Closed Bug 1937430 Opened 2 months ago Closed 2 months ago

segment fault in spidermonkey InlineCache

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

defect

Tracking


RESOLVED FIXED
135 Branch
Tracking Status
firefox135 --- fixed

People

(Reporter: neseesun, Assigned: iain)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Attachments

(3 files)

Attached file 7.js

version:

commit e219ba8a080b4c35d8243c4040095ee2bd8dabf4 (HEAD -> bookmarks/central, origin/bookmarks/central, refs/cinnabar/refs/heads/bookmarks/central)
Author: Goloman Adrian <agoloman@mozilla.com>
Date:   Wed Dec 11 21:17:56 2024 +0200

    Backed out changeset 62d0239c5141 (bug 1936381) for causing build bustages @updater.cpp. CLOSED TREE

build with:
../configure --enable-debug --enable-optimize --disable-tests

run with:
./js poc.js

You will see the segment fault (OOB write) in the SpiderMonkey InlineCache module.

Flags: sec-bounty?
Attached file gdb.txt

add gdb crash debug info

Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine: JIT
Product: Firefox → Core

Looks like a problem with the disblic testing function.

Flags: needinfo?(iireland)

If we GC while dumping IC chains, then we can discard stubs with weak edges to dead shapes and end up trying to dump freed stubs.

This is not security-sensitive, because it only affects a testing function.

This was reported along with another issue in bug 1937176, but we'll fix the other issue there, and this bug here.

Group: javascript-core-security
Severity: -- → S4
Flags: needinfo?(iireland)
Priority: -- → P3
See Also: → 1937176

JSSprinter provides all the same functionality as DisasmBuffer. In addition to simplifying the code, by reusing the same JSSprinter for the entirety of a decompilation, we can avoid finishing the string (potentially triggering a GC) until we're done walking the IC chains.

Assignee: nobody → iireland
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
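The failure mode in comment 3 and the fix in comment 4, as a constructed C++ model added here (not SpiderMonkey code): a stub chain with weak edges to shapes, a GC that discards stubs whose shape is dead, and a "sprinter" whose finish() can trigger that GC. Finishing per stub (the DisasmBuffer pattern) lets the GC run mid-walk, so later iterations touch discarded stubs; one sprinter finished after the walk (the JSSprinter pattern) cannot. Every type and function name below is hypothetical.

```cpp
#include <string>
#include <vector>

// Constructed model: a Shape is alive or dead; a Stub holds a weak edge to one.
struct Shape { bool alive; };
struct Stub {
  std::string text;        // disassembly text this stub contributes
  const Shape* weakShape;  // weak edge: GC discards the stub if the shape died
  bool swept;              // stands in for "freed by GC" (never actually freed here)
};

// Model GC: a collection discards every stub whose weak edge points to a dead shape.
struct ModelGC {
  std::vector<Stub>* chain;
  void collect() { for (Stub& s : *chain) if (!s.weakShape->alive) s.swept = true; }
};

// Model sprinter: finishing the string may trigger a GC, as the bug describes.
struct ModelSprinter {
  std::string buf;
  ModelGC* gc;
  void put(const std::string& s) { buf += s; }
  std::string finish() { gc->collect(); return buf; }
};

struct DumpResult { std::string text; int freedStubsTouched; };

// Buggy pattern: one sprinter per stub, finished inside the walk.
DumpResult dumpPerStub(std::vector<Stub>& chain, ModelGC& gc) {
  DumpResult r{"", 0};
  for (Stub& s : chain) {
    if (s.swept) r.freedStubsTouched++;  // real code would be reading freed memory here
    ModelSprinter sp{"", &gc};
    sp.put(s.text);
    r.text += sp.finish();               // may GC while the walk is still in progress
  }
  return r;
}

// Fixed pattern: a single sprinter for the whole walk, finished once afterwards.
DumpResult dumpWholeChain(std::vector<Stub>& chain, ModelGC& gc) {
  DumpResult r{"", 0};
  ModelSprinter sp{"", &gc};
  for (Stub& s : chain) {
    if (s.swept) r.freedStubsTouched++;
    sp.put(s.text);
  }
  r.text = sp.finish();                  // GC can only run after the walk is done
  return r;
}

// Constructed sample chain: the middle stub's shape is dead.
std::vector<Stub> makeSampleChain(const Shape* alive, const Shape* dead) {
  return {Stub{"stub0;", alive, false}, Stub{"stub1;", dead, false}, Stub{"stub2;", alive, false}};
}
```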
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f0d83d656deb Use JSSprinter in captureDisasmText r=jandem
Flags: sec-bounty? → sec-bounty-
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Duplicate of this bug: 1938914
