Closed Bug 398085 Opened 17 years ago Closed 17 years ago

Crash with large switch statement [@ js_Interpret]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: cbook, Assigned: igor)

References

(
URL
)

Details

(4 keywords, Whiteboard: [sg:critical])

Crash Data

Attachments

(9 files, 5 obsolete files)

simplified testcase
40.11 KB, text/html
Details
another testcase
36.50 KB, text/html
Details
fix v2
5.12 KB, patch
brendan
: review+
beltzner
: approvalM9+
brendan
: approval1.9+
Details | Diff | Splinter Review
js1_5/Regress/regress-398085-01.js
38.18 KB, text/plain
Details
js1_5/Regress/regress-398085-02.js
37.43 KB, text/plain
Details
fix for 1.8.1 v1
5.14 KB, patch
igor
: review+
dveditz
: approval1.8.1.12+
Details | Diff | Splinter Review
diff between trunk and 1.8.1 versions of the fix
1.15 KB, text/plain
Details
for 1.8.0
5.30 KB, patch
igor
: review+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
1.8.1 to 1.8.0 diff (plain style)
2.14 KB, patch
Details | Diff | Splinter Review
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a9pre) Gecko/2007092705 Minefield/3.0a9pre ID:2007092705 and latest 1.8 Nightly Crash when http://www.investors.com/newsResearchAnalysis.asp is loaded http://crash-stats.mozilla.com/report/index/c621f76b-6f9a-11dc-b93c-001a4bd43ed6?date=2007-09-30-21 Stack of Crashing Thread frame signature source 0 js_Interpret mozilla/js/src/jsinterp.c:4515 1 js_Execute mozilla/js/src/jsinterp.c:1622 2 JS_EvaluateUCScriptForPrincipals mozilla/js/src/jsapi.c:4878 3 nsJSContext::EvaluateString(nsAString_internal const&, void*, nsIPrincipal*, char const*, unsigned int, unsigned int, nsAString_internal*, int*) mozilla/dom/src/base/nsJSEnvironment.cpp:1389 4 nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&) mozilla/content/base/src/nsScriptLoader.cpp:607 5 nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) mozilla/content/base/src/nsScriptLoader.cpp:521 6 nsScriptLoader::ProcessScriptElement(nsIScriptElement*) mozilla/content/base/src/nsScriptLoader.cpp:486 7 nsScriptElement::MaybeProcessScript() mozilla/content/base/src/nsScriptElement.cpp:188 8 nsHTMLScriptElement::MaybeProcessScript() mozilla/content/html/content/src/nsHTMLScriptElement.cpp:536 9 nsHTMLScriptElement::DoneAddingChildren(int) mozilla/content/html/content/src/nsHTMLScriptElement.cpp:482 10 HTMLContentSink::ProcessSCRIPTEndTag(nsGenericHTMLElement*, int) mozilla/content/html/document/src/nsHTMLContentSink.cpp:3141 11 SinkContext::CloseContainer(nsHTMLTag, int) mozilla/content/html/document/src/nsHTMLContentSink.cpp:1008 12 HTMLContentSink::CloseContainer(nsHTMLTag) mozilla/content/html/document/src/nsHTMLContentSink.cpp:2406 13 CNavDTD::CloseContainer(nsHTMLTag, int) mozilla/parser/htmlparser/src/CNavDTD.cpp:2686 14 CNavDTD::HandleEndToken(CToken*) mozilla/parser/htmlparser/src/CNavDTD.cpp:1590 15 CNavDTD::HandleToken(CToken*, nsIParser*) mozilla/parser/htmlparser/src/CNavDTD.cpp:705 16 CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*) mozilla/parser/htmlparser/src/CNavDTD.cpp:331 17 nsParser::BuildModel() mozilla/parser/htmlparser/src/nsParser.cpp:1717 18 nsParser::ResumeParse(int, int, int) mozilla/parser/htmlparser/src/nsParser.cpp:1594 19 nsParser::ContinueInterruptedParsing() mozilla/parser/htmlparser/src/nsParser.cpp:1118 20 nsContentSink::ContinueInterruptedParsingIfEnabled() mozilla/content/base/src/nsContentSink.cpp:1494 21 nsRunnableMethod<nsContentSink>::Run() nsThreadUtils.h:261 22 nsThread::ProcessNextEvent(int, int*) mozilla/xpcom/threads/nsThread.cpp:490 23 NS_ProcessNextEvent_P(nsIThread*, int) nsThreadUtils.cpp:227 24 nsBaseAppShell::Run() mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:154 25 nsAppStartup::Run() mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170 26 XRE_main mozilla/toolkit/xre/nsAppRunner.cpp:3114 27 main mozilla/browser/app/nsBrowserApp.cpp:153 28 WinMain mozilla/browser/app/nsBrowserApp.cpp:166 29 __tmainCRTStartup crtexe.c:589 30 kernel32.dll@0x27d29
Flags: blocking1.8.1.8?
Flags: blocking-firefox3?
I see this crash on Mac as well - Changing to all and noting that is crashes the latest Bon Echo branch as well.
OS: Windows Server 2003 → All
Hardware: PC → All
I don't think we can block 1.8.1.8 on this since we don't even have the beginnings of a fix. Can you try to save the page locally (complete) and see if the crash is still reproducible? If so then zip that and attach to the bug, just in case the investorsdaily page changes. Reproducible testcases are like gold, don't lose this one.
Flags: blocking1.8.1.8? → wanted1.8.1.x+
Attached file saved webpage (obsolete) —
Attachment #283078 - Attachment is obsolete: true
Attached file smaller testcase (crashes on load) (obsolete) —
I'm not sure whether this is minimal, but reducing the size of the switch statement any further seems to cause the crash to disappear.
Attachment #283079 - Attachment is obsolete: true
I crash with relatively recent trunk and 1.8 branch builds, on Windows.
Assignee: nobody → general
Component: General → JavaScript Engine
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: general → general
Flags: blocking1.9?
Keywords: testcase
I don't crash if I pass arguments to long_switch that don't match a "case" in the switch, or if I remove some of the duplicated statements inside the switches.
Summary: Crash on Load [@ js_Interpret] → Crash with large switch statement [@ js_Interpret]
Regressed when? /be
(In reply to comment #10) > Regressed when? > > /be > I'll look for that later today
sorry, i'm unable to reproduce the crash on either of the 2 pages so i can't get a regressionwindow. I tried with both my daily and a new profile, no crash.
the 3rd testcase crashes on all my builds, all the way back till 20060401
Attached file simplified testcase
I've looked at the disassembly of this testcase and the previous one and here's what happening AFAICS: 1. During compilation, if a JSOP_LOOKUPSWITCH is generated inside a JSOP_LOOKUPSWITCHX more than 32KB after the JSOP_LOOKUPSWITCHX opcode, then SpiderMonkey will erronously emit 32-bit offsets for the JSOP_LOOKUPSWITCH! 2. When the interpreter executes this JSOP_LOOKUPSWITCH and finds the match, these 32 bit offsets are looked up with GET_JUMP_OFFSET (the 16-bit version). 3. This leads to len == 0 in jsinterp.c line 4534. 4. len is added to the current PC, which means the same JSOP_LOOKUPSWITCH is executed again, but this time it will pop some random garbage from the stack and use that garbage as its lval. This crashes sooner or later... I could try to locate the bug in the emitter but I don't know this code at all so don't hold your breath; it could take ages. Perhaps this information is enough for one of the regulars to come up with a quick fix.
That analysis was a bit wrong, let's try again. If the switch statement (doesn't matter if it uses lookupswitch or tableswitch) comes more than 32K after the start of the function, then all jump offsets are 0. These 32K code can be anything, it's only important that cg->spanDeps is not null, then js_SetJumpOffset generates 0 offsets.
Attachment #283125 - Attachment is obsolete: true
Attached file another testcase
Switch statements in large functions is quite broken. In this testcase the switch can't be reached but its mere presence causes the emitter to generate the wrong bytecode for the 'if' statement. It should be 'ifeqx 32804', but it is 'ifeq 14' instead. With this trick an attacker could get the engine to execute arbitrary bytecodes so this might be security sensitive?
(In reply to comment #17) > With this trick an attacker could get the engine to execute arbitrary bytecodes > so this might be security sensitive? Yes, this is a security hazard.
Assignee: general → igor
Group: security
Flags: blocking1.8.1.10+
Whiteboard: [sg:critical]
here is a test case for the shell: var N = 6000; // Array(N).join('a.x;') generates (N+1)*(5+1) bytes in bytecode // where 5 comes getargprop and one from pop. var src = 'if (a) {'+Array(N).join('a.x;')+'return "Bug"; }'+ 'return 1; '+ ' switch (a) { case 1: ; case 2: return; }'; var f = Function('a', src); var result = f(false); if (result !== 1) throw "Bogus compilation is detected";
Attached patch fix v1 (obsolete) — Splinter Review
The reason for the bug is that EmitSwitch from jsemit.c calls js_SetJumpOffset on the switch jumps without making sure that span dependencies are added for the jumps. js_SetJumpOffset only adds span dependencies for the already emitted code on the first big jump when cg->spanDeps is null. Thus when cg->spanDeps is not null before the switch (this is exactly the situation that the test case triggers) the code must call AddSpanDep on all the jumps. Without the fix the code will treat 0 recorded at the jump offset as an index into the first span dependency record eventually overwriting it with the relative jumps for the switch.
Attachment #287014 - Flags: review?(brendan)
Attachment #287014 - Flags: approvalM9?
Attachment #287014 - Flags: approval1.9?
(In reply to comment #17) > Created an attachment (id=286699) [details] > another testcase Thanks for the test cases! With them fixing the bug was just a matter of spending time.
Status: NEW → ASSIGNED
Comment on attachment 287014 [details] [diff] [review] fix v1 Can't approve unreviewed patches :(
Attachment #287014 - Flags: approvalM9?
Attachment #287014 - Flags: approval1.9?
Would it be too optimistic to leave the request flags, in the hopes that brendan -will- approve this patch soon? :)
(In reply to comment #23) > Would it be too optimistic to leave the request flags, in the hopes that > brendan -will- approve this patch soon? :) Clearing the flag allows drivers to keep the outstanding request list minimal, which makes it easier to notice new additions and track progress of approval triage.
(In reply to comment #24) > Clearing the flag allows drivers to keep the outstanding request list minimal, > which makes it easier to notice new additions and track progress of approval > triage. So the right thing to do is to set blocking flags for the bug which has already been done.
Comment on attachment 287014 [details] [diff] [review] fix v1 >+AddSwitchSpanDep(JSContext *cx, JSCodeGenerator *cg, jsbytecode *pc) Call this AddSwitchSpanDeps. >+{ >+ JSOp op; >+ jsbytecode *pc2; >+ ptrdiff_t off; >+ jsint low, high; >+ uintN njumps, indexLen; Nutty style consistency rule would favor indexlen (since Len is not a word, it's not Length) here. > /* > * After this point, all control flow involving JSOP_TABLESWITCH > * must set ok and goto out to exit this function. To keep things > * simple, all switchOp cases exit that way. > */ >+ Not sure that blank line is worth it. >+ if (cg->spanDeps) { >+ /* >+ * We already generated at least one big jump so we must >+ * explicitly add span dependencies for the switch jumps. >+ * Called below js_SetJumpOffset can only do it when patching Comma aftert "Called below", could even say "When called below, ..." here. r/a=me. /be
Attachment #287014 - Flags: review?(brendan)
Attachment #287014 - Flags: review+
Attachment #287014 - Flags: approval1.9+
Attached patch fix v2Splinter Review
The previous version of my patch has a bug in AddSwitchSpanDeps where it returns JS_FALSE, not -1, to indicate a failure. In the new version I, besides addressing the nits, use jsbytecode * as a return type for the function to simplify BuildSpanDepTable.
Attachment #287014 - Attachment is obsolete: true
Attachment #287339 - Flags: review?(brendan)
Comment on attachment 287339 [details] [diff] [review] fix v2 Good for M9 if there's time. /be
Attachment #287339 - Flags: review?(brendan)
Attachment #287339 - Flags: review+
Attachment #287339 - Flags: approvalM9?
Attachment #287339 - Flags: approval1.9+
Comment on attachment 287339 [details] [diff] [review] fix v2 a=endgame drivers for M9
Attachment #287339 - Flags: approvalM9? → approvalM9+
I checked in the patch from comment 27 to the CVS trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1194378060&maxdate=1194378091&who=igor%mir2.org
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Flags: in-litmus-
verified fixed 1.9.0 linux|mac|win
Status: RESOLVED → VERIFIED
Do we need a separate patch for the 1.8 branch or does this one apply? If this one works please ask for approval1.8.1.12 on it, or else please create the branch version of this patch.
Whiteboard: [sg:critical] → [sg:critical] need patch for 1.8
Attached patch fix for 1.8.1 v1Splinter Review
This is hand-merge of the trunk fix.
1.8.1 version of the fix required a hand merge as a trunk version uses UINT16_LEN and INDEX_LEN constants that do not exist on 1.8.1 branch.
Comment on attachment 294254 [details] [diff] [review] fix for 1.8.1 v1 r+ is based on triviality of hand-merge.
Attachment #294254 - Flags: review+
Attachment #294254 - Flags: approval1.8.1.12?
Comment on attachment 294254 [details] [diff] [review] fix for 1.8.1 v1 approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #294254 - Flags: approval1.8.1.12? → approval1.8.1.12+
I checked in the patch from comment 35 to MOZILLA_1_8_BRANCH: Checking in jsemit.c; /cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c new revision: 3.128.2.74; previous revision: 3.128.2.73 done
Keywords: fixed1.8.1.12
Whiteboard: [sg:critical] need patch for 1.8 → [sg:critical]
verified fixed 1.8.1 linux/mac/win
Keywords: fixed1.8.1.12verified1.8.1.12
Group: security
distro patch block 1.8.0.15
Flags: blocking1.8.0.15+
Attached patch for 1.8.0Splinter Review
igor, please review if this patch still makes sense on the 1.8.0 branch.
Attachment #308877 - Flags: review?(igor)
(In reply to comment #42) > Created an attachment (id=308877) [details] > for 1.8.0 > > igor, please review if this patch still makes sense on the 1.8.0 branch. Could you attach a plain diff between 1.8.1 and 1.8.0 versions?
Comment on attachment 310208 [details] [diff] [review] diff between 1.8.1 and 1.8.0 version of this patch if that helps i can also post an excerpt of the diffed code section _after_ applying the 1.8.0 patch
Attachment #310208 - Flags: review?(igor)
ok, now i see what you ment by _plain_ diff.
Attachment #310208 - Attachment is obsolete: true
Attachment #310213 - Flags: review?(igor)
Attachment #310208 - Flags: review?(igor)
Attachment #308877 - Flags: review?(igor) → review+
Comment on attachment 310213 [details] [diff] [review] 1.8.1 to 1.8.0 diff (plain style) This is a helper attachment and should not bear any flags.
Attachment #310213 - Flags: review?(igor)
Comment on attachment 308877 [details] [diff] [review] for 1.8.0 a=asac for 1.8.0.15
Attachment #308877 - Flags: approval1.8.0.15+
Committed to the 1.8.0 branch
Keywords: fixed1.8.0.15
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-398085-01.js,v <-- regress-398085-01.js initial revision: 1.1 /cvsroot/mozilla/js/tests/js1_5/Regress/regress-398085-02.js,v <-- regress-398085-02.js initial revision: 1.1
Crash Signature: [@ js_Interpret]
Flags: blocking1.9?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: