Closed Bug 584578 Opened 14 years ago Closed 14 years ago

"Assertion failure: watchpoint access check failed" with proxy, watch

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: jorendorff)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

patch
822 bytes, patch
jorendorff
: review-
Details | Diff | Splinter Review 
TM branch, debug shell, no JITs.

var x = Proxy.create( {get:function(r,name){return {}[name]}} );
x.watch('e', function(){});

Assertion failure: watchpoint access check failed, at ../jsobj.cpp:1328

This assertion was added in rev c5e31473b1a6 (bug 583850).  Since it's a security-related assertion, and I don't know whether it affects older versions, I'm filing it as security-sensitive.
Assignee: general → gal
Blocks: harmony:proxies
blocking2.0: --- → betaN+
Whiteboard: [sg:critical]
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
#0  0x0000000100167795 in JS_Assert (s=0x10020b4c0 "watchpoint access check failed", file=0x10020a11b "../jsobj.cpp", ln=1326) at ../jsutil.cpp:80
#1  0x00000001000d83b8 in obj_watch (cx=0x1005126b0, argc=2, vp=0x1010001b8) at ../jsobj.cpp:1326
#2  0x00000001000a5ba0 in js::Interpret (cx=0x1005126b0) at ../jsinterp.cpp:4709
#3  0x00000001000b97a3 in js::Execute (cx=0x1005126b0, chain=0x101503000, script=0x100514680, down=0x0, flags=0, result=0x0) at jsinterp.cpp:907
#4  0x00000001000160df in JS_ExecuteScript (cx=0x1005126b0, obj=0x101503000, script=0x100514680, rval=0x0) at ../jsapi.cpp:4730
#5  0x000000010000a3e5 in Process (cx=0x1005126b0, obj=0x101503000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:440
#6  0x000000010000b01b in ProcessArgs (cx=0x1005126b0, obj=0x101503000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:854
#7  0x000000010000b103 in shell (cx=0x1005126b0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5047
#8  0x000000010000b1ff in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5134
(gdb)
This is a bogus assert. CheckAccess can fail (the proxy handler throws a regular exception here). We can't intercept proxies here, because the failure could also come from the proto chain. I think this can already fail in other cases too.
Group: core-security
Severity: critical → minor
Whiteboard: [sg:critical][critsmash:investigating]
Attached patch patchSplinter Review 

    
  

        Attachment #464722 -
        Flags: review?(jorendorff)

    
    

    
  
Comment on attachment 464722 [details] [diff] [review]
patch

>diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
>--- a/js/src/jsobj.cpp
>+++ b/js/src/jsobj.cpp
>@@ -1320,20 +1320,18 @@ obj_watch(JSContext *cx, uintN argc, Val
> 
>     JSObject *obj = ComputeThisFromVp(cx, vp);
>     if (!obj)
>         return false;
> 
>     /* Legacy security check. This can't fail. See bug 583850. */
>     Value tmp;
>     uintN attrs;
>-    if (!CheckAccess(cx, obj, propid, JSACC_WATCH, &tmp, &attrs)) {
>-        JS_NOT_REACHED("watchpoint access check failed");
>+    if (!CheckAccess(cx, obj, propid, JSACC_WATCH, &tmp, &attrs))
>         return false;
>-    }
> 
>     vp->setUndefined();
> 
>     if (attrs & JSPROP_READONLY)
>         return true;
>     if (obj->isDenseArray() && !obj->makeDenseArraySlow(cx))
>         return false;
>     return JS_SetWatchPoint(cx, obj, propid, obj_watch_handler, callable);

        Attachment #464722 -
        Attachment is private: false

    
    

    
  
(In reply to comment #2)
> This is a bogus assert. CheckAccess can fail (the proxy handler throws a
> regular exception here). We can't intercept proxies here, because the failure
> could also come from the proto chain.

OK, but doesn't this basically mean the whole patch in bug 583850 should be backed out and we should try again later with a different approach?

    
    

    
  
Comment on attachment 464722 [details] [diff] [review]
patch

Actually I think this is the wrong kind of fix -- let me give it a shot real quick.

        Attachment #464722 -
        Flags: review?(jorendorff) → review-

    
    

    
  
Sure, sounds good.
Assignee: gal → jorendorff

    
    

    
  
It turns out the assertions were discovering places where we really do need the security checks.

So the assertions are wrong. Backed them out (Friday morning).

http://hg.mozilla.org/tracemonkey/rev/d796055d5465

Pushed the test just now.

http://hg.mozilla.org/tracemonkey/rev/9fb00422e957

    
    

    
  
Adding fixed-in-tracemonkey per comment 8..
Whiteboard: fixed-in-tracemonkey

    
  
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-584578.js.
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: