Closed Bug 629650 Opened 9 years ago Closed 9 years ago

MethodJIT: Assertion failure: cx->enumerators == obj, at jsiter.cpp:789

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
blocking2.0: final+

People

(Reporter: decoder, Assigned: dvander)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?])

Attachments

(2 files)

The attached testcase asserts on 64 bit TM tip, run in shell with "-j -m". Testcase is not minimal and might not terminate if assertion isn't triggered (sorry, didn't have more time for further minimization/rewriting).

Backtrace:

#0  0x00007ffff7bd1ebb in raise () from /lib/libpthread.so.0
#1  0x0000000000598960 in JS_Assert (s=0x736327 "cx->enumerators == obj", file=0x73626b "jsiter.cpp", ln=789) at jsutil.cpp:83
#2  0x00000000004d49e9 in js_CloseIterator (cx=0xae80c0, obj=0x7ffff689a288) at jsiter.cpp:789
#3  0x00000000006b29a5 in FindExceptionHandler (cx=0xae80c0) at ./methodjit/InvokeHelpers.cpp:159
#4  0x00000000006b3b19 in js_InternalThrow (f=...) at ./methodjit/InvokeHelpers.cpp:552
#5  0x000000000064cac8 in JaegerThrowpoline () at ./methodjit/MethodJIT.cpp:139
#6  0x00007ffff7f96400 in ?? ()
[...]

Bisect shows:

Changeset 54650:427282865362: bad
The first bad revision is:
changeset:   54650:427282865362
user:        Bill McCloskey <wmccloskey@mozilla.com>
date:        Wed Sep 29 13:21:36 2010 -0700
summary:     Bug 535912 - Eliminate blockChain from JSStackFrame (r=cdleary)

However, this revision shows a different assertion:

"Assertion failure: offset < script->length, at ../methodjit/InvokeHelpers.cpp:90"

This did not crash in my tests, so no security lock. Lock if appropriate.
Group: core-security
Similar stacks before were exploitable because the iterator stack becomes unbalanced and the next GC can kill the objects on it.
blocking2.0: --- → ?
blocking2.0: ? → final+
Whiteboard: hardblocker
The problem is that stubs::FixupArity leaves an incoherent cx->regs->pc when throwing.
Assignee: general → dvander
Status: NEW → ASSIGNED
Whiteboard: hardblocker → [hardblocker][has patch]
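The assertion in the title and the two diagnoses above (an unbalanced iterator stack, and an unwinder working from a stale cx->regs->pc) can be made concrete with a small model. The following is an added example written for this page, not SpiderMonkey source and not the attached patch or testcase: it models cx->enumerators as a linked list of live for-in iterator objects (innermost at the head), js_CloseIterator's "cx->enumerators == obj" check, and an unwinder that, like FindExceptionHandler, decides which iterators to close from a try-note table covering the current pc. The try-note table, the pc values, the operand-stack layout and the IterObj/Context structs are all constructed for the illustration.

```c
/* Model of the iterator-stack invariant behind "cx->enumerators == obj".
 * Added example, not engine code: the structs, try notes and pc values
 * below are invented for illustration. */
#include <stddef.h>
#include <stdio.h>

#define MAX_ITERS 8

typedef struct IterObj {
    int id;                 /* stands in for the iterator object's identity */
    struct IterObj *next;   /* link to the enclosing (outer-loop) iterator */
} IterObj;

typedef struct Context {
    IterObj *enumerators;   /* innermost live for-in iterator, or NULL */
} Context;

/* One JSTRY_ITER-style note: while pc is in [start, end), the for-in loop
 * whose iterator sits at 'depth' on the frame's operand stack is active. */
typedef struct TryNote { int start, end, depth; } TryNote;

/* Constructed script layout: an outer for-in spanning pc 0..100 with an
 * inner for-in spanning pc 20..60 nested inside it. */
static const TryNote notes[] = {
    { 20,  60, 2 },   /* inner loop: iterator at operand-stack depth 2 */
    {  0, 100, 1 },   /* outer loop: iterator at operand-stack depth 1 */
};
static const int num_notes = (int)(sizeof notes / sizeof notes[0]);

/* Open a for-in iterator: push it onto cx->enumerators. */
void open_iterator(Context *cx, IterObj *it) {
    it->next = cx->enumerators;
    cx->enumerators = it;
}

/* js_CloseIterator equivalent. Returns 0 on success, -1 if the object being
 * closed is not the innermost live iterator (where the real engine asserts). */
int close_iterator(Context *cx, IterObj *it) {
    if (cx->enumerators != it)
        return -1;          /* would be: Assertion failure: cx->enumerators == obj */
    cx->enumerators = it->next;
    it->next = NULL;
    return 0;
}

/* Unwind a throwing frame. 'stack' is the frame's operand stack indexed by
 * depth, holding the iterator objects its for-in loops pushed. The only guide
 * to which loops are active is the pc: every try note covering pc names one
 * iterator to close. Returns how many were closed, or -1 on an invariant hit. */
int unwind_frame(Context *cx, IterObj **stack, int pc) {
    int closed = 0;
    for (int i = 0; i < num_notes; i++) {
        if (pc >= notes[i].start && pc < notes[i].end) {
            if (close_iterator(cx, stack[notes[i].depth]) != 0)
                return -1;
            closed++;
        }
    }
    return closed;
}

/* Scenario: both loops are open when the frame throws.
 *  - coherent pc (inside the inner loop): inner then outer are closed, the
 *    list is empty again, returns 2;
 *  - stale pc before the inner loop started: the unwinder skips the inner
 *    iterator and tries to close the outer one first, returns -1;
 *  - pc outside both loops: nothing is closed and a dead frame's iterators
 *    stay on cx->enumerators for the next GC to find, returns -2. */
int run_scenario(int pc_at_throw) {
    Context cx = { NULL };
    IterObj outer = { 1, NULL }, inner = { 2, NULL };
    IterObj *stack[MAX_ITERS] = { NULL };

    open_iterator(&cx, &outer); stack[1] = &outer;   /* pc 0:  enter outer loop */
    open_iterator(&cx, &inner); stack[2] = &inner;   /* pc 20: enter inner loop */

    int closed = unwind_frame(&cx, stack, pc_at_throw);
    if (closed < 0)
        return -1;                                   /* unbalanced: assertion fires */
    return cx.enumerators == NULL ? closed : -2;     /* -2: stale iterators left behind */
}

int main(void) {
    printf("coherent pc=30: %d\n", run_scenario(30));
    printf("stale pc=10:    %d\n", run_scenario(10));
    printf("pc=200:         %d\n", run_scenario(200));
    return 0;
}
```

The model shows why a wrong pc at throw time is a memory-safety problem rather than a cosmetic one: the try notes are the unwinder's only record of which iterators a frame owns, so a pc that does not match the frame's real state either closes the wrong object (the assertion on this bug) or leaves dead-frame iterators reachable from cx->enumerators after the frame is gone.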
Comment on attachment 508298 [details] [diff] [review]
fix

r+ with the testcase.
Attachment #508298 - Flags: review?(lw) → review+
http://hg.mozilla.org/tracemonkey/rev/a7a3317dac32

Didn't check in the testcase since it infinite-loops.
Whiteboard: [hardblocker][has patch] → [hardblocker][has patch][fixed-in-tracemonkey]
Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey] → [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?]
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763
Fixed for a long time and not affecting old branches, opening this.
Group: core-security
Status: RESOLVED → VERIFIED
Flags: in-testsuite-
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+