Bug 575486 - Crash [@ JSObject::getPrivate] or [@ js_SuppressDeletedProperty]
Opened 15 years ago, closed 14 years ago
Component: Core :: JavaScript Engine (defect)
Status: RESOLVED FIXED
Tracking flags: blocking2.0: betaN+
Reporter: gkw, Assignee: gal
Keywords: crash, regression, testcase; Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey
Attachments (1 file): patch, 884 bytes, mrbkap: review+
(function() {
for (l in evalcx('')) {}
})()
gc()
delete uneval;
crashes js debug shell on TM tip without -j at JSObject::getPrivate and crashes js opt shell on TM tip without -j at js_SuppressDeletedProperty
Probably a null deref but this involves gc so setting s-s and assuming [sg:critical?].
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 44269:3aaaa21012c8
user: Jason Orendorff
date: Wed Jun 23 16:35:10 2010 -0500
summary: Bug 563099 - Compartments and wrappers API. r=gal.
Debug stack:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadadc
0x0011b33c in JSObject::getPrivate (this=0x1002640) at jsobj.h:401
401 JS_ASSERT(getClass()->flags & JSCLASS_HAS_PRIVATE);
(gdb) bt
#0 0x0011b33c in JSObject::getPrivate (this=0x1002640) at jsobj.h:401
#1 0x00153481 in JSObject::getNativeIterator (this=0x1002640) at jsobjinlines.h:416
#2 0x000b1978 in js_SuppressDeletedProperty (cx=0x809200, obj=0x1002000, id=16780084) at ../jsiter.cpp:724
#3 0x000c4885 in js_DeleteProperty (cx=0x809200, obj=0x1002000, id=16780084, rval=0x5000e0) at ../jsobj.cpp:5302
#4 0x0000caeb in JSObject::deleteProperty (this=0x1002000, cx=0x809200, id=16780084, rval=0x5000e0) at jsobj.h:676
#5 0x00095b3e in js_Interpret (cx=0x809200) at jsops.cpp:1138
#6 0x000ae867 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40c640, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#7 0x00016af9 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40c640, rval=0x0) at ../jsapi.cpp:4751
#8 0x0000a266 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff8ae "w32-reduced.js", forceTTY=0) at ../../shell/js.cpp:429
#9 0x0000af99 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff7bc, argc=1) at ../../shell/js.cpp:843
#10 0x0000b0b2 in shell (cx=0x809200, argc=1, argv=0xbffff7bc, envp=0xbffff7c4) at ../../shell/js.cpp:5024
#11 0x0000b1d6 in main (argc=1, argv=0xbffff7bc, envp=0xbffff7c4) at ../../shell/js.cpp:5111
Opt stack:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00067d99 in js_SuppressDeletedProperty ()
(gdb) bt
#0 0x00067d99 in js_SuppressDeletedProperty ()
#1 0x00077e89 in js_DeleteProperty ()
#2 0x00059cb4 in js_Interpret ()
#3 0x000664f6 in js_Execute ()
#4 0x00012f28 in JS_ExecuteScript ()
#5 0x00004b46 in Process ()
#6 0x00008096 in shell ()
#7 0x000085a7 in main ()
(gdb) x/i $eip
0x67d99 <js_SuppressDeletedProperty+89>: mov (%edx),%ecx
(gdb) x/b $edx
0x0: Cannot access memory at address 0x0
Updated•15 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Updated•15 years ago
Assignee: general → gal
Updated•15 years ago
OS: Mac OS X → All
Hardware: x86 → All
Comment 1•15 years ago
A gc-ed object in the cx->enumerators list. That's really bad.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x0000000100124afd in JSObject::getPrivate (this=0x101402c80) at jsobj.h:401
401 JS_ASSERT(getClass()->flags & JSCLASS_HAS_PRIVATE);
(gdb) bt
#0 0x0000000100124afd in JSObject::getPrivate (this=0x101402c80) at jsobj.h:401
#1 0x000000010015e60b in JSObject::getNativeIterator (this=0x101402c80) at jsobjinlines.h:416
#2 0x00000001000b6366 in js_SuppressDeletedProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836) at ../jsiter.cpp:724
#3 0x00000001000c8d46 in js_DeleteProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836, rval=0x1010001c0) at ../jsobj.cpp:5302
#4 0x000000010000b06e in JSObject::deleteProperty (this=0x101402000, cx=0x1004123f0, id=4315956836, rval=0x1010001c0) at jsobj.h:676
#5 0x0000000100098974 in js_Interpret (cx=0x1004123f0) at jsops.cpp:1138
#6 0x00000001000b30ed in js_Execute (cx=0x1004123f0, chain=0x101402000, script=0x1004151d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#7 0x0000000100015787 in JS_ExecuteScript (cx=0x1004123f0, obj=0x101402000, script=0x1004151d0, rval=0x0) at ../jsapi.cpp:4751
#8 0x0000000100008a40 in Process (cx=0x1004123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#9 0x000000010000967b in ProcessArgs (cx=0x1004123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#10 0x0000000100009763 in shell (cx=0x1004123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5031
#11 0x000000010000985f in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5118
(gdb) p getClass()
$1 = (JSClass *) 0xdadadadadadadad8
(gdb) up
#1 0x000000010015e60b in JSObject::getNativeIterator (this=0x101402c80) at jsobjinlines.h:416
416 return (NativeIterator *) getPrivate();
(gdb) up
#2 0x00000001000b6366 in js_SuppressDeletedProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836) at ../jsiter.cpp:724
724 NativeIterator *ni = iterobj->getNativeIterator();
(gdb) p *iterobj
$2 = {
map = 0x101402cc0,
classword = 15770157678700714714,
proto = 0xdadadadadadadada,
fslots = {-2676586395008836902, -2676586395008836902, -2676586395008836902, -2676586395008836902},
dslots = 0xdadadadadadadada,
static JSSLOT_PRIMITIVE_THIS = 1,
static JSSLOT_ARRAY_LENGTH = 1,
static JSSLOT_DENSE_ARRAY_COUNT = 2,
static JSSLOT_DENSE_ARRAY_MINLENCAP = 3,
static DENSE_ARRAY_FIXED_RESERVED_SLOTS = 3,
static JSSLOT_ARGS_LENGTH = 2,
static JSSLOT_ARGS_CALLEE = 3,
static ARGS_FIXED_RESERVED_SLOTS = 2,
static JSSLOT_DATE_UTC_TIME = 1,
static JSSLOT_DATE_LOCAL_TIME = 2,
static DATE_FIXED_RESERVED_SLOTS = 2,
static JSSLOT_REGEXP_LAST_INDEX = 2,
static REGEXP_FIXED_RESERVED_SLOTS = 1,
static JSSLOT_NAME_PREFIX = 1,
static JSSLOT_NAME_URI = 2,
static JSSLOT_NAMESPACE_DECLARED = 3,
static JSSLOT_QNAME_LOCAL_NAME = 3,
static NAMESPACE_FIXED_RESERVED_SLOTS = 3,
static QNAME_FIXED_RESERVED_SLOTS = 3
}
(gdb) up
#3 0x00000001000c8d46 in js_DeleteProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836, rval=0x1010001c0) at ../jsobj.cpp:5302
5302 return ok && js_SuppressDeletedProperty(cx, obj, id);
(gdb) l
5297 GC_POKE(cx, obj->lockedGetSlot(sprop->slot));
5298
5299 ok = scope->removeProperty(cx, id);
5300 JS_UNLOCK_OBJ(cx, obj);
5301
5302 return ok && js_SuppressDeletedProperty(cx, obj, id);
5303 }
5304
5305 JSBool
5306 js_DefaultValue(JSContext *cx, JSObject *obj, JSType hint, jsval *vp)
(gdb) p *obj
$3 = {
map = 0x1004137a0,
classword = 4297530209,
proto = 0x101402040,
fslots = {0, 0, 22, 4315951776},
dslots = 0x1008a3a08,
static JSSLOT_PRIMITIVE_THIS = 1,
static JSSLOT_ARRAY_LENGTH = 1,
static JSSLOT_DENSE_ARRAY_COUNT = 2,
static JSSLOT_DENSE_ARRAY_MINLENCAP = 3,
static DENSE_ARRAY_FIXED_RESERVED_SLOTS = 3,
static JSSLOT_ARGS_LENGTH = 2,
static JSSLOT_ARGS_CALLEE = 3,
static ARGS_FIXED_RESERVED_SLOTS = 2,
static JSSLOT_DATE_UTC_TIME = 1,
static JSSLOT_DATE_LOCAL_TIME = 2,
static DATE_FIXED_RESERVED_SLOTS = 2,
static JSSLOT_REGEXP_LAST_INDEX = 2,
static REGEXP_FIXED_RESERVED_SLOTS = 1,
static JSSLOT_NAME_PREFIX = 1,
static JSSLOT_NAME_URI = 2,
static JSSLOT_NAMESPACE_DECLARED = 3,
static JSSLOT_QNAME_LOCAL_NAME = 3,
static NAMESPACE_FIXED_RESERVED_SLOTS = 3,
static QNAME_FIXED_RESERVED_SLOTS = 3
}
(gdb) down
#2 0x00000001000b6366 in js_SuppressDeletedProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836) at ../jsiter.cpp:724
724 NativeIterator *ni = iterobj->getNativeIterator();
(gdb) l
719 js_SuppressDeletedProperty(JSContext *cx, JSObject *obj, jsid id)
720 {
721 JSObject *iterobj = cx->enumerators;
722 while (iterobj) {
723 again:
724 NativeIterator *ni = iterobj->getNativeIterator();
725 if (ni->obj == obj && ni->props_cursor < ni->props_end) {
726 /* Check whether id is still to come. */
727 jsid *props_cursor = ni->props_cursor;
728 jsid *props_end = ni->props_end;
(gdb) p cx->enumerators
$4 = (JSObject *) 0x101402c80
(gdb) p *cx->enumerators
$5 = {
map = 0x101402cc0,
classword = 15770157678700714714,
proto = 0xdadadadadadadada,
fslots = {-2676586395008836902, -2676586395008836902, -2676586395008836902, -2676586395008836902},
dslots = 0xdadadadadadadada,
static JSSLOT_PRIMITIVE_THIS = 1,
static JSSLOT_ARRAY_LENGTH = 1,
static JSSLOT_DENSE_ARRAY_COUNT = 2,
static JSSLOT_DENSE_ARRAY_MINLENCAP = 3,
static DENSE_ARRAY_FIXED_RESERVED_SLOTS = 3,
static JSSLOT_ARGS_LENGTH = 2,
static JSSLOT_ARGS_CALLEE = 3,
static ARGS_FIXED_RESERVED_SLOTS = 2,
static JSSLOT_DATE_UTC_TIME = 1,
static JSSLOT_DATE_LOCAL_TIME = 2,
static DATE_FIXED_RESERVED_SLOTS = 2,
static JSSLOT_REGEXP_LAST_INDEX = 2,
static REGEXP_FIXED_RESERVED_SLOTS = 1,
static JSSLOT_NAME_PREFIX = 1,
static JSSLOT_NAME_URI = 2,
static JSSLOT_NAMESPACE_DECLARED = 3,
static JSSLOT_QNAME_LOCAL_NAME = 3,
static NAMESPACE_FIXED_RESERVED_SLOTS = 3,
static QNAME_FIXED_RESERVED_SLOTS = 3
}
(gdb)
Updated•15 years ago
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]
Comment 2•15 years ago
This is a recent addition. It's not in any product we shipped.
Updated•15 years ago
blocking2.0: --- → ?
Comment 3•15 years ago
Very recent bug. My re-ify code makes a 2nd iterator which registers itself but doesn't get closed properly.
(gdb) bt
#0 RegisterEnumerator (cx=0x1004123f0, iterobj=0x101402c80, ni=0x10041a4c0) at ../jsiter.cpp:431
#1 0x00000001000b8699 in GetIterator (cx=0x1004123f0, obj=0x1014021c0, flags=1, vp=0x101000260) at ../jsiter.cpp:540
#2 0x000000010015c335 in JSWrapper::iterate (this=0x100280c70, cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jswrapper.cpp:172
#3 0x000000010015c402 in JSCrossCompartmentWrapper::iterate (this=0x100280c70, cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jswrapper.cpp:627
#4 0x000000010010ad4e in js::JSProxy::iterate (cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jsproxy.cpp:794
#5 0x00000001000b84da in GetIterator (cx=0x1004123f0, obj=0x101402c40, flags=1, vp=0x101000260) at ../jsiter.cpp:514
#6 0x00000001000b88db in js_ValueToIterator (cx=0x1004123f0, flags=1, vp=0x101000260) at ../jsiter.cpp:661
#7 0x000000010008ea8c in js_Interpret (cx=0x1004123f0) at jsops.cpp:460
#8 0x00000001000b30ed in js_Execute (cx=0x1004123f0, chain=0x101402000, script=0x1004151d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#9 0x0000000100015787 in JS_ExecuteScript (cx=0x1004123f0, obj=0x101402000, script=0x1004151d0, rval=0x0) at ../jsapi.cpp:4751
#10 0x0000000100008a40 in Process (cx=0x1004123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#11 0x000000010000967b in ProcessArgs (cx=0x1004123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#12 0x0000000100009763 in shell (cx=0x1004123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5031
#13 0x000000010000985f in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5118
(gdb) c
Continuing.
Hardware watchpoint 3: *(JSObject **) 4299237248
Old value = (JSObject *) 0x101402c80
New value = (JSObject *) 0x101402cc0
RegisterEnumerator (cx=0x1004123f0, iterobj=0x101402cc0, ni=0x10041a510) at ../jsiter.cpp:431
431 }
(gdb) bt
#0 RegisterEnumerator (cx=0x1004123f0, iterobj=0x101402cc0, ni=0x10041a510) at ../jsiter.cpp:431
#1 0x00000001000b7927 in IdVectorToIterator (cx=0x1004123f0, obj=0x101402c40, flags=1, props=@0x7fff5fbfe6f0, vp=0x101000260) at ../jsiter.cpp:458
#2 0x000000010015bd2a in Reify (cx=0x1004123f0, origin=0x1004135b0, vp=0x101000260) at ../jswrapper.cpp:621
#3 0x000000010015c493 in JSCrossCompartmentWrapper::iterate (this=0x100280c70, cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jswrapper.cpp:627
#4 0x000000010010ad4e in js::JSProxy::iterate (cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jsproxy.cpp:794
#5 0x00000001000b84da in GetIterator (cx=0x1004123f0, obj=0x101402c40, flags=1, vp=0x101000260) at ../jsiter.cpp:514
#6 0x00000001000b88db in js_ValueToIterator (cx=0x1004123f0, flags=1, vp=0x101000260) at ../jsiter.cpp:661
#7 0x000000010008ea8c in js_Interpret (cx=0x1004123f0) at jsops.cpp:460
#8 0x00000001000b30ed in js_Execute (cx=0x1004123f0, chain=0x101402000, script=0x1004151d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#9 0x0000000100015787 in JS_ExecuteScript (cx=0x1004123f0, obj=0x101402000, script=0x1004151d0, rval=0x0) at ../jsapi.cpp:4751
#10 0x0000000100008a40 in Process (cx=0x1004123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#11 0x000000010000967b in ProcessArgs (cx=0x1004123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#12 0x0000000100009763 in shell (cx=0x1004123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5031
#13 0x000000010000985f in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5118
(gdb)
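An added illustration, not code from this bug or from SpiderMonkey, of the failure comment 3 describes: a toy model of the cx->enumerators list in which one of two registered iterators is never closed, is then freed by the GC, and is still visited by the walk that js_SuppressDeletedProperty performs. The struct layout, the collected flag and the counting walk are assumptions of the model; the 0xda poison pattern is the one visible in the gdb dumps above.

```c
#include <stdbool.h>
#include <string.h>

/* Assumed toy model, not SpiderMonkey's code: cx->enumerators is a singly
 * linked list of live iterator objects that js_SuppressDeletedProperty walks. */
typedef struct Iter {
    void *obj;           /* object being enumerated (ni->obj on the page) */
    struct Iter *next;   /* link in cx->enumerators */
    bool collected;      /* model flag: the GC has freed this iterator */
} Iter;
typedef struct { Iter *enumerators; } Context;

/* RegisterEnumerator: push the iterator onto the list. */
static void register_enumerator(Context *cx, Iter *it) {
    it->next = cx->enumerators;
    cx->enumerators = it;
}

/* Closing an iterator unlinks it; the bug is a path where this never runs. */
static void close_enumerator(Context *cx, Iter *it) {
    Iter **p = &cx->enumerators;
    while (*p && *p != it) p = &(*p)->next;
    if (*p) *p = it->next;
}

/* GC model: poison the freed iterator with the 0xda fill seen in the gdb
 * dumps above; the list link is left intact so the walk stays observable. */
static void gc_collect(Iter *it) {
    memset(&it->obj, 0xda, sizeof it->obj);
    it->collected = true;
}

/* Walk like js_SuppressDeletedProperty and count entries the GC already freed. */
static int count_dangling_enumerators(const Context *cx) {
    int n = 0;
    for (const Iter *it = cx->enumerators; it; it = it->next) n += it->collected;
    return n;
}

/* Comment 3's scenario: two iterators registered for one loop, one never closed. */
static int scenario(bool close_both) {
    Context cx = { NULL };
    Iter inner = { 0 }, reified = { 0 };
    int target;                              /* stands in for the evalcx global */
    inner.obj = reified.obj = &target;
    register_enumerator(&cx, &inner);
    register_enumerator(&cx, &reified);
    close_enumerator(&cx, &reified);         /* loop ends */
    if (close_both) close_enumerator(&cx, &inner);  /* the missing step */
    gc_collect(&inner);                      /* gc() in the testcase */
    return count_dangling_enumerators(&cx);  /* delete uneval; walks the list */
}
```

count_dangling_enumerators stands in for the debug-build assertion such a list can carry: with the close step skipped the walk finds one freed iterator, with it present none.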
Comment 4•15 years ago
Easy fix. Kudos to the fuzzer team.
Attachment #454940 - Flags: review?(mrbkap)
Updated•15 years ago
Attachment #454940 - Flags: review?(mrbkap) → review+
Comment 5•15 years ago
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical], fixed-in-tracemonkey
Comment 6•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
blocking2.0: ? → betaN+
Updated•14 years ago
Crash Signature: [@ JSObject::getPrivate] [@ js_SuppressDeletedProperty]
Updated•10 years ago
Group: core-security