Closed Bug 542849 (CVE-2010-0165) Opened 15 years ago Closed 15 years ago

Assertion failure: targetObj == globalObj in TraceRecorder::traverseScopeChain

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
1.9.2 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- .2-fixed
status1.9.1 --- unaffected

People

(Reporter: bc, Assigned: dmandelin)

References

(
URL
)

Details

(Keywords: assertion, regression, verified1.9.2, Whiteboard: [sg:critical])

Attachments

(1 file)

Patch for 1.9.2
1.70 KB, patch
dvander
: review+
beltzner
: approval1.9.2.2+
Details | Diff | Splinter Review 
1. http://www.vanguardia.com.mx/
2. Assertion failure: targetObj == globalObj, at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:12700

1.9.2 win/mac. couldn't reproduce on 1.9.3 mac. sensitive cause the assertion seems scary. saved version of the page didn't assert.

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x44784e "targetObj == globalObj", file=0x4442c0 "/work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp", ln=12700) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsutil.cpp:69
69	    abort();
(gdb) bt
#0  JS_Assert (s=0x44784e "targetObj == globalObj", file=0x4442c0 "/work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp", ln=12700) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsutil.cpp:69
#1  0x003cf13d in TraceRecorder::traverseScopeChain (this=0x18165b00, obj=0x155578e0, obj_ins=0x10a2d60, targetObj=0x155576c0, targetIns=@0xbfffbbb4) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:12700
#2  0x003e0963 in TraceRecorder::callProp (this=0x18165b00, obj=0x155576c0, obj2=0x155576c0, prop=0x1ed03530, id=4547668, vp=@0xbfffbd18, ins=@0xbfffbd14, nr=@0xbfffbd00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:7750
#3  0x003e111c in TraceRecorder::scopeChainProp (this=0x18165b00, obj=0x155576c0, vp=@0xbfffbd18, ins=@0xbfffbd14, nr=@0xbfffbd00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:7691
#4  0x003e11ef in TraceRecorder::name (this=0x18165b00, vp=@0xbfffbd18, ins=@0xbfffbd14, nr=@0xbfffbd00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:11972
#5  0x003e1724 in TraceRecorder::record_JSOP_NAME (this=0x18165b00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:12275
#6  0x003e76bd in TraceRecorder::monitorRecording (cx=0x1e988000, tr=0x18165b00, op=JSOP_NAME) at jsopcode.tbl:180
#7  0x002f5528 in js_Interpret (cx=0x1e988000) at jsops.cpp:79
#8  0x00320cb0 in js_Invoke (cx=0x1e988000, argc=1, vp=0x1ea1a26c, flags=0) at jsinterp.cpp:1368
#9  0x002e5b24 in js_fun_apply (cx=0x1e988000, argc=1, vp=0x1ea1a234) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsfun.cpp:2046
#10 0x0030cde3 in js_Interpret (cx=0x1e988000) at jsops.cpp:2208
#11 0x0031f58b in js_Execute (cx=0x1e988000, chain=0x15099020, script=0x1eba5a00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1601
Assignee: general → dmandelin
I've been bisecting this in spare moments, and I found the problem started here:

changeset:   33410:04ccc3cdaa53
user:        David Anderson <dvander@alliedmods.net>
date:        Sun Dec 20 15:02:56 2009 -0500
summary:     Fix tracer with certain scope chain layouts. 523793. r=mrbkap
Whiteboard: [sg:critical]
another site where this assertion can be seen is www.terra.cl
Attached patch Patch for 1.9.2Splinter Review 
A function that calls eval indirectly isn't heavyweight. If that function calls eval to create a closure, and that closure refers to a variable in the function, then traverseScopeChain as it was didn't see the call object, because it only looks for call objects that belong to heavyweights.

In this case, I think we just want to abort, because it's rare, and it isn't obvious that the scope chain will always have the same length.
Attachment #427845 - Flags: review?(dvander)
Indirect eval is global eval now (ES5). Was it in the 1.9.2 Gecko release? I thought so. Cc'ing mrbkap.

If so, no Call objects should be searched, ever. Aborting is fine but if we can stay on trace and do global eval, even better.

/be
(In reply to comment #5)
> Indirect eval is global eval now (ES5). Was it in the 1.9.2 Gecko release? I
> thought so. Cc'ing mrbkap.

It seems not. I tried the shell test case in TM tip, and it does not crash, but says 'm is not defined', as I would expect with indirect eval.

> If so, no Call objects should be searched, ever. Aborting is fine but if we can
> stay on trace and do global eval, even better.

If I change the test to have a global variable 'm', then we do trace it on trunk. So it looks like we're good.
Attachment #427845 - Flags: review?(dvander) → review+
Comment on attachment 427845 [details] [diff] [review]
Patch for 1.9.2

Requesting approval because of security sensitivity.
Attachment #427845 - Flags: approval1.9.2.2?
Comment on attachment 427845 [details] [diff] [review]
Patch for 1.9.2

a1922=beltzner
Attachment #427845 - Flags: approval1.9.2.2? → approval1.9.2.2+
status1.9.2: --- → .2-fixed
dmandelin, this is FIXED, right?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
I do not see this assert on 1.9.2 post-fix.
Keywords: verified1.9.2
Blocks: 523793
status1.9.1: --- → unaffected
Keywords: regression
Alias: CVE-2010-0165
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: