags: needinfo?(kvijayan)
This is not a high-sec bug, but a pretty obvious DoS bug. Simple fix.
Attachment #9019741 - Flags: review?(tcampbell)
Comment on attachment 9019741 [details] [diff] [review]
fix-bug-1500255.patch

Review of attachment 9019741 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/CacheIR.cpp
@@ +4099,2 @@
>      // Indexed properties on the prototype chain aren't handled by the helper.
>      if (ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) {
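Review bot: the condition at CacheIR.cpp:4099 passes `aobj->staticPrototype()` straight into `ObjectMayHaveExtraIndexedProperties`, which dereferences its argument (the comment 3 backtrace shows the crash inside that function at Array.cpp:1053 with obj=0x0), so an object whose prototype chain has been cut off with `Array.prototype.__proto__ = null` takes this path with a null pointer. Guard the call with `aobj->staticPrototype() != nullptr &&` so that a missing prototype is treated as "no extra indexed properties" and stub attachment continues.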

if (aobj->staticPrototype() != nullptr &&
    ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype()))
{

If we don't have a prototype it is fine to continue. (Note that a non-static prototype doesn't return nullptr here but rather asserts)
Attachment #9019741 - Flags: review?(tcampbell) → review+
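The two testcases on this bug only show the crash; the following is an added regression check, written here rather than taken from the mozilla-central tree, that exercises the same conditions (sparse indexed writes while Array.prototype's own prototype is replaced or removed) and returns the values a correctly behaving engine must produce. The function name `runNullProtoSparseWrites` and the result keys are assumptions of this example; `Object.setPrototypeOf` is used in place of the testcases' `__proto__` assignment because once the chain is cut the `__proto__` accessor is no longer reachable to restore it.

```javascript
'use strict';

// Constructed regression check for the testcases in comment 0 and comment 3.
// On an engine with the CacheIR null-prototype bug the sparse writes below
// crash; on a fixed engine the function returns the values asserted by the
// caller. State is restored afterwards so the rest of the process is unaffected.
function runNullProtoSparseWrites() {
  const savedProto = Object.getPrototypeOf(Array.prototype);
  const results = {};
  try {
    // Comment 0: Array.prototype's prototype becomes a function object.
    Object.setPrototypeOf(Array.prototype, function () {});
    const big = [];
    for (let i = 0; i < 1024; i++) big[i] = i;
    results.denseLength = big.length;   // 1024
    results.denseLast = big[1023];      // 1023

    // Comment 3: the prototype chain is cut off entirely, then an indexed
    // property is written to Array.prototype itself (the crashing statement).
    Object.setPrototypeOf(Array.prototype, null);
    Array.prototype[1] = 'bar';
    const sparse = [];
    sparse[5] = 'x';                    // sparse element with a null proto chain
    results.protoElement = [][1];       // 'bar', resolved through Array.prototype
    results.sparseLength = sparse.length;  // 6
    results.ownSparse = sparse[5];      // 'x'
    results.hasOwn1 = Object.prototype.hasOwnProperty.call(sparse, 1); // false
  } finally {
    // Undo the global pollution regardless of how the checks went.
    delete Array.prototype[1];
    Object.setPrototypeOf(Array.prototype, savedProto);
  }
  return results;
}
```

Because the setup mutates `Array.prototype` for the whole realm, the `finally` block is essential: without it, every later array in the process would see a phantom element at index 1 and lose `Object.prototype` methods.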
https://hg.mozilla.org/integration/mozilla-inbound/rev/5671f49a7aa58b30a557cb965fe422a285613a2b
https://hg.mozilla.org/mozilla-central/rev/5671f49a7aa5
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release