Closed Bug 568855 Opened 14 years ago Closed 14 years ago

Crash [@ nanojit::LIns::opcode] with non-native __proto__

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .7+
status1.9.2 --- .7-fixed
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: gal)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(2 files)

this.__proto__ = Proxy.create({has:function(){return false}});
(function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Triggers one of the following (all in a debug build):
* Crash [@ nanojit::LIns::opcode]
* Crash [@ nanojit::LirWriter::insImmI]
* Assertion failed: 0 (../nanojit/LIR.cpp:996)
* Assertion failure: status == ARECORD_COMPLETED || status == ARECORD_ABORTED || status == ARECORD_ERROR, at ../jstracer.cpp:7139

The proliferation of assertions and crashes may make this annoying for jsfunfuzz.
Summary: Crash [@ nanojit::LIns::opcode] with __proto__ proxy → Crash [@ nanojit::LIns::opcode] with non-native __proto__
This can be triggered via liveconnect as well, and might affect branches.
js> this.__proto__ = Proxy.create({has:function(){return false}});
js> (function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000003a
0x001601f5 in nanojit::CseFilter::insLoad ()
(gdb) 
(gdb) bt
#0  0x001601f5 in nanojit::CseFilter::insLoad ()
#1  0x0012cd95 in js::TraceRecorder::traverseScopeChain ()
#2  0x00138575 in js::TraceRecorder::record_JSOP_BINDNAME ()
#3  0x00155618 in js::TraceRecorder::monitorRecording ()
#4  0x0005bc76 in js_Interpret ()
#5  0x000665a0 in js_Execute ()
#6  0x0000f67c in JS_ExecuteScript ()
#7  0x00004cfc in Process ()
#8  0x000090ba in main ()
(gdb) x/i $eip
0x1601f5 <_ZN7nanojit9CseFilter7insLoadENS_7LOpcodeEPNS_4LInsEih+629>:  call   *0x30(%ecx)
(gdb) x/b $ecx
0xa:    Cannot access memory at address 0xa
Whiteboard: [sg:critical?] → [ccbr][sg:critical?]
blocking2.0: --- → ?
Keywords: regression
Assignee: general → gal
This is not a recent regression. And it affects branches. Keep this closed please.
Keywords: regression
blocking2.0: ? → final+
Attached patch patchSplinter Review
Existing bug in js_FindIdentifierBase usage here. It can deep abort. Static analysis would be nice here.
Attachment #448142 - Flags: review?
Attachment #448142 - Flags: review? → review?(lw)
Attachment #448142 - Flags: review?(lw) → review?(dvander)
Attachment #448142 - Flags: review?(dvander) → review+
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:patch]
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: [ccbr][sg:critical?][critsmash:patch] → [ccbr][sg:critical?]
blocking1.9.1: ? → .11+
blocking1.9.2: ? → .5+
(This was checked in to TM)

http://hg.mozilla.org/tracemonkey/rev/3e86dbfb0814
Keywords: regression
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/3e86dbfb0814
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
blocking1.9.2: .5+ → .6+
Any hope for branch patches for this?
Attached patch patch for 1.9.2Splinter Review
Attachment #455263 - Flags: review?(dvander)
Attachment #455263 - Flags: approval1.9.2.7?
Attachment #455263 - Flags: review?(dvander) → review+
Comment on attachment 455263 [details] [diff] [review]
patch for 1.9.2

a=LegNeato for 1.9.2.7. Please land on mozilla-1.9.2 default.

Thanks for getting to this!
Attachment #455263 - Flags: approval1.9.2.7? → approval1.9.2.7+
This affects 1.9.1 as well, yes?
1.9.1 is not affected. We didn't trace this case back then.
Thanks for confirming!
blocking1.9.1: .11+ → ---
Group: core-security
Crash Signature: [@ nanojit::LIns::opcode]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.