Closed Bug 735869 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::shadow::Object::numFixedSlots] or [@ js_SuppressDeletedProperty]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Attached file stack
o = {}
for (let i = 0; i < 70; i++) {
    try {
        p
    } catch (e) {}
    (function() {
        for (x in Iterator.prototype) {}
    })()
    o.__proto__ = null
    delete o.__proto__
}

Crashes the js debug shell on IonMonkey changeset 76e469f863ae with -m, -a, --ion and -n at js::shadow::Object::numFixedSlots, and crashes the js opt shell at js_SuppressDeletedProperty.
Version: Trunk → Other Branch
Looks like a non-zero invalid read (and in valgrind it doesn't crash at all). Marking s-s.

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0804c3d8 in js::shadow::Object::numFixedSlots (this=0xa0000) at ../../jsfriendapi.h:341
341         size_t numFixedSlots() const { return shape->slotInfo >> Shape::FIXED_SLOTS_SHIFT; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686
(gdb) x /i $pc
=> 0x804c3d8 <js::shadow::Object::numFixedSlots() const+6>:     mov    (%eax),%eax
(gdb) info reg eax
eax            0xa0000  655360
(gdb) bt 8
#0  0x0804c3d8 in js::shadow::Object::numFixedSlots (this=0xa0000) at ../../jsfriendapi.h:341
#1  0x0804cc85 in js::ObjectImpl::numFixedSlots (this=0xa0000) at ../../vm/ObjectImpl.h:728
#2  0x0806c039 in js::ObjectImpl::getPrivate (this=0xa0000) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/vm/ObjectImpl-inl.h:378
#3  0x08138307 in JSObject::getNativeIterator (this=0xa0000) at ../jsobjinlines.h:567
#4  0x0815a990 in SuppressDeletedPropertyHelper<SingleStringPredicate> (cx=0x871ce30, obj=0xf770c430, predicate=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:1009
#5  0x08157b93 in js_SuppressDeletedProperty (cx=0x871ce30, obj=0xf770c430, id=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:1097
#6  0x081791e8 in js_DeleteGeneric (cx=0x871ce30, obj=0xf770c430, id=..., rval=0xffffc590, strict=0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:5512
#7  0x08179242 in js_DeleteProperty (cx=0x871ce30, obj=0xf770c430, name=0xf7812820, rval=0xffffc590, strict=0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:5518
(More stack frames follow...)
Group: core-security
> Looks like a non-zero invalid read (and in valgrind it doesn't crash at
> all). Marking s-s.

Julian, shouldn't Valgrind show a crash as well?
Whiteboard: [jsbugmon:update]
I can repro this on x86-linux using the specified changeset (76e469f863ae) but not using the tip. V's output for 76e469f863ae is:

Conditional jump or move depends on uninitialised value(s)
   at 0x81493A0: bool SuppressDeletedPropertyHelper<SingleStringPredicate>(JSContext*, JSObject*, SingleStringPredicate) (jsiter.cpp:1007)
   by 0x8146458: js_SuppressDeletedProperty(JSContext*, JSObject*, jsid) (jsiter.cpp:1097)
   by 0x8166C54: js_DeleteGeneric(JSContext*, JSObject*, jsid, JS::Value*, int) (jsobj.cpp:5727)
   by 0x8166CB3: js_DeleteProperty(JSContext*, JSObject*, js::PropertyName*, JS::Value*, int) (jsobj.cpp:5733)
   by 0x8127B13: JSObject::deleteProperty(JSContext*, js::PropertyName*, JS::Value*, bool) (jsobjinlines.h:261)
   by 0x8136E2B: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2559)
   by 0x82A5F85: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1079)
   by 0x82A6115: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1111)
   by 0x82A61D6: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1123)
   by 0x812CB3F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:475)
   by 0x812D677: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:677)
   by 0x812D872: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:719)
 Uninitialised value was created by a heap allocation
   at 0x4026484: malloc (vg_replace_malloc.c:263)
   by 0x805C1A4: js_malloc (Utility.h:173)
   by 0x805FB37: JSRuntime::malloc_(unsigned int, JSContext*) (jscntxt.h:650)
   by 0x805FBAA: JSContext::malloc_(unsigned int) (jscntxt.h:1129)
   by 0x8144F2B: js::NativeIterator::allocateIterator(JSContext*, unsigned int, JS::AutoIdVector const&) (jsiter.cpp:546)
   by 0x8147E06: InitIteratorClass(JSContext*, js::GlobalObject*) (jsiter.cpp:1746)
   by 0x81481A0: js_InitIteratorClasses(JSContext*, JSObject*) (jsiter.cpp:1814)
   by 0x807E92A: JS_ResolveStandardClass (jsapi.cpp:1996)
   by 0x805936A: global_resolve(JSContext*, JSObject*, jsid, unsigned int, JSObject**) (js.cpp:4358)
   by 0x8163EF6: CallResolveOp(JSContext*, JSObject*, js::Handle<JSObject*>, js::Handle<jsid>, unsigned int, JSObject**, JSProperty**, bool*) (jsobj.cpp:4733)
   by 0x81642DD: LookupPropertyWithFlagsInline(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4789)
   by 0x8164577: js::LookupPropertyWithFlags(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4861)

