Closed Bug 727987 Opened 14 years ago Closed 14 years ago

Assertion failure: obj, at ../../jsval.h:774 or Crash on heap (JIT) or Crash [@ js::gc::ChunkBitmap::markIfUnmarked] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13
Tracking Flags:
Tracking Status
firefox11 --- wontfix
firefox12 --- affected
firefox13 --- fixed
firefox-esr10 --- wontfix
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: billm)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos][js-triage-done])

Crash Data

Attachments

(1 file)

patch
687 bytes, patch
Waldo
: review+
Details | Diff | Splinter Review
The following test asserts/crashes on mozilla-central revision 4a9a6ffd1f21: gcparam("maxBytes", gcparam("gcBytes") + 4*(1)); arr = [1e0, 5e1, 9e19, 0.1e20, 1.3e20, 1e20, 9e20, 9.99e20, 0.1e21, 1e21, 1e21+65537, 1e21+65536, 1e21-65536, 1]; for (var i = 0; i < 4000; i++) { arr.push(new Boolean(false)); } When stepping through the assert, I first got this crash with options -m -n: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7f3fcd9 in ?? () (gdb) bt #0 0x00007ffff7f3fcd9 in ?? () #1 0x00007ffff7f3fc2e in ?? () #2 0x0000000000000001 in ?? () #3 0x0000000000000000 in ?? () (gdb) x /4i $pc => 0x7ffff7f3fcd9: mov 0x8(%rsi),%rsi 0x7ffff7f3fcdd: movabs $0x7ffff6000250,%r11 0x7ffff7f3fce7: cmp %r11,%rsi 0x7ffff7f3fcea: je 0x7ffff7f3fcf5 (gdb) info register rsi rsi 0x0 0 This looked like a simple null-deref. However, without any options, I get this crash: Program received signal SIGSEGV, Segmentation fault. 0x00000000004b9dcc in js::gc::ChunkBitmap::markIfUnmarked (this=0xfc0b8, cell=0x0, color=0) at /srv/repos/larch/js/src/jsgc.h:666 666 if (*word & mask) (gdb) x / 4i $pc Invalid number "4i". (gdb) x /4i $pc => 0x4b9dcc <js::gc::ChunkBitmap::markIfUnmarked(js::gc::Cell const*, uint32_t)+58>: mov (%rax),%rdx 0x4b9dcf <js::gc::ChunkBitmap::markIfUnmarked(js::gc::Cell const*, uint32_t)+61>: mov -0x10(%rbp),%rax 0x4b9dd3 <js::gc::ChunkBitmap::markIfUnmarked(js::gc::Cell const*, uint32_t)+65>: and %rdx,%rax 0x4b9dd6 <js::gc::ChunkBitmap::markIfUnmarked(js::gc::Cell const*, uint32_t)+68>: test %rax,%rax (gdb) info register rax rdx rax 0xfc0b8 1032376 rdx 0xfc0b8 1032376 which is certainly security-relevant. I can't judge if you can get the non-jitted crash in the browser somehow, so I'm marking this s-s.
Attached patch patchSplinter Review
It's an OOM.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #598006 - Flags: review?(jwalden+bmo)
Also, we'll always crash at exactly the same address that Christian saw (0xfc0b8). I'm not sure what the security implications of that are. It seems possible that there could be important stuff there, and we're going to set a bit on that word. But I think an attacker would have to be pretty clever to exploit this.
Whiteboard: js-triage-needed → [js-triage-done]
Heh, I'm just afraid once I see "gc" with a crash and a non-null address ^_^
Attachment #598006 - Flags: review?(jwalden+bmo) → review+
Whiteboard: [js-triage-done] → [sg:dos][js-triage-done]
https://hg.mozilla.org/mozilla-central/rev/24dd2472229f
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
This is a regression from bug 695756 so it affects the ESR, though it doesn't seem needed.
Blocks: 695756
status1.9.2: --- → unaffected
status-firefox-esr10: --- → affected
status-firefox11: --- → wontfix
status-firefox12: --- → affected
Keywords: regression
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: