Closed Bug 575486 Opened 10 years ago Closed 10 years ago

Crash [@ JSObject::getPrivate] or [@ js_SuppressDeletedProperty]

Categories: Core :: JavaScript Engine, defect, critical
Status: RESOLVED FIXED
Tracking Status: blocking2.0 --- betaN+
People: Reporter: gkw, Assigned: gal
Keywords: crash, regression, testcase
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey
Attachments: 1 file

(function() {
  // for-in over a cross-compartment wrapper registers two iterator objects in
  // cx->enumerators (JSWrapper::iterate, then Reify); one is never closed
  for (l in evalcx('')) {}
})()
gc()            // collects the iterator that is still linked into cx->enumerators
delete uneval;  // js_SuppressDeletedProperty walks the list into the freed object

This crashes the js debug shell on TM tip without -j at JSObject::getPrivate, and the js opt shell on TM tip without -j at js_SuppressDeletedProperty.

Probably a null deref but this involves gc so setting s-s and assuming [sg:critical?].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   44269:3aaaa21012c8
user:        Jason Orendorff
date:        Wed Jun 23 16:35:10 2010 -0500
summary:     Bug 563099 - Compartments and wrappers API. r=gal.

Debug stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadadc
0x0011b33c in JSObject::getPrivate (this=0x1002640) at jsobj.h:401
401             JS_ASSERT(getClass()->flags & JSCLASS_HAS_PRIVATE);
(gdb) bt
#0  0x0011b33c in JSObject::getPrivate (this=0x1002640) at jsobj.h:401
#1  0x00153481 in JSObject::getNativeIterator (this=0x1002640) at jsobjinlines.h:416
#2  0x000b1978 in js_SuppressDeletedProperty (cx=0x809200, obj=0x1002000, id=16780084) at ../jsiter.cpp:724
#3  0x000c4885 in js_DeleteProperty (cx=0x809200, obj=0x1002000, id=16780084, rval=0x5000e0) at ../jsobj.cpp:5302
#4  0x0000caeb in JSObject::deleteProperty (this=0x1002000, cx=0x809200, id=16780084, rval=0x5000e0) at jsobj.h:676
#5  0x00095b3e in js_Interpret (cx=0x809200) at jsops.cpp:1138
#6  0x000ae867 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40c640, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#7  0x00016af9 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40c640, rval=0x0) at ../jsapi.cpp:4751
#8  0x0000a266 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff8ae "w32-reduced.js", forceTTY=0) at ../../shell/js.cpp:429
#9  0x0000af99 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff7bc, argc=1) at ../../shell/js.cpp:843
#10 0x0000b0b2 in shell (cx=0x809200, argc=1, argv=0xbffff7bc, envp=0xbffff7c4) at ../../shell/js.cpp:5024
#11 0x0000b1d6 in main (argc=1, argv=0xbffff7bc, envp=0xbffff7c4) at ../../shell/js.cpp:5111

Opt stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00067d99 in js_SuppressDeletedProperty ()
(gdb) bt
#0  0x00067d99 in js_SuppressDeletedProperty ()
#1  0x00077e89 in js_DeleteProperty ()
#2  0x00059cb4 in js_Interpret ()
#3  0x000664f6 in js_Execute ()
#4  0x00012f28 in JS_ExecuteScript ()
#5  0x00004b46 in Process ()
#6  0x00008096 in shell ()
#7  0x000085a7 in main ()
(gdb) x/i $eip
0x67d99 <js_SuppressDeletedProperty+89>:        mov    (%edx),%ecx
(gdb) x/b $edx
0x0:    Cannot access memory at address 0x0
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Assignee: general → gal
OS: Mac OS X → All
Hardware: x86 → All
A gc-ed object in the cx->enumerators list. That's really bad.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x0000000100124afd in JSObject::getPrivate (this=0x101402c80) at jsobj.h:401
401	        JS_ASSERT(getClass()->flags & JSCLASS_HAS_PRIVATE);
(gdb) bt
#0  0x0000000100124afd in JSObject::getPrivate (this=0x101402c80) at jsobj.h:401
#1  0x000000010015e60b in JSObject::getNativeIterator (this=0x101402c80) at jsobjinlines.h:416
#2  0x00000001000b6366 in js_SuppressDeletedProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836) at ../jsiter.cpp:724
#3  0x00000001000c8d46 in js_DeleteProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836, rval=0x1010001c0) at ../jsobj.cpp:5302
#4  0x000000010000b06e in JSObject::deleteProperty (this=0x101402000, cx=0x1004123f0, id=4315956836, rval=0x1010001c0) at jsobj.h:676
#5  0x0000000100098974 in js_Interpret (cx=0x1004123f0) at jsops.cpp:1138
#6  0x00000001000b30ed in js_Execute (cx=0x1004123f0, chain=0x101402000, script=0x1004151d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#7  0x0000000100015787 in JS_ExecuteScript (cx=0x1004123f0, obj=0x101402000, script=0x1004151d0, rval=0x0) at ../jsapi.cpp:4751
#8  0x0000000100008a40 in Process (cx=0x1004123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#9  0x000000010000967b in ProcessArgs (cx=0x1004123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#10 0x0000000100009763 in shell (cx=0x1004123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5031
#11 0x000000010000985f in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5118
(gdb) p getClass()
$1 = (JSClass *) 0xdadadadadadadad8
(gdb) up
#1  0x000000010015e60b in JSObject::getNativeIterator (this=0x101402c80) at jsobjinlines.h:416
416	    return (NativeIterator *) getPrivate();
(gdb) up
#2  0x00000001000b6366 in js_SuppressDeletedProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836) at ../jsiter.cpp:724
724	        NativeIterator *ni = iterobj->getNativeIterator();
(gdb) p *iterobj
$2 = {
  map = 0x101402cc0, 
  classword = 15770157678700714714, 
  proto = 0xdadadadadadadada, 
  fslots = {-2676586395008836902, -2676586395008836902, -2676586395008836902, -2676586395008836902}, 
  dslots = 0xdadadadadadadada, 
  static JSSLOT_PRIMITIVE_THIS = 1, 
  static JSSLOT_ARRAY_LENGTH = 1, 
  static JSSLOT_DENSE_ARRAY_COUNT = 2, 
  static JSSLOT_DENSE_ARRAY_MINLENCAP = 3, 
  static DENSE_ARRAY_FIXED_RESERVED_SLOTS = 3, 
  static JSSLOT_ARGS_LENGTH = 2, 
  static JSSLOT_ARGS_CALLEE = 3, 
  static ARGS_FIXED_RESERVED_SLOTS = 2, 
  static JSSLOT_DATE_UTC_TIME = 1, 
  static JSSLOT_DATE_LOCAL_TIME = 2, 
  static DATE_FIXED_RESERVED_SLOTS = 2, 
  static JSSLOT_REGEXP_LAST_INDEX = 2, 
  static REGEXP_FIXED_RESERVED_SLOTS = 1, 
  static JSSLOT_NAME_PREFIX = 1, 
  static JSSLOT_NAME_URI = 2, 
  static JSSLOT_NAMESPACE_DECLARED = 3, 
  static JSSLOT_QNAME_LOCAL_NAME = 3, 
  static NAMESPACE_FIXED_RESERVED_SLOTS = 3, 
  static QNAME_FIXED_RESERVED_SLOTS = 3
}
(gdb) up
#3  0x00000001000c8d46 in js_DeleteProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836, rval=0x1010001c0) at ../jsobj.cpp:5302
5302	    return ok && js_SuppressDeletedProperty(cx, obj, id);
(gdb) l
5297	        GC_POKE(cx, obj->lockedGetSlot(sprop->slot));
5298	
5299	    ok = scope->removeProperty(cx, id);
5300	    JS_UNLOCK_OBJ(cx, obj);
5301	
5302	    return ok && js_SuppressDeletedProperty(cx, obj, id);
5303	}
5304	
5305	JSBool
5306	js_DefaultValue(JSContext *cx, JSObject *obj, JSType hint, jsval *vp)
(gdb) p *obj
$3 = {
  map = 0x1004137a0, 
  classword = 4297530209, 
  proto = 0x101402040, 
  fslots = {0, 0, 22, 4315951776}, 
  dslots = 0x1008a3a08, 
  static JSSLOT_PRIMITIVE_THIS = 1, 
  static JSSLOT_ARRAY_LENGTH = 1, 
  static JSSLOT_DENSE_ARRAY_COUNT = 2, 
  static JSSLOT_DENSE_ARRAY_MINLENCAP = 3, 
  static DENSE_ARRAY_FIXED_RESERVED_SLOTS = 3, 
  static JSSLOT_ARGS_LENGTH = 2, 
  static JSSLOT_ARGS_CALLEE = 3, 
  static ARGS_FIXED_RESERVED_SLOTS = 2, 
  static JSSLOT_DATE_UTC_TIME = 1, 
  static JSSLOT_DATE_LOCAL_TIME = 2, 
  static DATE_FIXED_RESERVED_SLOTS = 2, 
  static JSSLOT_REGEXP_LAST_INDEX = 2, 
  static REGEXP_FIXED_RESERVED_SLOTS = 1, 
  static JSSLOT_NAME_PREFIX = 1, 
  static JSSLOT_NAME_URI = 2, 
  static JSSLOT_NAMESPACE_DECLARED = 3, 
  static JSSLOT_QNAME_LOCAL_NAME = 3, 
  static NAMESPACE_FIXED_RESERVED_SLOTS = 3, 
  static QNAME_FIXED_RESERVED_SLOTS = 3
}
(gdb) down
#2  0x00000001000b6366 in js_SuppressDeletedProperty (cx=0x1004123f0, obj=0x101402000, id=4315956836) at ../jsiter.cpp:724
724	        NativeIterator *ni = iterobj->getNativeIterator();
(gdb) l
719	js_SuppressDeletedProperty(JSContext *cx, JSObject *obj, jsid id)
720	{
721	    JSObject *iterobj = cx->enumerators;
722	    while (iterobj) {
723	      again:
724	        NativeIterator *ni = iterobj->getNativeIterator();
725	        if (ni->obj == obj && ni->props_cursor < ni->props_end) {
726	            /* Check whether id is still to come. */
727	            jsid *props_cursor = ni->props_cursor;
728	            jsid *props_end = ni->props_end;
(gdb) p cx->enumerators
$4 = (JSObject *) 0x101402c80
(gdb) p *cx->enumerators
$5 = {
  map = 0x101402cc0, 
  classword = 15770157678700714714, 
  proto = 0xdadadadadadadada, 
  fslots = {-2676586395008836902, -2676586395008836902, -2676586395008836902, -2676586395008836902}, 
  dslots = 0xdadadadadadadada, 
  static JSSLOT_PRIMITIVE_THIS = 1, 
  static JSSLOT_ARRAY_LENGTH = 1, 
  static JSSLOT_DENSE_ARRAY_COUNT = 2, 
  static JSSLOT_DENSE_ARRAY_MINLENCAP = 3, 
  static DENSE_ARRAY_FIXED_RESERVED_SLOTS = 3, 
  static JSSLOT_ARGS_LENGTH = 2, 
  static JSSLOT_ARGS_CALLEE = 3, 
  static ARGS_FIXED_RESERVED_SLOTS = 2, 
  static JSSLOT_DATE_UTC_TIME = 1, 
  static JSSLOT_DATE_LOCAL_TIME = 2, 
  static DATE_FIXED_RESERVED_SLOTS = 2, 
  static JSSLOT_REGEXP_LAST_INDEX = 2, 
  static REGEXP_FIXED_RESERVED_SLOTS = 1, 
  static JSSLOT_NAME_PREFIX = 1, 
  static JSSLOT_NAME_URI = 2, 
  static JSSLOT_NAMESPACE_DECLARED = 3, 
  static JSSLOT_QNAME_LOCAL_NAME = 3, 
  static NAMESPACE_FIXED_RESERVED_SLOTS = 3, 
  static QNAME_FIXED_RESERVED_SLOTS = 3
}
(gdb)
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]
This is a recent addition. It's not in any product we shipped.
blocking2.0: --- → ?
Very recent bug. My re-ify code makes a 2nd iterator which registers itself but doesn't get closed properly.

(gdb) bt
#0  RegisterEnumerator (cx=0x1004123f0, iterobj=0x101402c80, ni=0x10041a4c0) at ../jsiter.cpp:431
#1  0x00000001000b8699 in GetIterator (cx=0x1004123f0, obj=0x1014021c0, flags=1, vp=0x101000260) at ../jsiter.cpp:540
#2  0x000000010015c335 in JSWrapper::iterate (this=0x100280c70, cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jswrapper.cpp:172
#3  0x000000010015c402 in JSCrossCompartmentWrapper::iterate (this=0x100280c70, cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jswrapper.cpp:627
#4  0x000000010010ad4e in js::JSProxy::iterate (cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jsproxy.cpp:794
#5  0x00000001000b84da in GetIterator (cx=0x1004123f0, obj=0x101402c40, flags=1, vp=0x101000260) at ../jsiter.cpp:514
#6  0x00000001000b88db in js_ValueToIterator (cx=0x1004123f0, flags=1, vp=0x101000260) at ../jsiter.cpp:661
#7  0x000000010008ea8c in js_Interpret (cx=0x1004123f0) at jsops.cpp:460
#8  0x00000001000b30ed in js_Execute (cx=0x1004123f0, chain=0x101402000, script=0x1004151d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#9  0x0000000100015787 in JS_ExecuteScript (cx=0x1004123f0, obj=0x101402000, script=0x1004151d0, rval=0x0) at ../jsapi.cpp:4751
#10 0x0000000100008a40 in Process (cx=0x1004123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#11 0x000000010000967b in ProcessArgs (cx=0x1004123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#12 0x0000000100009763 in shell (cx=0x1004123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5031
#13 0x000000010000985f in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5118
(gdb) c
Continuing.
Hardware watchpoint 3: *(JSObject **) 4299237248

Old value = (JSObject *) 0x101402c80
New value = (JSObject *) 0x101402cc0
RegisterEnumerator (cx=0x1004123f0, iterobj=0x101402cc0, ni=0x10041a510) at ../jsiter.cpp:431
431	}
(gdb) bt
#0  RegisterEnumerator (cx=0x1004123f0, iterobj=0x101402cc0, ni=0x10041a510) at ../jsiter.cpp:431
#1  0x00000001000b7927 in IdVectorToIterator (cx=0x1004123f0, obj=0x101402c40, flags=1, props=@0x7fff5fbfe6f0, vp=0x101000260) at ../jsiter.cpp:458
#2  0x000000010015bd2a in Reify (cx=0x1004123f0, origin=0x1004135b0, vp=0x101000260) at ../jswrapper.cpp:621
#3  0x000000010015c493 in JSCrossCompartmentWrapper::iterate (this=0x100280c70, cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jswrapper.cpp:627
#4  0x000000010010ad4e in js::JSProxy::iterate (cx=0x1004123f0, proxy=0x101402c40, flags=1, vp=0x101000260) at ../jsproxy.cpp:794
#5  0x00000001000b84da in GetIterator (cx=0x1004123f0, obj=0x101402c40, flags=1, vp=0x101000260) at ../jsiter.cpp:514
#6  0x00000001000b88db in js_ValueToIterator (cx=0x1004123f0, flags=1, vp=0x101000260) at ../jsiter.cpp:661
#7  0x000000010008ea8c in js_Interpret (cx=0x1004123f0) at jsops.cpp:460
#8  0x00000001000b30ed in js_Execute (cx=0x1004123f0, chain=0x101402000, script=0x1004151d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#9  0x0000000100015787 in JS_ExecuteScript (cx=0x1004123f0, obj=0x101402000, script=0x1004151d0, rval=0x0) at ../jsapi.cpp:4751
#10 0x0000000100008a40 in Process (cx=0x1004123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#11 0x000000010000967b in ProcessArgs (cx=0x1004123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#12 0x0000000100009763 in shell (cx=0x1004123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5031
#13 0x000000010000985f in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5118
(gdb)
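Gal's diagnosis above, modelled as a list-invariant check (added example, not SpiderMonkey code: the structs, register_enumerator, close_iterator, gc_sweep and scenario are constructed, and it assumes the wrapper-side iterator is the one left registered). It shows the condition the GC could have asserted on at sweep time, before js_SuppressDeletedProperty walked cx->enumerators into a freed object.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of cx->enumerators (not engine code): RegisterEnumerator
 * links every new iterator in, and closing must unlink it, or a collected
 * iterator stays reachable from the list that js_SuppressDeletedProperty walks. */
typedef struct Iter {
    struct Iter *next;   /* next registered enumerator */
    bool reachable;      /* still referenced by script or the stack */
    bool collected;      /* swept by the GC: any later deref is a use-after-free */
} Iter;

typedef struct Context { Iter *enumerators; } Context;

static void register_enumerator(Context *cx, Iter *it) {
    it->next = cx->enumerators;
    cx->enumerators = it;
}

/* Close path: unlink the iterator before it can die. */
static void close_iterator(Context *cx, Iter *it) {
    Iter **pp = &cx->enumerators;
    while (*pp && *pp != it) pp = &(*pp)->next;
    if (*pp) *pp = it->next;
    it->next = NULL;
}

/* Modelled sweep. Returns how many collected objects are still linked into
 * cx->enumerators; a non-zero count is the invariant violation behind this
 * crash and is what a debug build could assert on at GC time. */
static int gc_sweep(Context *cx, Iter **heap, int nheap) {
    for (int i = 0; i < nheap; i++)
        if (!heap[i]->reachable) heap[i]->collected = true;
    int dangling = 0;
    for (Iter *it = cx->enumerators; it; it = it->next)
        dangling += it->collected;
    return dangling;
}

/* Replay of the testcase: JSWrapper::iterate registers one iterator and Reify
 * a second; script only sees and closes the second unless close_first is set. */
static int scenario(bool close_first) {
    Context cx = { NULL };
    Iter wrapper_iter = { NULL, false, false }, reified_iter = { NULL, false, false };
    Iter *heap[2] = { &wrapper_iter, &reified_iter };
    register_enumerator(&cx, &wrapper_iter);
    register_enumerator(&cx, &reified_iter);
    if (close_first) close_iterator(&cx, &wrapper_iter);
    close_iterator(&cx, &reified_iter);  /* the for-in loop finishes */
    return gc_sweep(&cx, heap, 2);       /* gc() in the testcase */
}
```

scenario(false) reproduces the bug (one dangling registration); scenario(true) is the behaviour the fix restores.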
Attached patch: patch
Easy fix. Kudos to the fuzzer team.
Attachment #454940 - Flags: review?(mrbkap)
Attachment #454940 - Flags: review?(mrbkap) → review+
http://hg.mozilla.org/tracemonkey/rev/03f3c7efaa5e
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical], fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/03f3c7efaa5e
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
Crash Signature: [@ JSObject::getPrivate] [@ js_SuppressDeletedProperty]
Group: core-security