Conditional jump or move depends on uninitialised value(s)
   at 0x4C669ED: ???
   by 0x8358E06: EnterIon(JSContext*, js::StackFrame*, CallTarget, void*, js::ion::IonActivation::Kind) (Ion.cpp:948)
   by 0x835900B: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:977)
   by 0x81387EE: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2804)
   by 0x82A5F85: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1079)
   by 0x82A6115: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1111)
   by 0x82A61D6: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1123)
   by 0x812CB3F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:475)
   by 0x812D677: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:677)
   by 0x812D872: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:719)
   by 0x8087736: JS_ExecuteScript (jsapi.cpp:5294)
   by 0x804F780: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:479)
 Uninitialised value was created by a heap allocation
   at 0x4026484: malloc (vg_replace_malloc.c:263)
   by 0x805C1A4: js_malloc (Utility.h:173)
   by 0x805FB37: JSRuntime::malloc_(unsigned int, JSContext*) (jscntxt.h:650)
   by 0x805FBAA: JSContext::malloc_(unsigned int) (jscntxt.h:1129)
   by 0x8144F2B: js::NativeIterator::allocateIterator(JSContext*, unsigned int, JS::AutoIdVector const&) (jsiter.cpp:546)
   by 0x8147E06: InitIteratorClass(JSContext*, js::GlobalObject*) (jsiter.cpp:1746)
   by 0x81481A0: js_InitIteratorClasses(JSContext*, JSObject*) (jsiter.cpp:1814)
   by 0x807E92A: JS_ResolveStandardClass (jsapi.cpp:1996)
   by 0x805936A: global_resolve(JSContext*, JSObject*, jsid, unsigned int, JSObject**) (js.cpp:4358)
   by 0x8163EF6: CallResolveOp(JSContext*, JSObject*, js::Handle<JSObject*>, js::Handle<jsid>, unsigned int, JSObject**, JSProperty**, bool*) (jsobj.cpp:4733)
   by 0x81642DD: LookupPropertyWithFlagsInline(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4789)
   by 0x8164577: js::LookupPropertyWithFlags(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4861)

Conditional jump or move depends on uninitialised value(s)
   at 0x812C95C: js::RunScript(JSContext*, JSScript*, js::StackFrame*)::CheckStackBalance::~CheckStackBalance() (jsinterp.cpp:454)
   by 0x812CB8C: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:478)
   by 0x812D677: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:677)
   by 0x812D872: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:719)
   by 0x8087736: JS_ExecuteScript (jsapi.cpp:5294)
   by 0x804F780: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:479)
   by 0x805A70F: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4816)
   by 0x805A95C: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4899)
   by 0x805B2C3: main (js.cpp:5128)
 Uninitialised value was created by a heap allocation
   at 0x4026484: malloc (vg_replace_malloc.c:263)
   by 0x805C1A4: js_malloc (Utility.h:173)
   by 0x805FB37: JSRuntime::malloc_(unsigned int, JSContext*) (jscntxt.h:650)
   by 0x805FBAA: JSContext::malloc_(unsigned int) (jscntxt.h:1129)
   by 0x8144F2B: js::NativeIterator::allocateIterator(JSContext*, unsigned int, JS::AutoIdVector const&) (jsiter.cpp:546)
   by 0x8147E06: InitIteratorClass(JSContext*, js::GlobalObject*) (jsiter.cpp:1746)
   by 0x81481A0: js_InitIteratorClasses(JSContext*, JSObject*) (jsiter.cpp:1814)
   by 0x807E92A: JS_ResolveStandardClass (jsapi.cpp:1996)
   by 0x805936A: global_resolve(JSContext*, JSObject*, jsid, unsigned int, JSObject**) (js.cpp:4358)
   by 0x8163EF6: CallResolveOp(JSContext*, JSObject*, js::Handle<JSObject*>, js::Handle<jsid>, unsigned int, JSObject**, JSProperty**, bool*) (jsobj.cpp:4733)
   by 0x81642DD: LookupPropertyWithFlagsInline(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4789)
   by 0x8164577: js::LookupPropertyWithFlags(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4861)

Conditional jump or move depends on uninitialised value(s)
   at 0x80B49BB: js_DestroyContext(JSContext*, JSDestroyContextMode) (jscntxt.cpp:237)
   by 0x807CBBF: JS_DestroyContext (jsapi.cpp:1167)
   by 0x805992A: DestroyContext(JSContext*, bool) (js.cpp:4594)
   by 0x805B305: main (js.cpp:5135)
 Uninitialised value was created by a heap allocation
   at 0x4026484: malloc (vg_replace_malloc.c:263)
   by 0x805C1A4: js_malloc (Utility.h:173)
   by 0x805FB37: JSRuntime::malloc_(unsigned int, JSContext*) (jscntxt.h:650)
   by 0x805FBAA: JSContext::malloc_(unsigned int) (jscntxt.h:1129)
   by 0x8144F2B: js::NativeIterator::allocateIterator(JSContext*, unsigned int, JS::AutoIdVector const&) (jsiter.cpp:546)
   by 0x8147E06: InitIteratorClass(JSContext*, js::GlobalObject*) (jsiter.cpp:1746)
   by 0x81481A0: js_InitIteratorClasses(JSContext*, JSObject*) (jsiter.cpp:1814)
   by 0x807E92A: JS_ResolveStandardClass (jsapi.cpp:1996)
   by 0x805936A: global_resolve(JSContext*, JSObject*, jsid, unsigned int, JSObject**) (js.cpp:4358)
   by 0x8163EF6: CallResolveOp(JSContext*, JSObject*, js::Handle<JSObject*>, js::Handle<jsid>, unsigned int, JSObject**, JSProperty**, bool*) (jsobj.cpp:4733)
   by 0x81642DD: LookupPropertyWithFlagsInline(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4789)
   by 0x8164577: js::LookupPropertyWithFlags(JSContext*, JSObject*, jsid, unsigned int, JSObject**, JSProperty**) (jsobj.cpp:4861)
I can reproduce this on mac x86 (unfortunately, not Linux)
Assignee: general → dvander
Status: NEW → ASSIGNED
Attached patch fix
Turns out we need a slightly different test for JSOP_ITEREND, since we can only advance cx->enumerators if the iterobj has JSITER_ENUMERATE.
Attachment #624621 - Flags: review?(jdemooij)
Comment on attachment 624621 [details] [diff] [review]
fix

Review of attachment 624621 [details] [diff] [review]:
-----------------------------------------------------------------

Oops, nice catch.
Attachment #624621 - Flags: review?(jdemooij) → review+
Can you also add the testcase? for-in, __proto__, delete, let, Iterator.prototype and try-catch in one short test is interesting :)
http://hg.mozilla.org/projects/ionmonkey/rev/63d76ea4e46e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: core-security
Keywords: sec-high
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::shadow::Object::numFixedSlots] [@ js_SuppressDeletedProperty] → [@ js::shadow::Object::numFixedSlots] [@ js_SuppressDeletedProperty]
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug735869.js.
Flags: in-testsuite+