TM: Crash [@ 0x000fdecb]

VERIFIED FIXED in mozilla1.9.1b4





(Reporter: gkw, Assigned: gal)


(Blocks: 1 bug, 4 keywords)

crash, regression, testcase, verified1.9.1
Bug Flags:
blocking1.9.1 +
wanted1.9.0.x -
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:critical?] fixed-in-tracemonkey, crash signature)


(2 attachments)

Created attachment 369885 [details]
Mac crash log and WinXP !exploitable output

(function(){{__proto__.prop = this} __proto__= null})()
for each (let x in [function(){}, []]) { x.valueOf() }

crash both debug and opt js shells with -j only, in both Mac Leopard and WinXP. Turning security-sensitive and nominating blocking1.9.1? because it crashes at a scary memory address.

autoBisect shows bug 463238 or may be related:

The first bad revision is:
changeset:   26344:1c6be1c210b9
user:        Andreas Gal
date:        Fri Mar 20 18:52:11 2009 -0700
summary:     Support calling arbitrary JSFastNatives from trace (463238, r=brendan).
Flags: blocking1.9.1?


10 years ago
Assignee: general → gal
Flags: blocking1.9.1? → blocking1.9.1+


10 years ago
Priority: -- → P1

Comment 1

10 years ago
Confirmed with TM tip.
Target Milestone: --- → mozilla1.9.1b4

Comment 2

10 years ago
#0  0x0025bebd in ?? ()
#1  0x00000000 in ?? ()
(gdb) x/i $pc
0x25bebd:	mov    (%eax),%edx
(gdb) x/20i $pc
0x25bebd:	mov    (%eax),%edx
0x25bebf:	mov    0x4(%edx),%eax
0x25bec2:	mov    0x10(%eax),%eax
0x25bec5:	cmp    $0xa545e,%eax
0x25beca:	mov    -0xc(%ebp),%eax
0x25becd:	jne    0x2a1f55
0x25bed3:	mov    0x10(%edx),%edx
0x25bed6:	cmp    $0x82,%edx
0x25bedc:	jne    0x2a1f64
0x25bee2:	mov    0x8(%eax),%eax
0x25bee5:	test   %eax,%eax
0x25bee7:	je     0x2a1f73
0x25beed:	mov    (%eax),%eax
0x25beef:	mov    0x4(%eax),%edx
0x25bef2:	mov    (%edx),%edx
0x25bef4:	cmp    $0xa2d44,%edx
0x25befa:	jne    0x2a1f82
0x25bf00:	mov    0x10(%eax),%eax
0x25bf03:	cmp    $0xa3,%eax
0x25bf08:	jne    0x2a1f91
0x25bf0e:	mov    %ecx,0x20(%ebx)
0x25bf11:	movl   $0x296230,0x18(%ebx)
0x25bf18:	lea    -0x10(%ebp),%eax
0x25bf1b:	movl   $0x296230,-0x10(%ebp)
0x25bf22:	mov    %ecx,-0xc(%ebp)
0x25bf25:	movl   $0x25a318,0x1e0(%esi)
0x25bf2f:	sub    $0x4,%esp
0x25bf32:	push   %eax
0x25bf33:	push   $0x0
0x25bf35:	push   %esi
0x25bf36:	call   0xa9726 <_ZL11obj_valueOfP9JSContextjPl>
0x25bf3b:	add    $0x10,%esp
0x25bf3e:	movl   $0x0,0x1e0(%esi)
0x25bf48:	mov    0x1e4(%esi),%edx
0x25bf4e:	mov    -0x10(%ebp),%ecx
0x25bf51:	mov    %ecx,0x18(%ebx)
0x25bf54:	and    $0x1,%eax
0x25bf57:	xor    $0x1,%eax
0x25bf5a:	shl    $0x1,%eax
0x25bf5d:	or     %eax,%edx
(gdb) p $eax
$1 = 0

Comment 3

10 years ago
Slightly clearer example that still crashes:

__proto__.prop = this;
__proto__ = null;
for each (let x in [function(){}, []]) { x.valueOf() }

Comment 4

10 years ago
    ld2 = ld $stack2[8]
    ld3 = ld ld2[NULL]
    ops = ld ld3[4]
    ld4 = ld ops[16]
    guard(native-map) = eq ld4, OP(&js_ObjectOps)
    xf2: xf guard(native-map) -> pc=0x30dbe2 imacpc=0x0 sp+32 rp+0
              mov eax,8(ecx)                  ecx($stack2) ebx(sp) esi(cx) edi(state)
              mov -12(ebp),eax                eax(ld2) ecx($stack2) ebx(sp) esi(cx) edi(state)
              mov edx,0(eax)                  eax(ld2) ecx($stack2) ebx(sp) esi(cx) edi(state)

              *** we die here ***

              mov eax,4(edx)                  ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              mov eax,16(eax)                 eax(ops) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              cmp eax,676958                  eax(ld4) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              mov eax,-12(ebp)                ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              jne 0x2a1f55                    eax(ld2) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)

Comment 5

10 years ago
TraceRecorder::test_property_cache(JSObject* obj, LIns* obj_ins, JSObject*& obj2, jsuword& pcval)
    jsbytecode* pc = cx->fp->regs->pc;

    // Mimic the interpreter's special case for dense arrays by skipping up one
    // hop along the proto chain when accessing a named (not indexed) property,
    // typically to find Array.prototype methods.
    JSObject* aobj = obj;
    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
        aobj = OBJ_GET_PROTO(cx, obj);
        obj_ins = stobj_get_fslot(obj_ins, JSSLOT_PROTO);

We are compiling with obj == dense array and emit this code, but we don't guard that obj will be a dense array at runtime. The access then fails subsequently when we run through the code with a non-dense array.
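A constructed C model of the record-time/run-time mismatch described in this comment, added here and not part of the bug's patch or of SpiderMonkey: a trace recorded while obj is a dense array emits an unconditional proto hop, and without a guard the same trace later runs on a non-dense object. The crash is modelled as the hop landing on a NULL proto (the testcase sets __proto__ = null, and comment 2 shows the faulting load with eax == 0); Obj, Trace, record_property_access, run_trace and demo are all assumptions of the model, not real engine names.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed toy model of the bug in comment 5; not SpiderMonkey code. An
 * object has a proto link and a dense-array flag; a trace is the op list the
 * recorder emitted while specializing on the object it saw at record time. */
typedef struct Obj {
    bool is_dense_array;
    struct Obj *proto;
    int named_prop;                /* the named property being looked up */
} Obj;

enum Op { OP_GUARD_DENSE, OP_HOP_TO_PROTO, OP_LOAD_PROP, OP_END };
typedef struct { enum Op ops[4]; } Trace;

/* Record time: mirror the dense-array special case in test_property_cache.
 * 'guard' selects the fixed behaviour (emit a guard before the proto hop). */
Trace record_property_access(const Obj *obj, bool guard) {
    Trace t; int n = 0;
    if (obj->is_dense_array) {
        if (guard) t.ops[n++] = OP_GUARD_DENSE;   /* the guard the bug lacked */
        t.ops[n++] = OP_HOP_TO_PROTO;
    }
    t.ops[n++] = OP_LOAD_PROP;
    t.ops[n] = OP_END;
    return t;
}

/* Run time: execute the recorded trace on a possibly different object.
 * 1 = property loaded into *out, 0 = guard side-exit to the interpreter,
 * -1 = hopped to a NULL proto (the real JIT code simply crashes there). */
int run_trace(const Trace *t, const Obj *obj, int *out) {
    const Obj *cur = obj;
    for (int i = 0; t->ops[i] != OP_END; i++) {
        if (t->ops[i] == OP_GUARD_DENSE && !cur->is_dense_array) return 0;
        if (t->ops[i] == OP_HOP_TO_PROTO && (cur = cur->proto) == NULL) return -1;
        if (t->ops[i] == OP_LOAD_PROP) { *out = cur->named_prop; return 1; }
    }
    return -1;
}
/* Record on a dense array, then run on the same array or on a function object
 * whose __proto__ was set to null as in the testcase; returns run_trace's code. */
int demo(bool guard, bool run_on_array) {
    Obj array_proto = { false, NULL, 42 };        /* Array.prototype stand-in */
    Obj arr = { true, &array_proto, 0 };
    Obj fn = { false, NULL, 7 };                  /* non-dense, proto == NULL */
    Trace t = record_property_access(&arr, guard);
    int v = 0;
    return run_trace(&t, run_on_array ? &arr : &fn, &v);
}
```

demo(false, false) reproduces the unguarded case from this comment, and demo(true, false) shows the guard side-exiting instead.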

Comment 6

10 years ago
Created attachment 370104 [details] [diff] [review]
Attachment #370104 - Flags: review?(brendan)


10 years ago
Attachment #370104 - Flags: review?(brendan) → review+

Comment 7

10 years ago
Whiteboard: fixed-in-tracemonkey

Comment 8

10 years ago
Assuming this sticks, please remove security flag once this has been merged into m-c.

Comment 9

10 years ago
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Group: core-security
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Whiteboard: fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey

Comment 11

9 years ago
Flags: in-testsuite? → in-testsuite+

Comment 12

9 years ago
v 1.9.1, 1.9.2
Keywords: fixed1.9.1 → verified1.9.1

Comment 13

9 years ago
cvsroot/mozilla/js/tests/js1_8_1/trace/trace-test.js,v  <--  trace-test.js
new revision: 1.14; previous revision: 1.13

/cvsroot/mozilla/js/tests/shell.js,v  <--  shell.js
Crash Signature: [@ 0x000fdecb]