Crash [@ js::NewDenseCopiedArray] or [@ JSObject::getClass]

VERIFIED FIXED

Status

Type: defect
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 9 years ago
Modified: 4 years ago

People

(Reporter: gkw, Assigned: paul.biggar)

Tracking

(Blocks 1 bug, {crash, regression, testcase})

Version: Trunk
Platform: x86
OS: macOS

Firefox Tracking Flags

(blocking2.0 betaN+)

Details

(Whiteboard: [ccbr][softblocker][fixed-in-tracemonkey], crash signature)

Attachments

(1 attachment)

(function() {
  Iterator((function() {
    switch ((7)) {
    default:
      return (Float32Array).call([], 4300018)
    case Proxy.create((function() {
        return {
          e:
          function() {}
        }
      })):
    }
  })())
})()

crashes js opt shell at js::NewDenseCopiedArray and debug shell at JSObject::getClass on TM changeset ca11457ed5fe without -m or -j.

also s-s because no idea what the testcase is doing.

===

opt console output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000001c
0x00025ecc in js::NewDenseCopiedArray ()
(gdb) bt
#0  0x00025ecc in js::NewDenseCopiedArray ()
#1  0x0009a0e1 in Enumerate<ValueEnumeration> ()
#2  0x0009d6b7 in js::GetIterator ()
#3  0x0009dfc0 in Iterator ()
#4  0x0008bd89 in js::Interpret ()
#5  0x00096492 in js::Execute ()
#6  0x00018e18 in JS_ExecuteScript ()
#7  0x00006774 in Process ()
#8  0x0000af22 in Shell ()
#9  0x0000b4bf in main ()
(gdb) x/i $eip
0x25ecc <_ZN2js19NewDenseCopiedArrayEP9JSContextjPNS_5ValueEP8JSObject+140>:    mov    %esi,0x1c(%eax)
(gdb) x/b $esi
0x2:    Cannot access memory at address 0x2

debug console output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x0019b465 in JSObject::getClass (this=0x0) at jsobj.h:391
391         js::Class *getClass() const { return clasp; }
(gdb) bt
#0  0x0019b465 in JSObject::getClass (this=0x0) at jsobj.h:391
#1  0x00038da4 in JSObject::isDenseArray (this=0x0) at jsarray.h:146
#2  0x00038dfd in JSObject::isArray (this=0x0) at jsarray.h:158
#3  0x00111d50 in JSObject::setArrayLength (this=0x0, length=2) at jsobjinlines.h:298
#4  0x0004323b in js::NewArray<true> (cx=0x70f8b0, length=2, proto=0x0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsarray.cpp:3000
#5  0x00043290 in js::NewDenseCopiedArray (cx=0x70f8b0, length=2, vp=0xbfffe518, proto=0x0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsarray.cpp:3029
#6  0x000eb5de in NewKeyValuePair (cx=0x70f8b0, id={asBits = 5896797}, val=@0xe97e970, rval=0xe97e970) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:168
#7  0x000f20e9 in ValueEnumeration::append (cx=0x70f8b0, vals=@0xbfffe790, obj=0x15026e0, id={asBits = 5896797}, flags=14) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:203
#8  0x000eb806 in Enumerate<ValueEnumeration> (cx=0x70f8b0, obj=0x15026e0, pobj=0x15026e0, id={asBits = 5896797}, enumerable=true, sharedPermanent=false, flags=14, ht=@0xbfffe620, props=0xbfffe790) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:247
#9  0x000ec61e in Snapshot<ValueEnumeration> (cx=0x70f8b0, obj=0x15026e0, flags=14, props=0xbfffe790) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:358
#10 0x000efc8d in js::GetIterator (cx=0x70f8b0, obj=0x15026e0, flags=14, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:721
#11 0x000f005c in js_ValueToIterator (cx=0x70f8b0, flags=14, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:839
#12 0x000f00fd in Iterator (cx=0x70f8b0, argc=1, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:760
#13 0x000e94da in js::CallJSNative (cx=0x70f8b0, native=0xf006b <Iterator(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x10100a0) at jscntxtinlines.h:692
#14 0x000d25b5 in js::Interpret () at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsinterp.cpp:4806
#15 0x000e6084 in js::RunScript (cx=0x70f8b0, script=0x713370, fp=0x1010030) at jsinterp.cpp:657
#16 0x000e661b in js::Execute (cx=0x70f8b0, chain=0x1502028, script=0x713370, prev=0x0, flags=0, result=0xbffff6c0) at jsinterp.cpp:1024
#17 0x00023e9f in JS_ExecuteScript (cx=0x70f8b0, obj=0x1502028, script=0x713370, rval=0xbffff6c0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsapi.cpp:4932
#18 0x000168c8 in Process (cx=0x70f8b0, obj=0x1502028, filename=0x0, forceTTY=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:548
#19 0x00017386 in ProcessArgs (cx=0x70f8b0, obj=0x1502028, argv=0xbffff858, argc=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:951
#20 0x000174c4 in Shell (cx=0x70f8b0, argc=0, argv=0xbffff858, envp=0xbffff85c) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5464
#21 0x0001762b in main (argc=0, argv=0xbffff858, envp=0xbffff85c) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5572
blocking2.0: --- → ?
I'm going softblocker for now, since we don't know yet if this affects the web. Is autobisect running on this? A regressing changeset would help with triage.
blocking2.0: ? → betaN+
Whiteboard: [ccbr] → [ccbr][softblocker]
The first bad revision is:
changeset:   aae231781a45
user:        Paul Biggar
date:        Mon Dec 13 16:22:59 2010 -0800
summary:     Bug 612292 - Rename array allocation functions (r=lw)
Blocks: 612292
blocking2.0: betaN+ → ?
Jesse, by the renom are you saying you think this shouldn't block?
Assignee: general → pbiggar
The renom was an unintentional change. Sorry.
blocking2.0: ? → betaN+
I missed two OOM checks in the original refactoring, which this check triggered.
Attachment #502112 - Flags: review?(lw)
Comment on attachment 502112 [details] [diff] [review]
Check for missing OOM conditions

>+    if (!obj)
>+      return NULL;
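
Review bot: the guard only helps if it sits immediately after the allocation and before the first use of `obj`; the debug backtrace above shows `js::NewArray<true>` (jsarray.cpp:3000) calling `JSObject::setArrayLength` with `this=0x0`, so that `setArrayLength` call has to come after this `if (!obj) return NULL;`. The comment says two OOM checks were missed, and only one is quoted here; confirm the second site (the `NewDenseCopiedArray` frame at jsarray.cpp:3029) gets the same early return.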

4 spaces of indent here.
Attachment #502112 - Flags: review?(lw) → review+
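The allocation path behind the backtrace above, as an added example (not SpiderMonkey code; every name here is a hypothetical stand-in): a fault-injecting allocator lets the OOM branch be exercised directly, showing the unchecked form that dereferences null beside the guarded form the patch introduces.

```cpp
// Added model of the missed OOM check (hypothetical names, not SpiderMonkey
// code): an allocation hook that can be forced to fail stands in for the
// engine reporting out-of-memory, so the error path can be exercised.
#include <cstdint>
#include <new>

struct Class { const char *name; };
static Class ArrayClass = { "Array" };

struct Object {
    Class *clasp;                 // the field getClass() reads
    uint32_t length;
    Class *getClass() const { return clasp; }
    bool isArray() const { return getClass() == &ArrayClass; }
    void setArrayLength(uint32_t len) { if (isArray()) length = len; }
};

// Fault injection: while failNextAllocs > 0, allocations return nullptr.
static int failNextAllocs = 0;

Object *NewObject() {
    if (failNextAllocs > 0) { --failNextAllocs; return nullptr; }
    Object *obj = new (std::nothrow) Object;
    if (obj) { obj->clasp = &ArrayClass; obj->length = 0; }
    return obj;
}

// Before the fix: the allocation result is used without a null check, so an
// OOM becomes a null dereference inside setArrayLength -> isArray -> getClass
// (the debug shell's JSObject::getClass crash with this=0x0).
Object *NewArrayUnchecked(uint32_t length) {
    Object *obj = NewObject();
    obj->setArrayLength(length);  // dereferences nullptr on OOM
    return obj;
}

// After the fix: propagate the failure to the caller, as the patch does.
Object *NewArrayChecked(uint32_t length) {
    Object *obj = NewObject();
    if (!obj)
        return nullptr;
    obj->setArrayLength(length);
    return obj;
}

// Drive the OOM path once: true iff the checked version reports failure
// instead of crashing. (NewArrayUnchecked is deliberately not called here.)
bool CheckedVersionSurvivesOom() {
    failNextAllocs = 1;
    return NewArrayChecked(2) == nullptr;
}
```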
http://hg.mozilla.org/tracemonkey/rev/6ca3394a3aa2
Whiteboard: [ccbr][softblocker] → [ccbr][softblocker][fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/6ca3394a3aa2
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::NewDenseCopiedArray] [@ JSObject::getClass]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security