Closed Bug 457521 Opened 11 years ago Closed 11 years ago

Crash [@ js_DecompileValueGenerator]

Categories: Core :: JavaScript Engine, defect, critical (x86, macOS)
Status: VERIFIED FIXED
People: Reporter: gkw, Assigned: igor
References: Blocks 1 open bug
Details: 6 keywords; Whiteboard: [sg:critical?] post 1.8-branch
Attachments: 4 files, 1 obsolete file

Attached file crash log
this.__defineSetter__("x", [,,,].map)
this.watch("x", (new Function("var y, eval")))
x = true

Crashes at 0x00000000fffffffc in the opt shell and asserts in the debug shell on Mac 10.5.5. This occurs for both trunk and tracemonkey shells.

Console output for tracemonkey shell:

$ ./js-dbg-tm-intelmac 
js> this.__defineSetter__("x", [,,,].map)
js> this.watch("x", (new Function("var y, eval")))
js> x = true
Assertion failure: (size_t) (regs->sp - stackBase) <= StackDepth(script), at jsopcode.cpp:4988
Trace/BPT trap

$ ./js-opt-tm-intelmac 
js> this.__defineSetter__("x", [,,,].map)
js> this.watch("x", (new Function("var y, eval")))
js> x = true
Segmentation fault

===

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000fffffffc
Crashed Thread:  0

Thread 0 Crashed:
0   js-opt-tm-intelmac            	0x00059139 js_DecompileValueGenerator + 229
1   js-opt-tm-intelmac            	0x0001353f js_ReportValueErrorFlags + 55
2   js-opt-tm-intelmac            	0x0002cfca js_ReportIsNotFunction + 350
3   js-opt-tm-intelmac            	0x0002d06b js_ValueToFunction + 143
4   js-opt-tm-intelmac            	0x0002d0d6 js_ValueToFunctionObject + 84

Nominating security sensitive due to scary address of 0x00000000fffffffc.
Flags: blocking1.9.1?
Related to bug 421623?
Flags: blocking1.9.1? → blocking1.9.1+
Whiteboard: [sg:critical?]
Assignee: general → igor
This is my fault - the changes for bug 420399 removed the detection of watch pseudo-frames.
Blocks: 420399
Attached patch fix v1 (obsolete) — Splinter Review
The patch adds a check for a NULL fp->regs->sp; this is exactly what happens with watch pseudo-frames.
Attachment #348766 - Flags: review?(crowder)
The bug exists on the 1.9.0 branch or later.
Flags: blocking1.9.0.6?
Attachment #348766 - Flags: review?(crowder) → review+
Attachment #348766 - Flags: approval1.9.1b2?
Comment on attachment 348766 [details] [diff] [review]
fix v1

Asking for b2 approval to increase test coverage for the security fix as it should go to 1.9.0 branch as well.
Comment on attachment 348766 [details] [diff] [review]
fix v1

The patch applies to 1.9.0 as-is so asking for approval for 1.9.0.6.
Attachment #348766 - Flags: approval1.9.0.6?
Attachment #348766 - Flags: approval1.9.1b2?
Attachment #348766 - Flags: approval1.9.1b2-
Attachment #348766 - Flags: approval1.9.1?
Comment on attachment 348766 [details] [diff] [review]
fix v1

1.9.0.6 is a ways away, so we can wait until after we branch - trying to close things down and limit risk on the b2 stuff right now.
Attached patch updated fix - Splinter Review
The trunk changes required a trivial merge of the patch.
Attachment #348766 - Attachment is obsolete: true
Attachment #350153 - Flags: review+
Attachment #348766 - Flags: approval1.9.1?
Attachment #348766 - Flags: approval1.9.0.6?
Landed - http://hg.mozilla.org/mozilla-central/rev/bb54a5700bca
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Flags: in-litmus-
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6?
Flags: blocking1.9.0.6+
Verified mozilla-central but not tracemonkey.
Status: RESOLVED → VERIFIED
Igor, can you work up a 1.9.0 patch if the one in this bug doesn't apply?
Whiteboard: [sg:critical?] → [sg:critical?][needs 1.9.0 patch]
Strange -- the patch never landed on 1.9.0.x, but my testing shows that it no longer seems to be affected. Did any other patch on 1.9.0.x fix this issue as well?

==============

pre-patch:

$ ./js
js> this.__defineSetter__("x", [,,,].map)
js> this.watch("x", (new Function("var y, eval")))
js> x = true
typein:2: TypeError: (void 0) is not a function
js> 

$ cat ../jsopcode.c | grep -B 5 -C 5 "if (\!fp || \!fp->regs"
              spindex == JSDVG_IGNORE_STACK ||
              spindex == JSDVG_SEARCH_STACK);

    for (fp = cx->fp; fp && !fp->script; fp = fp->down)
        continue;
    if (!fp || !fp->regs)
        goto do_fallback;

    script = fp->script;
    regs = fp->regs;
    pc = regs->pc;

==============

post-patch (I de-bitrotted Igor's patch):

$ ./js
js> this.__defineSetter__("x", [,,,].map)
js> this.watch("x", (new Function("var y, eval")))
js> x = true
typein:2: TypeError: (void 0) is not a function
js> 

$ cat ../jsopcode.c | grep -B 5 -C 5 "if (\!fp || \!fp->regs"
              spindex == JSDVG_IGNORE_STACK ||
              spindex == JSDVG_SEARCH_STACK);

    for (fp = cx->fp; fp && !fp->script; fp = fp->down)
        continue;
    if (!fp || !fp->regs || !fp->regs->sp)
        goto do_fallback;

    script = fp->script;
    regs = fp->regs;
    pc = regs->pc;
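To make the failure mode in Igor's comment and the pre/post grep output above concrete, here is a constructed C model (added here, not SpiderMonkey's own code) of the frame walk: the struct definitions, the frame chain and the helper names are all hypothetical stand-ins, with a watch pseudo-frame that carries a script and regs but a NULL regs->sp sitting on top of a normal script frame.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed, simplified stand-ins for the SpiderMonkey frame structures
 * (hypothetical; not the real jsinterp.h definitions). */
typedef struct { int unused; } JSScript;
typedef struct { const unsigned char *pc; int *sp; } JSFrameRegs;
typedef struct JSStackFrame {
    JSScript *script;            /* NULL for native (non-script) frames */
    JSFrameRegs *regs;           /* NULL when the frame is not executing */
    struct JSStackFrame *down;   /* caller's frame */
} JSStackFrame;

/* Mirrors the decompiler's frame search: skip non-script frames, then decide
 * whether fp->regs->sp may be used. check_sp == false is the pre-patch test,
 * check_sp == true is the patched test. Returns false for the do_fallback path. */
static bool pick_decompile_frame(JSStackFrame *fp, bool check_sp, JSStackFrame **chosen)
{
    for (; fp && !fp->script; fp = fp->down)
        continue;
    if (!fp || !fp->regs || (check_sp && !fp->regs->sp))
        return false;
    *chosen = fp;
    return true;
}

/* Constructed frame chain shaped like the crash: a real script frame with a
 * valid sp underneath a watch pseudo-frame whose regs->sp is NULL. */
static int frame_stack[4];
static JSScript script_a, script_b;
static JSFrameRegs real_regs   = { NULL, frame_stack + 2 };
static JSFrameRegs pseudo_regs = { NULL, NULL };
static JSStackFrame real_frame   = { &script_a, &real_regs, NULL };
static JSStackFrame pseudo_frame = { &script_b, &pseudo_regs, &real_frame };

/* Pre-patch: the pseudo-frame passes the check, so its NULL sp reaches the
 * (regs->sp - stackBase) arithmetic. Returns 1 when that would happen. */
int prepatch_uses_null_sp(void)
{
    JSStackFrame *fp = NULL;
    return pick_decompile_frame(&pseudo_frame, false, &fp) && fp->regs->sp == NULL;
}

/* Post-patch: the same chain takes the fallback path instead. */
int postpatch_falls_back(void)
{
    JSStackFrame *fp = NULL;
    return !pick_decompile_frame(&pseudo_frame, true, &fp);
}

/* A frame with a valid regs->sp is still decompiled from after the patch. */
int postpatch_keeps_real_frame(void)
{
    JSStackFrame *fp = NULL;
    return pick_decompile_frame(&real_frame, true, &fp) && fp == &real_frame;
}
```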
The testcase never failed for me on 1.9.0.
(In reply to comment #14)
> the testcase never failed for me on 1.9.0.

(In reply to comment #4)
> The bug exists on the 1.9.0 branch or later.

Igor seems to have thought otherwise in comment #4?
I didn't say the bug didn't exist on 1.9.0. Only that the test never failed on 1.9.0.
(In reply to comment #16)
> I didn't say the bug didn't exist on 1.9.0. Only that the test never failed on
> 1.9.0.

Ah, thanks, bc. Sorry for my misinterpretation.
Flags: blocking1.9.0.6+ → blocking1.9.0.7?
Flags: blocking1.9.0.7? → blocking1.9.0.7+
Keywords: regression
v 1.9.1, 1.9.2
This is the 1.9.1 patch with jsopcode.cpp renamed to jsopcode.c.
Attachment #358400 - Flags: review+
Attachment #358400 - Flags: approval1.9.0.7?
Comment on attachment 358400 [details] [diff] [review]
fix for 1.9.0 branch

Approved for 1.9.0.7, a=dveditz for release-drivers.
Attachment #358400 - Flags: approval1.9.0.7? → approval1.9.0.7+
Whiteboard: [sg:critical?][needs 1.9.0 patch] → [sg:critical?]
Whiteboard: [sg:critical?] → [sg:critical?] [needs 1.9.0 checkin]
Keywords: checkin-needed
CVS HEAD:

Checking in js/src/jsopcode.c;
/cvsroot/mozilla/js/src/jsopcode.c,v  <--  jsopcode.c
new revision: 3.320; previous revision: 3.319
done
Whiteboard: [sg:critical?] [needs 1.9.0 checkin] → [sg:critical?]
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
The unit test doesn't exist for 1.9.0 and the test case doesn't seem to fail. Is there any way to validate that this is truly fixed (or was broken in a way that affected anything) for 1.9.0.7?
Group: core-security
http://hg.mozilla.org/tracemonkey/rev/00c50dfb0e92
/cvsroot/mozilla/js/tests/js1_6/extensions/regress-457521.js,v  <--  regress-457521.js
initial revision: 1.1
Crash Signature: [@ js_DecompileValueGenerator]