Closed
Bug 633890
Opened 13 years ago
Closed 13 years ago
Assertion failure: prop == (JSProperty*) shape
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | .x+ |
People
(Reporter: bc, Assigned: jorendorff)
References
()
Details
(Keywords: assertion, Whiteboard: [fixed-in-tracemonkey])
Attachments
(1 file)
1.41 KB,
patch
|
brendan
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
1. http://www.msnbc.msn.com/id/41540062/ns/business-retail/?gt1=43001 2. Assertion failure: prop == (JSProperty*) shape, at /work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp:12859 Reproducble on Windows, Mac, Linux. If it doesn't assert, try reloading. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 0x06790c87 in JS_Assert (s=0x6ca3d25 "prop == (JSProperty*) shape", file=0x6ca1d3c "/work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp", ln=12859) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80 80 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */ (gdb) bt #0 0x06790c87 in JS_Assert (s=0x6ca3d25 "prop == (JSProperty*) shape", file=0x6ca1d3c "/work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp", ln=12859) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80 #1 0x067be09b in js::GetPropertyWithNativeGetter (cx=0x23754960, obj=0x25b7d7e0, shape=0x250ab0a8, vp=0xbfffb6c8) at /work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp:12859 #2 0x20047afc in ?? () #3 0x067b4488 in js::ExecuteTrace (cx=0x23754960, tm=0xdf3280, f=0x256a6c9c, state=@0xbfffb7d8) at /work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp:6555 #4 0x067c2746 in js::ExecuteTree (cx=0x23754960, tm=0xdf3280, f=0x256a6c9c, inlineCallCount=@0xbfffb9c4, innermostNestedGuardp=0xbfffb8dc, lrp=0xbfffb8e0) at /work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp:6663 #5 0x067d3ddf in js::RecordTracePoint (cx=0x23754960, tm=0xdf3280, inlineCallCount=@0xbfffb9c4, blacklist=0xbfffb9cb, execAllowed=true) at /work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp:16803 #6 0x067d42b0 in js::MonitorTracePoint (cx=0x23754960, inlineCallCount=@0xbfffb9c4, blacklist=0xbfffb9cb, traceData=0x255f6128, traceEpoch=0x255f612c, loopCounter=0x255f6130, hits=1) at /work/mozilla/builds/2.0.0/mozilla/js/src/jstracer.cpp:17046 #7 0x068aea40 in RunTracer (f=@0xbfffba30, ic=@0x255f6114) at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/InvokeHelpers.cpp:1024 #8 0x068aed30 in js::mjit::stubs::InvokeTracer (f=@0xbfffba30, ic=0x255f6114) at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/InvokeHelpers.cpp:1115 #9 0x2008abde in ?? () #10 0x0683c775 in js::mjit::EnterMethodJIT (cx=0x23754960, fp=0x1000070, code=0x1f6cf000, stackLimit=0x108cab0) at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/MethodJIT.cpp:748 #11 0x0683c894 in CheckStackAndEnterMethodJIT (cx=0x23754960, fp=0x1000070, code=0x1f6cf000) at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/MethodJIT.cpp:774 #12 0x0683c9b4 in js::mjit::JaegerShot (cx=0x23754960) at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/MethodJIT.cpp:791 #13 0x066b24ee in js::Interpret () at /work/mozilla/builds/2.0.0/mozilla/js/src/jsinterp.cpp:4700 #14 0x066c459f in js::RunScript (cx=0x23754960, script=0x256b1600, fp=0x1000030) at jsinterp.cpp:640 #15 0x066c65ca in js::Execute (cx=0x23754960, chain=0x23d300a0, script=0x256b1600, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1006 locally saved versions of the page don't assert due to (I think) security errors trying to run from disk. So, I can't yet get a reproducible test case. 1.9.2 asserts with Assertion failure: prop == (JSProperty*) sprop. See Bug 522521
Updated•13 years ago
|
Group: core-security
Comment 1•13 years ago
|
||
Hidden for investigation. This sounds bad.
Doesn't assert for me on x64 Linux after reloading a few times.
Reporter | ||
Comment 3•13 years ago
|
||
(In reply to comment #2) > Doesn't assert for me on x64 Linux after reloading a few times. Is that with tracemonkey or mozilla-central? I just reproduced with 32bit and 64bit fedora 14 on mozilla-central with builds from this morning.
mozilla-central
Reporter | ||
Comment 5•13 years ago
|
||
just reproduced again on mozilla-central and tracemonkey on mac os x. I had to reload once for each.
Reporter | ||
Comment 6•13 years ago
|
||
nominated due to Andreas' concern this might enable a drive by.
blocking2.0: --- → ?
Updated•13 years ago
|
blocking2.0: ? → .x
Comment 7•13 years ago
|
||
Bob, please grab someone on IRC if you get this in gdb -- need to debug a bit. /be
Comment 8•13 years ago
|
||
This could be sg:crit. We need an analysis here. My plate is full sorry.
Comment 9•13 years ago
|
||
Jason said "Karate night" and had to run, but he said he'd take it. We believe this is #ifdef DEBUG code that calls lookupProperty which seems like it could call nsHTMLFormElementSH::NewResolve and mess with the tracer's carefully guarded invariants. If so, this bug is not sg:crit and not a blocker except to bc's life testing. It ought to be an easy NPOT(non-DEBUG)B fix. /be
Assignee: general → jorendorff
Assignee | ||
Comment 10•13 years ago
|
||
If a resolve hook is causing this, I think that means it's a dup of bug 458271, and that might lead to a small test case. Certainly we shouldn't be asserting rules that we know we're not actually following. Brendan suggested switching the assertion from obj->lookupProperty to something like SafeLookup. Sounds good to me.
Assignee | ||
Comment 11•13 years ago
|
||
Doesn't reproduce here (32-bit build on Windows).
Assignee | ||
Comment 12•13 years ago
|
||
bclary found a URL that reproduces this for me on Windows. It is: http://www.msnbc.msn.com/id/41584626/ns/business-small_business/?GT1=43001
Assignee | ||
Comment 13•13 years ago
|
||
This triggers the same assertion with the same stack. <!doctype html> <form></form> <form><input name="id"></form> <script> //var HOTLOOP = 8; var x = document.forms[0], y = document.forms[1]; var forms = []; for (var j = 0; j < 10000; j++) forms[j] = x; forms[j] = y; for (var i = 0; i < forms.length; i++) forms[i].id; </script>
Assignee | ||
Comment 14•13 years ago
|
||
It is definitely a case of bug 458271. In this bug, I'll just weaken the assertion. I'll leave bug 458271 open for the real fix. (Which will follow Ff4, I imagine. This bug report tells us there is now a real-world web site tickling bug 458271, which is a little surprising and should make that a higher priority; but not high enough to block, I think.) More in a second.
Assignee | ||
Comment 15•13 years ago
|
||
The bug does not lead to an exploitable crash or undefined behavior in the C++ sense. The situation is: - Two DOM objects x and y have the same shape. - They have the same prototype, P, which has a property P.id. - They have the same resolve hook, but it behaves differently for x vs. y. At trace record time x.id is inherited from P; and at trace run time, we treat y just like x, since they're the same shape, even though y's resolve hook would have resolved an own property y.id, shadowing P.id. We skip calling the resolve hook on x. Wrong computation, no crash. Given that it doesn't crash, is it exploitable some other way? I can't think of a plausible scenario. The only remote possibilities I can think of are: - Inasmuch as chrome code depends on getting right answers, when we give a wrong answer, that might be exploitable. But in this case we're talking about stuff like document.forms. Wrappers for such content nodes have x-ray behavior by default, which causes these resolve hooks to be skipped anyway. So the bug won't even occur. (We don't trace wrapper accesses either -- but that is little comfort since I suspect methodjit has the same bug.) There might be problems here I'm not seeing, but my hunch is we're OK. - It is just barely possible that some Web page somewhere contains both site-generated content and user-generated content, and scripts in the page distinguish the two by the presence or absence of a form field like this one. If such a site triggers this bug, it might trust user-generated content that it should not trust. It could amount to cross-site scripting in the worst case. This seems laughably unlikely, but proving that would be hard, maybe harder than just fixing the bug.
Assignee | ||
Comment 16•13 years ago
|
||
With resolver (see patch in bug 458271) this can be triggered in the shell: var p = /./, x = resolver({}, p), y = resolver({lastIndex: 2}, p), v; var a = []; for (var i = 0; i < HOTLOOP; i++) a[i] = x; a[HOTLOOP] = y; for (i = 0; i < a.length; i++) v = a[i].lastIndex; assertEq(v, 2);
Assignee | ||
Comment 17•13 years ago
|
||
This patch depends on resolver.
Attachment #513216 -
Flags: review?(brendan)
Comment 18•13 years ago
|
||
Based on comment #9 etc this sounds like it should be opened up. Or am I missing something here?
Updated•13 years ago
|
Attachment #513216 -
Flags: review?(brendan) → review+
Updated•13 years ago
|
Group: core-security
Assignee | ||
Comment 19•13 years ago
|
||
Comment on attachment 513216 [details] [diff] [review] v1 Looking for approval, since the patch is extremely low-risk (#ifdef DEBUG only) and assertions are bad.
Attachment #513216 -
Flags: approval2.0?
Updated•13 years ago
|
Attachment #513216 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Comment 20•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/711804514c8e
Whiteboard: [fixed-in-tracemonkey]
Comment 21•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/711804514c8e
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 22•13 years ago
|
||
I'd really like to make the following change: --- a/js/src/jsinterp.cpp +++ b/js/src/jsinterp.cpp @@ -2054,7 +2054,7 @@ AssertValidPropertyCacheHit(JSContext *c } if (!ok) return false; - if (cx->runtime->gcNumber != sample || entry->vshape() != pobj->shape()) + if (cx->runtime->gcNumber != sample) return true; JS_ASSERT(prop); JS_ASSERT(pobj == found); because without it, AssertValidPropertyCacheHit really doesn't do its job. However, if we do that, the test here trips that assertion. I think it's more valuable to be properly vetting property cache hits than to allow this resolver test to run. Can we back out the addition of js/src/jit-test/tests/basic/bug633890.js?
Comment 23•13 years ago
|
||
Or perhaps the fix is to extend jit_tests.py to cope with tests that are expected to trip an assertion.
Comment 24•13 years ago
|
||
Slippery slope! :-) (Note browser would have to skip regardless since it uses a single browser instance, not one per test.)
Comment 25•13 years ago
|
||
(In reply to comment #24) > Slippery slope! :-) Well, okay: The test should be deleted, as it's checking something that we don't support yet. :)
Comment 26•13 years ago
|
||
Test deleted as part of bug 554955: http://hg.mozilla.org/tracemonkey/rev/c583d7c12d9d
Comment 27•11 years ago
|
||
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•