Status

--
critical
RESOLVED DUPLICATE of bug 700295
7 years ago
6 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86_64
Linux
crash, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox7- affected, firefox8- affected, firefox9- affected)

Details

(Whiteboard: js-triage-done, crash signature)

(Reporter)

Description

7 years ago
The following test crashes on mozilla-central revision 06445f55f009 (no options required), as well as mozilla-aurora 009c64b64cf3:


this.__proto__ = null;
Object.prototype.__proto__ = this;
function exploreProperties(obj) {
  var props = [];
  for (var o = obj; o; o = Object.getPrototypeOf(o)) {
    props = props.concat(Object.getOwnPropertyNames(o));
  }
  for (var i = 0; i < props.length; ++i) {
    var p = props[i];
    var v = obj[p];
  }
}
var c = [{}];
exploreProperties(c);

Crash looks like a near-null deref/pointer magic with pointer being null, likely not security sensitive:

==50865== Invalid read of size 8
==50865==    at 0x403807: its_getter(JSContext*, JSObject*, long, unsigned long*) (js.cpp:4518)
==50865==    by 0x4A4149: js_NativeGet(JSContext*, JSObject*, JSObject*, js::Shape const*, unsigned int, js::Value*) (jscntxtinlines.h:333)
==50865==    by 0x41F7C9: array_getProperty(JSContext*, JSObject*, JSObject*, long, js::Value*) (jsarray.cpp:760)
==50865==    by 0x579E19: js::GetPropertyByName(JSContext*, JSObject*, JSString**, js::Value*) (jsobj.h:1227)
==50865==    by 0x4058D70: ???
==50865==    by 0x593411: js::ExecuteTree(JSContext*, js::TraceMonitor*, js::TreeFragment*, js::VMSideExit**, js::VMSideExit**) (jstracer.cpp:6597)
==50865==    by 0x5A34A9: js::RecordLoopEdge(JSContext*, js::TraceMonitor*) (jstracer.cpp:7239)
==50865==    by 0x689C8F: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2922)
==50865==    by 0x5A25E6: js::RecordTracePoint(JSContext*, js::TraceMonitor*, bool*, bool) (jstracer.cpp:16741)
==50865==    by 0x5A28DA: js::MonitorTracePoint(JSContext*, bool*, void**, unsigned int*, unsigned int*, unsigned int) (jstracer.cpp:16900)
==50865==    by 0x644476: RunTracer(js::VMFrame&, js::mjit::ic::TraceICInfo&) (InvokeHelpers.cpp:945)
==50865==    by 0x403A896: ???
==50865==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
(Reporter)

Comment 1

7 years ago
This also affects current aurora, beta and release builds.
status-firefox7: --- → affected
status-firefox8: --- → affected
status-firefox9: --- → affected
tracking-firefox7: --- → ?
tracking-firefox8: --- → ?
tracking-firefox9: --- → ?

Comment 2

Reduced:
--
this.__proto__ = null;
Object.prototype.__proto__ = this;
var c = [{}];
c.custom;
--
This is shell only. The problem is that its_getter and its_setter assume the object's private slot, if non-NULL, is a pointer to a jsval. In this case the object is an array and for these objects the private slot holds the length, so we dereference 0x1.

The shell adds the custom and customRdOnly properties not only to the "it" object, but also to the global. Not sure why.

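A toy C model of the assumption described in the comment above, added here as an example and not code from this bug or from SpiderMonkey: the Obj struct, the CLASS_IT/CLASS_ARRAY tags and the its_getter_* names are hypothetical stand-ins for the shell's "it" class and the array class. It shows why reinterpreting a class-dependent slot as a pointer without checking the class yields a read at address 0x1 for an array of length 1, and the checked form that refuses the wrong class instead of dereferencing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not SpiderMonkey code: a toy model of the bug in comment 2.
 * Obj, CLASS_IT, CLASS_ARRAY and its_getter_* are hypothetical names. */

typedef uintptr_t Value;   /* stand-in for jsval; the real layout is irrelevant here */

typedef enum { CLASS_IT, CLASS_ARRAY } ObjClass;

/* One word of per-object storage whose meaning depends on the class:
 * CLASS_IT stores a Value*, CLASS_ARRAY stores the array length. */
typedef struct {
    ObjClass  cls;
    uintptr_t private_slot;
} Obj;

/* What the unchecked getter does: reinterpret the slot as Value* and, if
 * non-NULL, read through it. This helper only computes the address such a
 * read would touch, so it stays runnable; for an array of length 1 that is 0x1. */
static uintptr_t its_getter_unchecked_target(const Obj *obj) {
    const Value *p = (const Value *)obj->private_slot;
    return p ? (uintptr_t)p : 0;   /* 0 means "no read would happen" */
}

/* Hardened form: validate the class before trusting the slot's meaning.
 * Returns 1 on success, 0 when the object is not of the expected class. */
static int its_getter_checked(const Obj *obj, Value *vp) {
    if (obj->cls != CLASS_IT)
        return 0;                  /* wrong class: refuse instead of crashing */
    const Value *p = (const Value *)obj->private_slot;
    *vp = p ? *p : 0;              /* NULL private slot reads as 0 (undefined) */
    return 1;
}

int main(void) {
    Value stored = 42;                                   /* constructed sample */
    Obj it    = { CLASS_IT, (uintptr_t)&stored };        /* the "it" object */
    Obj array = { CLASS_ARRAY, 1 };                      /* var c = [{}]; length 1 */
    Value v = 0;

    printf("unchecked getter on array would read address 0x%lx\n",
           (unsigned long)its_getter_unchecked_target(&array));
    printf("checked getter on array: %s\n",
           its_getter_checked(&array, &v) ? "ok" : "refused");
    if (its_getter_checked(&it, &v))
        printf("checked getter on it object: %lu\n", (unsigned long)v);
    return 0;
}
```

The checked form is the same pattern as verifying the object's class before using its private data in a native accessor; the unchecked form is what makes the reduced testcase above land the getter on an array whose slot holds the length 1.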
Updated

7 years ago
Whiteboard: js-triage-needed → js-triage-done

Comment 3

7 years ago
Firefox release drivers aren't going to track shell only bugs.
tracking-firefox7: ? → -
tracking-firefox8: ? → -
tracking-firefox9: ? → -
(Reporter)

Updated

7 years ago
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 700295
(Reporter)

Comment 5

6 years ago
A testcase for this bug was already added in the original bug (bug 700295).
Flags: in-testsuite-