Closed Bug 688371 Opened 14 years ago Closed 14 years ago

Crash [@ its_getter]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 700295
Tracking Status
firefox7 - affected
firefox8 - affected
firefox9 - affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-done)

Crash Data

The following test crashes on mozilla-central revision 06445f55f009 (no options required), as well as mozilla-aurora 009c64b64cf3:

    this.__proto__ = null;
    Object.prototype.__proto__ = this;
    function exploreProperties(obj) {
      var props = [];
      for (var o = obj; o; o = Object.getPrototypeOf(o)) {
        props = props.concat(Object.getOwnPropertyNames(o));
      }
      for (var i = 0; i < props.length; ++i) {
        var p = props[i];
        var v = obj[p];
      }
    }
    var c = [{}];
    exploreProperties(c);

Crash looks like a near-null deref/pointer magic with pointer being null, likely not security sensitive:

    ==50865== Invalid read of size 8
    ==50865==    at 0x403807: its_getter(JSContext*, JSObject*, long, unsigned long*) (js.cpp:4518)
    ==50865==    by 0x4A4149: js_NativeGet(JSContext*, JSObject*, JSObject*, js::Shape const*, unsigned int, js::Value*) (jscntxtinlines.h:333)
    ==50865==    by 0x41F7C9: array_getProperty(JSContext*, JSObject*, JSObject*, long, js::Value*) (jsarray.cpp:760)
    ==50865==    by 0x579E19: js::GetPropertyByName(JSContext*, JSObject*, JSString**, js::Value*) (jsobj.h:1227)
    ==50865==    by 0x4058D70: ???
    ==50865==    by 0x593411: js::ExecuteTree(JSContext*, js::TraceMonitor*, js::TreeFragment*, js::VMSideExit**, js::VMSideExit**) (jstracer.cpp:6597)
    ==50865==    by 0x5A34A9: js::RecordLoopEdge(JSContext*, js::TraceMonitor*) (jstracer.cpp:7239)
    ==50865==    by 0x689C8F: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2922)
    ==50865==    by 0x5A25E6: js::RecordTracePoint(JSContext*, js::TraceMonitor*, bool*, bool) (jstracer.cpp:16741)
    ==50865==    by 0x5A28DA: js::MonitorTracePoint(JSContext*, bool*, void**, unsigned int*, unsigned int*, unsigned int) (jstracer.cpp:16900)
    ==50865==    by 0x644476: RunTracer(js::VMFrame&, js::mjit::ic::TraceICInfo&) (InvokeHelpers.cpp:945)
    ==50865==    by 0x403A896: ???
    ==50865== Address 0x1 is not stack'd, malloc'd or (recently) free'd

This also affects current aurora, beta and release builds.
Reduced:

--
    this.__proto__ = null;
    Object.prototype.__proto__ = this;
    var c = [{}];
    c.custom;
--

This is shell only. The problem is that its_getter and its_setter assume the object's private slot, if non-NULL, is a pointer to a jsval. In this case the object is an array and for these objects the private slot holds the length, so we dereference 0x1. The shell adds the custom and customRdOnly properties not only to the "it" object, but also to the global. Not sure why.
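The comment above describes a class-confusion bug: one private slot word is a pointer for "it" objects but an integer length for arrays, and the getter interprets it without checking which kind of object it was invoked on. The following is an added illustration of that pattern and of the class check that closes it; it is constructed for this page and is not the JS shell's code. The `Object`, `ObjClass`, `Value` types and the `demo_*` functions are hypothetical stand-ins, and the array is modelled as `[{}]` with length 1 so that the slot holds the same 0x1 that Valgrind reports.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bug, not SpiderMonkey's real structures: one
 * "private slot" word whose meaning depends on the object's class. */
typedef enum { CLASS_IT, CLASS_ARRAY } ObjClass;
typedef int64_t Value;               /* stand-in for jsval */

typedef struct {
    ObjClass  clasp;
    uintptr_t private_slot;          /* CLASS_IT: Value*; CLASS_ARRAY: length */
} Object;

/* Shape of the getter described in the bug: any non-null private slot is
 * treated as a Value pointer. Correct only when obj really is an "it". */
static bool its_getter_unchecked(const Object *obj, Value *out)
{
    if (obj->private_slot == 0) {
        *out = 0;                    /* "undefined" in this model */
        return true;
    }
    *out = *(const Value *)obj->private_slot;  /* on an array: deref of the length */
    return true;
}

/* Hardened form: the class check gates the pointer interpretation, so a
 * receiver of the wrong class gets an error instead of a wild read. */
static bool its_getter_checked(const Object *obj, Value *out)
{
    if (obj->clasp != CLASS_IT)
        return false;
    return its_getter_unchecked(obj, out);
}

/* "it" object whose private slot points at a real Value: the intended case. */
static int64_t demo_it_value(void)
{
    static Value backing = 42;       /* constructed sample value */
    Object it = { CLASS_IT, (uintptr_t)&backing };
    Value v = 0;
    return its_getter_checked(&it, &v) ? v : -1;
}

/* Array [{}]: the private slot holds the length 1, i.e. the address 0x1 in
 * the Valgrind report. The checked getter refuses to read through it. */
static bool demo_array_rejected(void)
{
    Object arr = { CLASS_ARRAY, 1 };
    Value v = 0;
    return !its_getter_checked(&arr, &v);
}

/* The raw slot word the unchecked getter would have dereferenced. */
static uintptr_t demo_array_slot_address(void)
{
    Object arr = { CLASS_ARRAY, 1 };
    return arr.private_slot;
}

int main(void)
{
    printf("it.custom -> %lld\n", (long long)demo_it_value());
    printf("array receiver rejected: %s\n", demo_array_rejected() ? "yes" : "no");
    printf("slot word the unchecked getter would read: %#lx\n",
           (unsigned long)demo_array_slot_address());
    return 0;
}
```

The defensive point is the one the reduced testcase makes: a native accessor that is reachable through the prototype chain can be invoked on receivers of any class, so the class (or the shape, or whatever marks the slot layout) has to be verified before the slot is reinterpreted as a pointer. Failing closed with an error, as `its_getter_checked` does, turns a near-null read into a reportable condition.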
Whiteboard: js-triage-needed → js-triage-done
Firefox release drivers aren't going to track shell only bugs.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was already added in the original bug (bug 700295).
Flags: in-testsuite-