637010 - Crash [@ js_IteratorMore]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following code crashes on TM tip (without any options even):

var o0 = Iterator.prototype;
function f0(o) {
}
for(var i=0; i<7; i++) {
try { o0.prototype(); } catch(e) {
  if (o0.next() != 7)
    throw "7 not yielded";
};
}

This looks like a null pointer dereference to me:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8ffa2dc720 (LWP 5590)]
0x00000000004d983c in js_IteratorMore (cx=0x143f530, iterobj=0x7f8ff8c03288, rval=0x7f8ff8d8a0a8) at jsiter.cpp:940
940             bool more = ni->props_cursor < ni->props_end;
(gdb) bt
#0  0x00000000004d983c in js_IteratorMore (cx=0x143f530, iterobj=0x7f8ff8c03288, rval=0x7f8ff8d8a0a8) at jsiter.cpp:940
#1  0x00000000004d94f4 in iterator_next (cx=0x143f530, argc=0, vp=0x7f8ff8d8a0a8) at jsiter.cpp:717
#2  0x00000000004d4d72 in js::CallJSNative (cx=0x143f530, native=0x4d9464 <iterator_next>, argc=0, vp=0x7f8ff8d8a0a8) at jscntxtinlines.h:701
#3  0x00000000006f971d in js::Interpret (cx=0x143f530, entryFrame=0x7f8ff8d8a048, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:4781
#4  0x00000000004d0dc2 in js::RunScript (cx=0x143f530, script=0x14a6020, fp=0x7f8ff8d8a048) at jsinterp.cpp:650
#5  0x00000000004d21eb in js::Execute (cx=0x143f530, chain=0x7f8ff8c03048, script=0x14a6020, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1011
#6  0x000000000043141e in JS_ExecuteScript (cx=0x143f530, obj=0x7f8ff8c03048, script=0x14a6020, rval=0x0) at jsapi.cpp:4929
#7  0x0000000000405723 in Process (cx=0x143f530, obj=0x7f8ff8c03048, filename=0x7fffc7876316 "min.js", forceTTY=0) at js.cpp:452
#8  0x0000000000406665 in ProcessArgs (cx=0x143f530, obj=0x7f8ff8c03048, argv=0x7fffc7875c10, argc=1) at js.cpp:944
#9  0x0000000000410a40 in Shell (cx=0x143f530, argc=1, argv=0x7fffc7875c10, envp=0x7fffc7875c20) at js.cpp:5711
#10 0x0000000000410c06 in main (argc=1, argv=0x7fffc7875c10, envp=0x7fffc7875c20) at js.cpp:5819
(gdb) print ni
$1 = (class js::NativeIterator *) 0x0


Locking this anyways, unlock if confirmed to be harmless.

Comment 1

[Christian Holler (:decoder)]

Forgot: Found through combined fuzzing (jandem's method fuzzer + LangFuzz)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   42641:b15fd8b568e4
user:        Andreas Gal
date:        Fri May 07 17:52:52 2010 -0700
summary:     fast object iteration (558754, r=brendan, CLOSED TREE).

Comment 3

[Jan de Mooij [:jandem]]

I reduced this (to see how my fuzzer can generate this):

Iterator.prototype.next();

iterobj->getNativeIterator() in js_IteratorMore returns NULL in this case.

Comment 4

[Andreas Gal :gal]

Attachment: patch

Comment 5

[Andreas Gal :gal]

Just a couple missing null checks. Not exploitable. Should be very safe to take, but I won't fight an a-.

Comment 6

[Mike Beltzner [:beltzner, not reading bugmail]]

Comment on attachment 515373 [details] [diff] [review]
patch

r+ before a? please!

Comment 7

[Andreas Gal :gal]

dvander, want to review?

Comment 8

[Andreas Gal :gal]

Comment on attachment 515373 [details] [diff] [review]
patch

This is a safe crash and a DOS. I would like to take it for 2.x but I am not going to fight for it.

Comment 9

[Andreas Gal :gal]

Comment on attachment 515373 [details] [diff] [review]
patch

Actually no, I take back the approval nom. I just land it on trunk and we pick it up whenever.

Comment 10

[Boris Zbarsky [:bzbarsky]]

http://hg.mozilla.org/tracemonkey/rev/ef65c2f6ed63

Comment 11

[Chris Leary [:cdleary] (not checking bugmail)]

http://hg.mozilla.org/mozilla-central/rev/ef65c2f6ed63

Comment 13

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929