Closed Bug 1788535 Opened 3 years ago Closed 3 years ago

Records-and-Tuples crash in ToBoolean / v.isObject()

Categories

(Core :: JavaScript Engine, defect, P2)

defect

Tracking


RESOLVED DUPLICATE of bug 1765477
Tracking Status
firefox106 --- disabled
firefox107 --- disabled
firefox108 --- disabled

People

(Reporter: tcampbell, Unassigned)

References

(Blocks 1 open bug)

Details

Crash with Records/Tuples and ToBoolean:

!#[]

Assertion:

Assertion failure: v.isObject(), at /home/tcampbell/projects/gecko.dev/js/src/builtin/Boolean.cpp:170

Stack:

#0  0x000055555742fa69 in js::ToBooleanSlow (v=...) at /home/tcampbell/projects/gecko.dev/js/src/builtin/Boolean.cpp:170
#1  0x000055555723e28f in JS::ToBoolean (v=...) at /home/tcampbell/projects/gecko.dev/obj-dbg-spidermonkey/dist/include/js/Conversions.h:128
#2  0x00005555573d6504 in Interpret (cx=0x7ffff692a100, state=...) at /home/tcampbell/projects/gecko.dev/js/src/vm/Interpreter.cpp:2869
#3  0x00005555573cef51 in js::RunScript (cx=0x7ffff692a100, state=...) at /home/tcampbell/projects/gecko.dev/js/src/vm/Interpreter.cpp:430
#4  0x00005555573e8831 in js::ExecuteKernel (cx=0x7ffff692a100, script=..., envChainArg=..., evalInFrame=..., result=...) at /home/tcampbell/projects/gecko.dev/js/src/vm/Interpreter.cpp:824
#5  0x00005555573e8ba4 in js::Execute (cx=0x7ffff692a100, script=..., envChain=..., rval=...) at /home/tcampbell/projects/gecko.dev/js/src/vm/Interpreter.cpp:856
#6  0x00005555575dd94e in ExecuteScript (cx=0x7ffff692a100, envChain=..., script=..., rval=...) at /home/tcampbell/projects/gecko.dev/js/src/vm/CompilationAndEvaluation.cpp:520
#7  0x00005555575dd70d in JS_ExecuteScript (cx=0x7ffff692a100, scriptArg=..., rval=...) at /home/tcampbell/projects/gecko.dev/js/src/vm/CompilationAndEvaluation.cpp:537
#8  0x000055555722a813 in EvalUtf8AndPrint (cx=0x7ffff692a100, bytes=0x7fffffffd630 "!#[]\n", '\252' <repeats 27 times>, length=5, lineno=1, compileOnly=false)
    at /home/tcampbell/projects/gecko.dev/js/src/shell/js.cpp:1512
#9  0x0000555557229ddf in ReadEvalPrintLoop (cx=0x7ffff692a100, in=0x7ffff7c3aaa0 <_IO_2_1_stdin_>, compileOnly=false) at /home/tcampbell/projects/gecko.dev/js/src/shell/js.cpp:1589
#10 0x00005555572291df in Process (cx=0x7ffff692a100, filename=0x0, forceTTY=false, kind=FileScript) at /home/tcampbell/projects/gecko.dev/js/src/shell/js.cpp:1679
#11 0x0000555557201a31 in ProcessArgs (cx=0x7ffff692a100, op=0x7fffffffdc28) at /home/tcampbell/projects/gecko.dev/js/src/shell/js.cpp:10601
#12 0x00005555571f42fb in Shell (cx=0x7ffff692a100, op=0x7fffffffdc28) at /home/tcampbell/projects/gecko.dev/js/src/shell/js.cpp:11352
#13 0x00005555571eeeec in main (argc=1, argv=0x7fffffffdee8) at /home/tcampbell/projects/gecko.dev/js/src/shell/js.cpp:12452

To be clear, this is with ac_add_options --enable-record-tuple which is disabled by default.

Severity: -- → S3
Priority: -- → P2

I'll assume this is some kind of type confusion...

Looks like this was fixed in bug 1765477. (See comment 5: "In addition, js::ToBooleanSlow() was missing a case for ExtendedPrimitives, which would also cause an assertion failure in the same scenario.")

I don't think the type confusion was exploitable; in a release build, we would xor an ExtendedPrimitiveValue with the Object tag (leaving some high bits above bit 48 set) and try to dereference it, which would immediately crash.

Status: NEW → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1765477
Resolution: --- → DUPLICATE
Group: javascript-core-security
Keywords: sec-high
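As an added illustration of the release-build behaviour described in the last comment (not SpiderMonkey's own code: the boxed-value layout, the tag constants and the truthiness of records and tuples are assumptions), here is a model of the missing ToBooleanSlow case beside a fixed version, showing why untagging a mis-typed value leaves bits set above bit 48:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed boxed-value layout for illustration (not SpiderMonkey's real
 * JS::Value constants): 16-bit type tag in bits 48..63, 48-bit payload below. */
#define TAG_SHIFT    48
#define TAG_BOOLEAN  ((uint64_t)0xFFF2)  /* placeholder tag values */
#define TAG_EXTENDED ((uint64_t)0xFFFB)  /* hypothetical record/tuple tag */
#define TAG_OBJECT   ((uint64_t)0xFFFC)
#define PAYLOAD_MASK (((uint64_t)1 << TAG_SHIFT) - 1)

typedef uint64_t Value;

static Value box(uint64_t tag, uint64_t payload) { return (tag << TAG_SHIFT) | (payload & PAYLOAD_MASK); }
static uint64_t tag_of(Value v) { return v >> TAG_SHIFT; }

/* Release-build untagging: XOR the Object tag out without checking it. For a
 * mis-typed value the differing tag bits survive at and above bit 48. */
static uint64_t object_ptr_unchecked(Value v) { return v ^ (TAG_OBJECT << TAG_SHIFT); }
/* A user-space pointer has nothing set at or above bit 48; anything else is
 * non-canonical and faults on dereference, which is the release-build crash. */
static bool is_canonical_ptr(uint64_t p) { return (p >> TAG_SHIFT) == 0; }

/* Buggy ToBooleanSlow: no case for extended primitives, so a record or tuple
 * falls through to the object path (a debug build asserts isObject() here).
 * Returns 0 on success, -1 where the real code would crash. */
static int to_boolean_buggy(Value v, bool *out) {
  if (tag_of(v) == TAG_BOOLEAN) { *out = (v & 1) != 0; return 0; }
  uint64_t obj = object_ptr_unchecked(v);
  if (!is_canonical_ptr(obj)) return -1;  /* would dereference garbage */
  *out = true;  /* ordinary objects are truthy */
  return 0;
}

/* Fixed version: handle the extended-primitive tag before the object path.
 * Records and tuples are treated as truthy here (assumed semantics). */
static int to_boolean_fixed(Value v, bool *out) {
  if (tag_of(v) == TAG_BOOLEAN) { *out = (v & 1) != 0; return 0; }
  if (tag_of(v) == TAG_EXTENDED) { *out = true; return 0; }
  if (tag_of(v) == TAG_OBJECT) { *out = true; return 0; }
  return -1;  /* unknown tag: refuse rather than guess */
}

int main(void) {
  bool b = false;
  Value tuple = box(TAG_EXTENDED, 0x7f0000001000);  /* models `#[]` */
  int buggy = to_boolean_buggy(tuple, &b), fixed = to_boolean_fixed(tuple, &b);
  printf("buggy=%d fixed=%d truthy=%d\n", buggy, fixed, (int)b);
}
```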