Closed Bug 631219 Opened 9 years ago Closed 9 years ago

Segmentation fault when assigning to arguments.__proto__

Categories

(Core :: JavaScript Engine, defect, critical)

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jandem, Assigned: dmandelin)

References

Details

(Keywords: crash, reproducible, testcase, Whiteboard: [sg:dos][softblocker][fixed-in-tracemonkey])

Attachments

(1 file)

This segfaults in debug and release builds (does not need any jit flags):
--
function g(o) {
    o.__proto__ = arguments;
    o.length = 123;
}
function f() {
    g(arguments);
}
f();
--
A backtrace in GDB has thousands of frames; the following lines are repeated many times:
--
#99 0x0010d6d5 in js_SetProperty (cx=0x70b540, obj=0x1408038, id={asBits = 20973600}, vp=0xbfffebd8, strict=0) at ../jsobj.cpp:5785
#100 0x000a2b61 in ArgSetter (cx=0x70b540, obj=0x1408038, id={asBits = 20973600}, vp=0xbfffebd8) at ../jsfun.cpp:590
#101 0x00074b19 in js::CallJSPropertyOpSetter (cx=0x70b540, op=0xa2983 <ArgSetter(JSContext*, JSObject*, jsid, js::Value*)>, obj=0x1408038, id={asBits = 20973600}, vp=0xbfffebd8) at jscntxtinlines.h:751
#102 0x0011a376 in js::Shape::set (this=0x8aa2c8, cx=0x70b540, obj=0x1408038, vp=0xbfffebd8) at jsscopeinlines.h:275
#103 0x00106e10 in js_NativeSet (cx=0x70b540, obj=0x1408038, shape=0x8aa2c8, added=true, vp=0xbfffebd8) at ../jsobj.cpp:5297
#104 0x0010d67e in js_SetPropertyHelper (cx=0x70b540, obj=0x1408038, id={asBits = 20973600}, defineHow=0, vp=0xbfffebd8, strict=0) at ../jsobj.cpp:5774
--
blocking2.0: --- → ?
Also crashes in Firefox 3.6.13
Simpler test case:
--
function f() {
    return arguments;
}
args = f();
args.__proto__ = f();
args.length = 0;
--
Attached patch: Patch
I think this is an easy one. The problem is that ArgSetter calls js_SetProperty. If the proto has changed to something that has a setter for that id, js_SetProperty will call that setter, which is wrong. Further, if the new proto is an arguments object, the setter is ArgSetter, hence infinite recursion.

An alternate fix would be to ban setting the prototype for arguments object. That seems like a more disciplined fix, but has more web regression risk.
Assignee: general → dmandelin
Status: NEW → ASSIGNED
Attachment #509523 - Flags: review?(brendan)
blocking2.0: ? → betaN+
Whiteboard: softblocker
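As an added illustration (not code from this bug or from SpiderMonkey), a toy C model of the dispatch dmandelin describes: the buggy ArgSetter deletes the own property and re-enters the generic setter, which walks the proto chain, finds the same native setter on an arguments-object proto and recurses until the stack is gone; the hardened variant, an assumed fix rather than the attached patch, writes the receiver's own slot directly so the chain is never consulted. The object layout, MAX_DEPTH, set_property and run_case are all constructed for the model.

```c
/* Toy model (not SpiderMonkey code) of the dispatch described in the bug:
 * arguments objects expose length via an ArgSetter-style native setter. */
typedef struct Obj {
    struct Obj *proto;
    int is_arguments;    /* length backed by the ArgSetter-style setter */
    int has_own_length;  /* own "length" property currently present */
    int length;
} Obj;

#define MAX_DEPTH 64     /* stands in for the real engine's stack limit */
static int set_property(Obj *receiver, int value, int depth, int fixed);

/* Buggy ArgSetter: delete the own property, then re-dispatch through the
 * generic setter, which walks the proto chain and can land back here. */
static int arg_setter_buggy(Obj *r, int value, int depth) {
    r->has_own_length = 0;
    return set_property(r, value, depth + 1, 0);
}

/* Hardened ArgSetter (assumed fix): write the receiver's own slot directly. */
static int arg_setter_fixed(Obj *r, int value) {
    r->has_own_length = 1;
    r->length = value;
    return 0;
}

/* Model of js_SetProperty: the first object on the chain that has "length"
 * decides; if it is an arguments object, its setter runs on the receiver. */
static int set_property(Obj *receiver, int value, int depth, int fixed) {
    if (depth > MAX_DEPTH) return -1;    /* runaway recursion (the crash) */
    for (Obj *o = receiver; o; o = o->proto) {
        if (!o->has_own_length) continue;
        if (o->is_arguments)
            return fixed ? arg_setter_fixed(receiver, value)
                         : arg_setter_buggy(receiver, value, depth);
        break;                           /* plain data property: shadow it */
    }
    receiver->has_own_length = 1;
    receiver->length = value;
    return 0;
}

/* Receiver is an arguments object; its proto is another arguments object (the
 * trigger) or a plain object. Returns -1 on runaway recursion, else length. */
int run_case(int proto_is_arguments, int fixed) {
    Obj proto = { 0, proto_is_arguments, proto_is_arguments, 0 };
    Obj receiver = { &proto, 1, 1, 0 };
    int rc = set_property(&receiver, 123, 0, fixed);
    return rc < 0 ? rc : receiver.length;
}
```

With a plain proto the buggy setter terminates normally, which is why the bug only shows up once `__proto__` points at another arguments object.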
Regression from bug 495061 patch, I think.

/be
Blocks: 495061
Attachment #509523 - Flags: review?(brendan) → review+
Whiteboard: softblocker → [sg:dos] softblocker
http://hg.mozilla.org/tracemonkey/rev/13ddee17c691
Whiteboard: [sg:dos] softblocker → [sg:dos][softblocker][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security