Crash [@ FindWatchPoint] involving new Script('') and GC

VERIFIED FIXED in mozilla1.9alpha1

Status

Core
JavaScript Engine
P1
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: brendan)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9alpha1
crash, testcase, verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.8.1.1 +
blocking1.8.0.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
In a debug js shell:

js> this.__defineSetter__('x', gc); this.watch('x', new Script('')); x = 3;
Bus error

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   js 	0x00023de0 FindWatchPoint + 72 (jsdbgapi.c:305)
1   js 	0x00023e6c js_FindWatchPoint + 48 (jsdbgapi.c:316)
2   js 	0x00072bb0 js_AddScopeProperty + 2424 (jsscope.c:1139)
3   js 	0x000731a4 js_ChangeScopePropertyAttrs + 840 (jsscope.c:1284)
4   js 	0x00048b24 js_ChangeNativePropertyAttrs + 124 (jsobj.c:2906)
5   js 	0x00024e9c JS_SetWatchPoint + 1864 (jsdbgapi.c:562)
6   js 	0x00043754 obj_watch + 308 (jsobj.c:1453)
7   js 	0x00095124 js_Invoke + 3912 (jsinterp.c:1396)
8   js 	0x000a8178 js_Interpret + 69376 (jsinterp.c:3948)
9   js 	0x00095d40 js_Execute + 960 (jsinterp.c:1643)
10  js 	0x00021564 JS_ExecuteScript + 64 (jsapi.c:4194)
...

Security-sensitive because some of the other FindWatchPoint crashes were trying to access addresses like 0xdbdbdbdb.
(Reporter)

Updated

11 years ago
Summary: Crash [@ FindWatchPoint] involving new Script('') → Crash [@ FindWatchPoint] involving new Script('') and GC
(Assignee)

Comment 1

11 years ago
Created attachment 246340 [details] [diff] [review]
fix

obj_watch allows any callable, and so does JS_SetWatchPoint.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #246340 - Flags: review?(mrbkap)
(Assignee)

Updated

11 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 246340 [details] [diff] [review]
fix

>Index: jsdbgapi.c
>+                if (clasp == &js_FunctionClass)
>+                    fun = (JSFunction *) JS_GetPrivate(cx, closure);
>+                else if (clasp == &js_ScriptClass)
>+                    script = (JSScript *) JS_GetPrivate(cx, closure);

If we're dealing with a function, then we'll never set script.
(Assignee)

Comment 3

11 years ago
Created attachment 246407 [details] [diff] [review]
fix, v2

Fixed, thanks.

/be
Attachment #246340 - Attachment is obsolete: true
Attachment #246407 - Flags: review?(mrbkap)
Attachment #246340 - Flags: review?(mrbkap)
(Assignee)

Comment 4

11 years ago
Reminder to land assertion fix from bug 361558 along with this bug's patch on the 1.8 branch.

/be
Comment on attachment 246407 [details] [diff] [review]
fix, v2

Looks great.
Attachment #246407 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 6

11 years ago
Fixed on trunk:

Checking in jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.77; previous revision: 3.76
done
Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.303; previous revision: 3.302
done

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Resolution: --- → FIXED
(Assignee)

Comment 7

11 years ago
Created attachment 246421 [details] [diff] [review]
1.8 branch version of fix

This syncs jsdbgapi.c on the 1.8 branch with the top trunk revision.

/be
Attachment #246421 - Flags: review+
Attachment #246421 - Flags: approval1.8.1.1?
Created attachment 246499 [details]
js1_5/Regress/regress-361552.js

Reliably crashes the shell before the fixes, but not the browser.
Flags: in-testsuite+
verified fixed 20061125 1.9 windows/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical?]
Comment on attachment 246421 [details] [diff] [review]
1.8 branch version of fix

approved for 1.8 branch, a=dveditz for drivers
Do we need a separate 1.8.0 patch?
Attachment #246421 - Flags: approval1.8.1.1? → approval1.8.1.1+
(Assignee)

Comment 11

11 years ago
Fixed on the 1.8 branch:

Checking in jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.56.2.11; previous revision: 3.56.2.10
done
Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.43; previous revision: 3.208.2.42
done

1.8.0 branch patch next.

/be
Keywords: fixed1.8.1.1
(Assignee)

Comment 12

11 years ago
Created attachment 246699 [details] [diff] [review]
1.8.0 branch version of patch

Deserves a re-review by mrbkap, and testing by anyone who can help.  Blake, note that lacking JSOP_STOP on the old branch, I just made frame.pc point to the first bytecode.

/be
Attachment #246699 - Flags: review?(mrbkap)
Attachment #246699 - Flags: approval1.8.0.9?

Updated

11 years ago
Attachment #246699 - Flags: review?(mrbkap) → review+
Comment on attachment 246699 [details] [diff] [review]
1.8.0 branch version of patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #246699 - Flags: approval1.8.0.9? → approval1.8.0.9+
(Assignee)

Comment 14

11 years ago
Checked into the 1.8.0 branch:

Checking in jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.56.2.1.4.5; previous revision: 3.56.2.1.4.4
done
Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.12.2.18; previous revision: 3.208.2.12.2.17
done

/be
Keywords: fixed1.8.0.9
verified fixed 20061128 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Keywords: fixed1.8.0.9, fixed1.8.1.1 → verified1.8.0.9, verified1.8.1.1
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-361552.js,v  <--  regress-361552.js
(Reporter)

Updated

10 years ago
No longer blocks: 349611
(Reporter)

Updated

10 years ago
Blocks: 349611
Crash Signature: [@ FindWatchPoint]