Bug 542849 (CVE-2010-0165)

Assertion failure: targetObj == globalObj in TraceRecorder::traverseScopeChain

RESOLVED FIXED

Status


Core
JavaScript Engine
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: bc, Assigned: dmandelin)

Tracking

(Blocks: 1 bug, {assertion, regression, verified1.9.2})

1.9.2 Branch
x86
All
assertion, regression, verified1.9.2
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(status1.9.2 .2-fixed, status1.9.1 unaffected)

Details

(Whiteboard: [sg:critical], URL)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
1. http://www.vanguardia.com.mx/
2. Assertion failure: targetObj == globalObj, at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:12700

1.9.2 win/mac. Couldn't reproduce on 1.9.3 mac. Sensitive because the assertion seems scary. Saved version of the page didn't assert.

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x44784e "targetObj == globalObj", file=0x4442c0 "/work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp", ln=12700) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsutil.cpp:69
69	    abort();
(gdb) bt
#0  JS_Assert (s=0x44784e "targetObj == globalObj", file=0x4442c0 "/work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp", ln=12700) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsutil.cpp:69
#1  0x003cf13d in TraceRecorder::traverseScopeChain (this=0x18165b00, obj=0x155578e0, obj_ins=0x10a2d60, targetObj=0x155576c0, targetIns=@0xbfffbbb4) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:12700
#2  0x003e0963 in TraceRecorder::callProp (this=0x18165b00, obj=0x155576c0, obj2=0x155576c0, prop=0x1ed03530, id=4547668, vp=@0xbfffbd18, ins=@0xbfffbd14, nr=@0xbfffbd00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:7750
#3  0x003e111c in TraceRecorder::scopeChainProp (this=0x18165b00, obj=0x155576c0, vp=@0xbfffbd18, ins=@0xbfffbd14, nr=@0xbfffbd00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:7691
#4  0x003e11ef in TraceRecorder::name (this=0x18165b00, vp=@0xbfffbd18, ins=@0xbfffbd14, nr=@0xbfffbd00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:11972
#5  0x003e1724 in TraceRecorder::record_JSOP_NAME (this=0x18165b00) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstracer.cpp:12275
#6  0x003e76bd in TraceRecorder::monitorRecording (cx=0x1e988000, tr=0x18165b00, op=JSOP_NAME) at jsopcode.tbl:180
#7  0x002f5528 in js_Interpret (cx=0x1e988000) at jsops.cpp:79
#8  0x00320cb0 in js_Invoke (cx=0x1e988000, argc=1, vp=0x1ea1a26c, flags=0) at jsinterp.cpp:1368
#9  0x002e5b24 in js_fun_apply (cx=0x1e988000, argc=1, vp=0x1ea1a234) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsfun.cpp:2046
#10 0x0030cde3 in js_Interpret (cx=0x1e988000) at jsops.cpp:2208
#11 0x0031f58b in js_Execute (cx=0x1e988000, chain=0x15099020, script=0x1eba5a00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1601
(Assignee)

Updated

7 years ago
Assignee: general → dmandelin
(Reporter)

Comment 1

7 years ago
Also http://noticias.terra.com.br/
(Assignee)

Comment 2

7 years ago
I've been bisecting this in spare moments, and I found the problem started here:

changeset:   33410:04ccc3cdaa53
user:        David Anderson <dvander@alliedmods.net>
date:        Sun Dec 20 15:02:56 2009 -0500
summary:     Fix tracer with certain scope chain layouts. 523793. r=mrbkap
Whiteboard: [sg:critical]
Another site where this assertion can be seen is www.terra.cl
(Assignee)

Comment 4

7 years ago
Created attachment 427845 [details] [diff] [review]
Patch for 1.9.2

A function that calls eval indirectly isn't heavyweight. If that function calls eval to create a closure, and that closure refers to a variable in the function, then traverseScopeChain as it was didn't see the call object, because it only looks for call objects that belong to heavyweights.

In this case, I think we just want to abort, because it's rare, and it isn't obvious that the scope chain will always have the same length.
Attachment #427845 - Flags: review?(dvander)
Indirect eval is global eval now (ES5). Was it in the 1.9.2 Gecko release? I thought so. Cc'ing mrbkap.

If so, no Call objects should be searched, ever. Aborting is fine but if we can stay on trace and do global eval, even better.

/be
(Assignee)

Comment 6

7 years ago
(In reply to comment #5)
> Indirect eval is global eval now (ES5). Was it in the 1.9.2 Gecko release? I
> thought so. Cc'ing mrbkap.

It seems not. I tried the shell test case in TM tip, and it does not crash, but says 'm is not defined', as I would expect with indirect eval.

> If so, no Call objects should be searched, ever. Aborting is fine but if we can
> stay on trace and do global eval, even better.

If I change the test to have a global variable 'm', then we do trace it on trunk. So it looks like we're good.
Attachment #427845 - Flags: review?(dvander) → review+
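The scope-chain layout described in comment 4 and the shell test case discussed in comment 6, as an added JavaScript example that is not from the bug or from SpiderMonkey's sources; the function names and the values 41 and 100 are constructed for illustration. It shows the ES5 behaviour comment 6 observes: a direct eval sees the caller's local `m`, an indirect eval runs in global scope and fails with a ReferenceError unless a global `m` exists.

```javascript
// Added example (not code from the bug or from SpiderMonkey): a function that
// only reaches eval through an alias is the "indirect eval" case of comment 4.
// Under ES5 that eval runs in global scope, so a closure it creates cannot see
// the enclosing function's local 'm'; it resolves 'm' on the global object.
const indirectEval = eval; // calling through this alias is an indirect eval

// Direct eval: the closure captures the enclosing function's own scope.
function makeClosureViaDirectEval() {
  var m = 41; // constructed value
  var f = eval('(function () { return m + 1; })');
  return f();
}

// Indirect eval: the local 'm' is invisible to the evaluated code.
function makeClosureViaIndirectEval() {
  var m = 41; // present, but never consulted by the indirect eval
  var f = indirectEval('(function () { return m + 1; })');
  return f();
}

// The shell test case as comment 6 describes it: no global 'm', so the
// closure built by the indirect eval throws "m is not defined".
function indirectEvalWithoutGlobal() {
  delete globalThis.m;
  try {
    makeClosureViaIndirectEval();
    return 'resolved';
  } catch (e) {
    return e instanceof ReferenceError ? 'ReferenceError' : 'other';
  }
}

// The variant from comment 6: with a global 'm' defined, the indirect eval
// resolves it on the global object instead of the caller's Call object.
function indirectEvalWithGlobal() {
  globalThis.m = 100; // constructed value
  try {
    return makeClosureViaIndirectEval();
  } finally {
    delete globalThis.m;
  }
}
```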
(Assignee)

Comment 7

7 years ago
Comment on attachment 427845 [details] [diff] [review]
Patch for 1.9.2

Requesting approval because of security sensitivity.
Attachment #427845 - Flags: approval1.9.2.2?
Comment on attachment 427845 [details] [diff] [review]
Patch for 1.9.2

a1922=beltzner
Attachment #427845 - Flags: approval1.9.2.2? → approval1.9.2.2+
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/71de40148a40

Updated

7 years ago
status1.9.2: --- → .2-fixed

Comment 10

7 years ago
dmandelin, this is FIXED, right?
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
I do not see this assert on 1.9.2 post-fix.
Keywords: verified1.9.2
Blocks: 523793
status1.9.1: --- → unaffected
Keywords: regression
Alias: CVE-2010-0165
Group: core-security