Last Comment Bug 371292 - Crash [@ js_AtomToPrintableString]
: Crash [@ js_AtomToPrintableString]
: crash, regression, verified1.8.1.15
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
-- critical (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
: Jason Orendorff [:jorendorff]
: 431409 (view as bug list)
Depends on:
Blocks: 326633 365869
  Show dependency treegraph
Reported: 2007-02-22 12:06 PST by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT (History)
9 users (show)
dveditz: blocking1.8.1.15+
dveditz: wanted1.8.1.x+
bob: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Fix (1001 bytes, patch)
2007-02-22 12:28 PST, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.8.1.15+
Details | Diff | Splinter Review

Description User image Jesse Ruderman 2007-02-22 12:06:34 PST
This crash occurred about 5 times last night (out of about a hundred tests related to bug 326633).  I can't reproduce it on demand so I can't make a reduced testcase.

Regression from bug 365869?

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000009

Thread 0 Crashed:
0   libmozjs.dylib           	0x01023ff0 js_AtomToPrintableString + 15 (jsatom.c:63)
1   libmozjs.dylib           	0x0105e5fb js_CheckRedeclaration + 740 (jsinterp.c:1814)
2   libmozjs.dylib           	0x01074fdf js_Interpret + 91003 (jsinterp.c:5290)
3   libmozjs.dylib           	0x0105d41a js_Invoke + 3423 (jsinterp.c:1367)
4   libmozjs.dylib           	0x0105d7b0 js_InternalInvoke + 309 (jsinterp.c:1442)
5   libmozjs.dylib           	0x0101d53b JS_CallFunctionValue + 60 (jsapi.c:4368)
6   libgklayout.dylib        	0x18781e2a nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 1228 (nsJSEnvironment.cpp:1774)
7   libgklayout.dylib        	0x187a4574 nsGlobalWindow::RunTimeout(nsTimeout*) + 1778 (nsGlobalWindow.cpp:6772)
8   libgklayout.dylib        	0x187a4a62 nsGlobalWindow::TimerCallback(nsITimer*, void*) + 54 (nsGlobalWindow.cpp:7103)
9   libxpcom_core.dylib      	0x0134c7f4 nsTimerImpl::Fire() + 892 (nsTimerImpl.cpp:384)
10  libxpcom_core.dylib      	0x0134c9a1 nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
11  libxpcom_core.dylib      	0x01348a58 nsThread::ProcessNextEvent(int, int*) + 556 (nsThread.cpp:483)
Comment 1 User image Blake Kaplan (:mrbkap) 2007-02-22 12:27:25 PST
Oops, this is all me.
Comment 2 User image Blake Kaplan (:mrbkap) 2007-02-22 12:28:53 PST
Created attachment 256066 [details] [diff] [review]
Comment 3 User image Blake Kaplan (:mrbkap) 2007-02-22 12:29:24 PST
Oh, and the reduced testcase is:
js> ({1:1,1:2})
typein:1: strict warning: redeclaration of property 1
Comment 4 User image Brendan Eich [:brendan] 2007-02-22 12:51:36 PST
Comment on attachment 256066 [details] [diff] [review]

Yoiks. Should have seen this too. Did I ever file that bug on eliminating jsid by making it be jsval?

Comment 5 User image Blake Kaplan (:mrbkap) 2007-02-22 13:06:50 PST
Fix checked in.
Comment 6 User image Bob Clary [:bc:] 2007-03-20 01:47:25 PDT
Back in the day, I couldn't reproduce the crash in this bug but I've added the reduced testcase in comment 3 to 

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-365869.js,v  <--  regress-365869.js
new revision: 1.2; previous revision: 1.1
Comment 7 User image Bob Clary [:bc:] 2007-03-21 15:35:31 PDT
verified fixed 1.9.0 20070320 win/mac*/linux
Comment 8 User image Igor Bukanov 2008-05-30 00:40:40 PDT
*** Bug 431409 has been marked as a duplicate of this bug. ***
Comment 9 User image Igor Bukanov 2008-05-30 00:46:30 PDT
The bug exists on the 1.8 branch and leads to branch crashes with the following example:

"012345".__defineSetter__(5, function(){});

Comment 10 User image Igor Bukanov 2008-05-30 00:48:05 PDT
I nominate this bug to as the bug 431409 (marked as a dup of this bug) is blocking .15 release.
Comment 11 User image Igor Bukanov 2008-05-30 00:49:30 PDT
Comment on attachment 256066 [details] [diff] [review]

The patch applies as-is to the 1.8 branch.
Comment 12 User image Daniel Veditz [:dveditz] 2008-05-30 11:32:07 PDT
Comment on attachment 256066 [details] [diff] [review]

Approved for, a=dveditz for release-drivers
Comment 13 User image Daniel Veditz [:dveditz] 2008-05-30 14:16:48 PDT
Is this really a regression? It appears to affect the 1.8 branch as well, but the proposed regressing bug 365869 didn't land there.
Comment 14 User image Daniel Veditz [:dveditz] 2008-05-30 14:18:27 PDT
And how bad is it as a security bug? so far we've only seen accesses (not execution) of small offsets from null.
Comment 15 User image Igor Bukanov 2008-05-31 01:51:28 PDT
(In reply to comment #14)
> And how bad is it as a security bug? so far we've only seen accesses (not
> execution) of small offsets from null.

Just replace the number 5 in the example from the bug 431409 (also duplicated in the comment 9 here) by any other number and the access can be made at the arbitrary odd address from 0..2**32 range. Since the code then accesses a word at that address that is feed to js_ValueToPrintableString, one can prepare a pointer there that resembles JSObject* with the toString converter pointing to a script-prepared native code. 
Comment 16 User image Daniel Veditz [:dveditz] 2008-05-31 23:55:56 PDT
I'd like to say that sounds impossible to exploit in practice, but given recent amazingly hacks -- like -- I wouldn't want to stake my life on it.
Comment 17 User image Daniel Veditz [:dveditz] 2008-06-01 00:06:44 PDT
mrbkap's out for the month and I can't check in to mozilla/js -- Igor, Gavin or Crowder, could any of you check this in on the 1.8 branch please? Thanks
Comment 18 User image Daniel Veditz [:dveditz] 2008-06-01 00:07:29 PDT
I can verify that the patch in the bug does nicely stop the crash.
Comment 19 User image Jeff Walden [:Waldo] (remove +bmo to email) 2008-06-01 16:45:40 PDT
random-three-o-eight:~/moz/branch18/mozilla/js/src jwalden$ cvs st jsinterp.c 
File: jsinterp.c        Status: Locally Modified

   Working revision:
   Repository revision:      /cvsroot/mozilla/js/src/jsinterp.c,v
   Sticky Tag:          MOZILLA_1_8_BRANCH (branch: 3.181.2)
   Sticky Date:         (none)
   Sticky Options:      (none)

random-three-o-eight:~/moz/branch18/mozilla/js/src jwalden$ cvs ci -m "Bug 371292 - p=igor, r=brendan, a=dveditz" jsinterp.c
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision:; previous revision:
Comment 20 User image Bob Clary [:bc:] 2008-06-10 17:10:43 PDT linux/mac/win tested with comment 9 added to js1_5/extensions/regress-365869.js with no crashes.

Note You need to log in before you can comment on or make changes to this bug.