Closed
Bug 568855
Opened 13 years ago
Closed 13 years ago
Crash [@ nanojit::LIns::opcode] with non-native __proto__
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
| blocking1.9.2 | --- | .7+ |
| status1.9.2 | --- | .7-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: gal)
References
Details
(4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)
Crash Data
Attachments
(2 files)
|
1.03 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
|
1.03 KB,
patch
|
dvander
:
review+
christian
:
approval1.9.2.7+
|
Details | Diff | Splinter Review |
this.__proto__ = Proxy.create({has:function(){return false}});
(function(){
eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()
Triggers one of the following (all in a debug build):
* Crash [@ nanojit::LIns::opcode]
* Crash [@ nanojit::LirWriter::insImmI]
* Assertion failed: 0 (../nanojit/LIR.cpp:996)
* Assertion failure: status == ARECORD_COMPLETED || status == ARECORD_ABORTED || status == ARECORD_ERROR, at ../jstracer.cpp:7139
The proliferation of assertions and crashes may make this annoying for jsfunfuzz.
|
Assignee | |
Updated•13 years ago
|
Summary: Crash [@ nanojit::LIns::opcode] with __proto__ proxy → Crash [@ nanojit::LIns::opcode] with non-native __proto__
|
|
Assignee | |
Comment 1•13 years ago
|
||
This can be triggered via liveconnect as well, and might affect branches.
|
||
Comment 2•13 years ago
|
||
js> this.__proto__ = Proxy.create({has:function(){return false}});
js> (function(){
eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000003a
0x001601f5 in nanojit::CseFilter::insLoad ()
(gdb)
(gdb) bt
#0 0x001601f5 in nanojit::CseFilter::insLoad ()
#1 0x0012cd95 in js::TraceRecorder::traverseScopeChain ()
#2 0x00138575 in js::TraceRecorder::record_JSOP_BINDNAME ()
#3 0x00155618 in js::TraceRecorder::monitorRecording ()
#4 0x0005bc76 in js_Interpret ()
#5 0x000665a0 in js_Execute ()
#6 0x0000f67c in JS_ExecuteScript ()
#7 0x00004cfc in Process ()
#8 0x000090ba in main ()
(gdb) x/i $eip
0x1601f5 <_ZN7nanojit9CseFilter7insLoadENS_7LOpcodeEPNS_4LInsEih+629>: call *0x30(%ecx)
(gdb) x/b $ecx
0xa: Cannot access memory at address 0xaWhiteboard: [sg:critical?] → [ccbr][sg:critical?]
|
|
||
Updated•13 years ago
|
blocking2.0: --- → ?
Keywords: regression
|
|
Assignee | |
Updated•13 years ago
|
Assignee: general → gal
|
|
Assignee | |
Comment 3•13 years ago
|
||
This is not a recent regression. And it affects branches. Keep this closed please.
Keywords: regression
|
||
Updated•13 years ago
|
blocking2.0: ? → final+
|
|
Assignee | |
Comment 4•13 years ago
|
||
Existing bug in js_FindIdentifierBase usage here. It can deep abort. Static analysis would be nice here.
Attachment #448142 -
Flags: review?
|
|
Assignee | |
Updated•13 years ago
|
Attachment #448142 -
Flags: review? → review?(lw)
|
|
Assignee | |
Updated•13 years ago
|
Attachment #448142 -
Flags: review?(lw) → review?(dvander)
|
|
||
Updated•13 years ago
|
Attachment #448142 -
Flags: review?(dvander) → review+
|
||
Updated•13 years ago
|
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:patch]
|
|
||
Updated•13 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: [ccbr][sg:critical?][critsmash:patch] → [ccbr][sg:critical?]
|
||
Updated•13 years ago
|
|
|
||
Comment 5•13 years ago
|
||
(This was checked in to TM) http://hg.mozilla.org/tracemonkey/rev/3e86dbfb0814
Keywords: regression
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
|
|
||
Comment 6•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/3e86dbfb0814
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
||
Updated•13 years ago
|
blocking1.9.2: .5+ → .6+
|
|
Assignee | |
Comment 8•13 years ago
|
||
|
|
Assignee | |
Updated•13 years ago
|
Attachment #455263 -
Flags: review?(dvander)
Attachment #455263 -
Flags: approval1.9.2.7?
|
|
||
Updated•13 years ago
|
Attachment #455263 -
Flags: review?(dvander) → review+
Comment on attachment 455263 [details] [diff] [review] patch for 1.9.2 a=LegNeato for 1.9.2.7. Please land on mozilla-1.9.2 default. Thanks for getting to this!
Attachment #455263 -
Flags: approval1.9.2.7? → approval1.9.2.7+
|
|
Assignee | |
Comment 10•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/fb26dff2f09e
|
||
Comment 11•13 years ago
|
||
This affects 1.9.1 as well, yes?
|
|
Assignee | |
Comment 12•13 years ago
|
||
1.9.1 is not affected. We didn't trace this case back then.
|
|
||
Comment 13•13 years ago
|
||
Thanks for confirming!
blocking1.9.1: .11+ → ---
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Updated•12 years ago
|
Crash Signature: [@ nanojit::LIns::opcode]
|
||
Comment 14•10 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•