
Crash [@ nanojit::LIns::opcode] with non-native __proto__

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: gal)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 .7+, status1.9.2 .7-fixed, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey, crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
this.__proto__ = Proxy.create({has:function(){return false}});
(function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Triggers one of the following (all in a debug build):
* Crash [@ nanojit::LIns::opcode]
* Crash [@ nanojit::LirWriter::insImmI]
* Assertion failed: 0 (../nanojit/LIR.cpp:996)
* Assertion failure: status == ARECORD_COMPLETED || status == ARECORD_ABORTED || status == ARECORD_ERROR, at ../jstracer.cpp:7139

The proliferation of assertions and crashes may make this annoying for jsfunfuzz.
(Assignee)

Updated

7 years ago
Summary: Crash [@ nanojit::LIns::opcode] with __proto__ proxy → Crash [@ nanojit::LIns::opcode] with non-native __proto__
(Assignee)

Comment 1

7 years ago
This can be triggered via liveconnect as well, and might affect branches.
js> this.__proto__ = Proxy.create({has:function(){return false}});
js> (function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000003a
0x001601f5 in nanojit::CseFilter::insLoad ()
(gdb) 
(gdb) bt
#0  0x001601f5 in nanojit::CseFilter::insLoad ()
#1  0x0012cd95 in js::TraceRecorder::traverseScopeChain ()
#2  0x00138575 in js::TraceRecorder::record_JSOP_BINDNAME ()
#3  0x00155618 in js::TraceRecorder::monitorRecording ()
#4  0x0005bc76 in js_Interpret ()
#5  0x000665a0 in js_Execute ()
#6  0x0000f67c in JS_ExecuteScript ()
#7  0x00004cfc in Process ()
#8  0x000090ba in main ()
(gdb) x/i $eip
0x1601f5 <_ZN7nanojit9CseFilter7insLoadENS_7LOpcodeEPNS_4LInsEih+629>:  call   *0x30(%ecx)
(gdb) x/b $ecx
0xa:    Cannot access memory at address 0xa
Whiteboard: [sg:critical?] → [ccbr][sg:critical?]
blocking2.0: --- → ?
Keywords: regression
(Assignee)

Updated

7 years ago
Assignee: general → gal
(Assignee)

Comment 3

7 years ago
This is not a recent regression. And it affects branches. Keep this closed please.
Keywords: regression

Updated

7 years ago
blocking2.0: ? → final+
(Assignee)

Comment 4

7 years ago
Created attachment 448142 [details] [diff] [review]
patch

Existing bug in js_FindIdentifierBase usage here. It can deep abort. Static analysis would be nice here.
Attachment #448142 - Flags: review?
(Assignee)

Updated

7 years ago
Attachment #448142 - Flags: review? → review?(lw)
(Assignee)

Updated

7 years ago
Attachment #448142 - Flags: review?(lw) → review?(dvander)
Attachment #448142 - Flags: review?(dvander) → review+

Updated

7 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:patch]

Updated

7 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: [ccbr][sg:critical?][critsmash:patch] → [ccbr][sg:critical?]
blocking1.9.1: ? → .11+
blocking1.9.2: ? → .5+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
(This was checked in to TM)

http://hg.mozilla.org/tracemonkey/rev/3e86dbfb0814
Keywords: regression
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey

Comment 6

7 years ago
http://hg.mozilla.org/mozilla-central/rev/3e86dbfb0814
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
blocking1.9.2: .5+ → .6+

Comment 7

7 years ago
Any hope for branch patches for this?
(Assignee)

Comment 8

7 years ago
Created attachment 455263 [details] [diff] [review]
patch for 1.9.2
(Assignee)

Updated

7 years ago
Attachment #455263 - Flags: review?(dvander)
Attachment #455263 - Flags: approval1.9.2.7?
Attachment #455263 - Flags: review?(dvander) → review+

Comment 9

7 years ago
Comment on attachment 455263 [details] [diff] [review]
patch for 1.9.2

a=LegNeato for 1.9.2.7. Please land on mozilla-1.9.2 default.

Thanks for getting to this!
Attachment #455263 - Flags: approval1.9.2.7? → approval1.9.2.7+
(Assignee)

Comment 10

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/fb26dff2f09e

Comment 11

7 years ago
This affects 1.9.1 as well, yes?

Updated

7 years ago
status1.9.2: wanted → .7-fixed
(Assignee)

Comment 12

7 years ago
1.9.1 is not affected. We didn't trace this case back then.

Comment 13

7 years ago
Thanks for confirming!

Updated

7 years ago
blocking1.9.1: .11+ → ---
status1.9.1: wanted → unaffected
Group: core-security
Crash Signature: [@ nanojit::LIns::opcode]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+