Crash [@ js_SuppressDeletedProperty]

RESOLVED DUPLICATE of bug 740654

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Platform: x86 Mac OS X
Keywords: crash, regression, testcase
Bug Flags: in-testsuite -

Firefox Tracking Flags: (Not tracked)

Details

(Whiteboard: [sg:dos null deref] js-triage-needed, crash signature)

Attachments

(2 attachments)

Description (Reporter, 6 years ago)

Created attachment 612011 [details]
stack

mjitChunkLimit(7)
try {
  g = (function() {})
  g.get = (function() {
    for (p in undefined) {
      d
    }
    return q + ''
  })
  q = Proxy.create(g, undefined); + q
} catch (e) {}
gc()
delete eval

crashes js opt shell on m-c changeset 95df15895e02 with -m and -n at js_SuppressDeletedProperty

s-s because this involves gc.

Thanks go out to Julian Seward for helping with using Valgrind during the reduction process - the crash disappeared halfway through but Valgrind continued to show an invalid read error which I'm attaching later.

I'm not sure if autoBisect will be accurate when bisecting this because the crash went away and came back during the reduction process.
Comment 1 (Reporter, 6 years ago)

CC'ing bholley since this seems to involve proxies, and bhackett since mjitChunkLimit seems to be involved.
Comment 2 (Reporter, 6 years ago)

Created attachment 612012 [details]
Valgrind stack

The 32-bit js shell that I tested on Mac OS X 10.7 was compiled with --enable-more-deterministic.
Comment 3 (Reporter, 6 years ago)

Note to self, this was the Valgrind patch used to aid reduction:

$ svn diff --diff-cmd=diff -x -U8
Index: memcheck/mc_errors.c
===================================================================
--- memcheck/mc_errors.c	(revision 12485)
+++ memcheck/mc_errors.c	(working copy)
@@ -730,16 +730,17 @@
             emit( "Invalid %s of size %ld\n",
                   extra->Err.Addr.isWrite ? "write" : "read",
                   extra->Err.Addr.szB );
             VG_(pp_ExeContext)( VG_(get_error_where)(err) );
 
             mc_pp_AddrInfo( VG_(get_error_address)(err),
                             &extra->Err.Addr.ai,
                             extra->Err.Addr.maybe_gcc );
+         VG_(exit)(0);
          }
          break;
 
       case Err_Jump:
          if (xml) {
             emit( "  <kind>InvalidJump</kind>\n" );
             emit( "  <what>Jump to the invalid address stated "
                   "on the next line</what>\n" );
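Review bot: the added `VG_(exit)(0);` (the `+` line just before the closing `}` of the Err_Addr report) terminates Valgrind with a success status the moment the first invalid read/write has been printed, so a reduction driver or CI script cannot distinguish "stopped at the first addressing error" from "ran clean" by exit status alone; if this stays as a reduction aid, exit with a non-zero value (Valgrind's own --error-exitcode only applies at normal end of run) so the interestingness test can key on it rather than on scraping the output. Two smaller points: the new line is indented with 9 spaces while the surrounding statements use 12, and it sits after the plain-text `emit(...)`/`mc_pp_AddrInfo` report rather than at the end of the whole case, so an --xml=yes run would never reach it and would keep going past the first error.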
You want jimb here.
Looks like a null deref, or is there still a security bug hiding behind that?
Whiteboard: js-triage-needed → [sg:dos null deref] js-triage-needed
Comment 6 (Reporter, 6 years ago)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   88677:412f24be91ed
user:        Luke Wagner
date:        Fri Mar 09 16:25:50 2012 -0800
summary:     Bug 734129 - uncatchable exceptions should still pop cx->enumerators (r=dvander)
Blocks: 734129
Keywords: regression
Comment 7 (Reporter, 6 years ago)

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   90829:3a185f034768
user:        Luke Wagner
date:        Mon Apr 02 08:57:27 2012 -0700
summary:     Bug 740654 - Hoist recursion checks out of Interpret into callers so that Interpret does not throw when trying to rejoin from mjit (r=bhackett)

It got fixed by bug 740654. Yay!
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 740654
Group: core-security
A testcase for this bug was already added in the original bug (bug 740654).
Flags: in-testsuite-