MethodJIT: Assertion failure: cx->enumerators == obj, at jsiter.cpp:789

VERIFIED FIXED

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
7 years ago
4 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Bug Flags:
sec-bounty +
in-testsuite -

Firefox Tracking Flags

(blocking2.0 final+)

Details

(Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?])

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 507831 [details]
Test case for shell (run with -j and -m)

The attached testcase asserts on 64 bit TM tip, run in shell with "-j -m". Testcase is not minimal and might not terminate if assertion isn't triggered (sorry, didn't have more time for further minimization/rewriting).

Backtrace:

#0  0x00007ffff7bd1ebb in raise () from /lib/libpthread.so.0
#1  0x0000000000598960 in JS_Assert (s=0x736327 "cx->enumerators == obj", file=0x73626b "jsiter.cpp", ln=789) at jsutil.cpp:83
#2  0x00000000004d49e9 in js_CloseIterator (cx=0xae80c0, obj=0x7ffff689a288) at jsiter.cpp:789
#3  0x00000000006b29a5 in FindExceptionHandler (cx=0xae80c0) at ./methodjit/InvokeHelpers.cpp:159
#4  0x00000000006b3b19 in js_InternalThrow (f=...) at ./methodjit/InvokeHelpers.cpp:552
#5  0x000000000064cac8 in JaegerThrowpoline () at ./methodjit/MethodJIT.cpp:139
#6  0x00007ffff7f96400 in ?? ()
[...]

Bisect shows:

Changeset 54650:427282865362: bad
The first bad revision is:
changeset:   54650:427282865362
user:        Bill McCloskey <wmccloskey@mozilla.com>
date:        Wed Sep 29 13:21:36 2010 -0700
summary:     Bug 535912 - Eliminate blockChain from JSStackFrame (r=cdleary)

However, this revision shows a different assertion:

"Assertion failure: offset < script->length, at ../methodjit/InvokeHelpers.cpp:90"

This did not crash in my tests, so no security lock. Lock if appropriate.

Updated

7 years ago
Group: core-security

Comment 1

7 years ago
Similar stacks before were exploitable because the iterator stack becomes unbalanced and the next GC can kill the objects on it.
blocking2.0: --- → ?
blocking2.0: ? → final+
Whiteboard: hardblocker
(Assignee)

Comment 2

7 years ago
The problem is that stubs::FixupArity leaves an incoherent cx->regs->pc when throwing.
Assignee: general → dvander
Status: NEW → ASSIGNED
(Assignee)

Comment 3

7 years ago
Created attachment 508298 [details] [diff] [review]
fix
Attachment #508298 - Flags: review?(lw)

Updated

7 years ago
Whiteboard: hardblocker → [hardblocker][has patch]

Comment 4

7 years ago
Comment on attachment 508298 [details] [diff] [review]
fix

r+ with the testcase.
Attachment #508298 - Flags: review?(lw) → review+
(Assignee)

Comment 5

7 years ago
http://hg.mozilla.org/tracemonkey/rev/a7a3317dac32

Didn't check in the testcase since it infinite-loops.
Whiteboard: [hardblocker][has patch] → [hardblocker][has patch][fixed-in-tracemonkey]
Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey] → [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?]
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Reporter)

Updated

7 years ago
Blocks: 676763
(Reporter)

Comment 8

6 years ago
Fixed for a long time and not affecting old branches, opening this.
Group: core-security
(Reporter)

Updated

6 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Updated

5 years ago
Flags: in-testsuite-
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+