Closed Bug 742094 Opened 13 years ago Closed 13 years ago

Crash [@ js_SuppressDeletedProperty]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 740654

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos null deref] js-triage-needed)

Crash Data

Attachments

(2 files)

Attached file stack
mjitChunkLimit(7)
try {
  g = (function() {})
  g.get = (function() {
    for (p in undefined) {
      d
    }
    return q + ''
  })
  q = Proxy.create(g, undefined);
  + q
} catch (e) {}
gc()
delete eval

crashes js opt shell on m-c changeset 95df15895e02 with -m and -n at js_SuppressDeletedProperty.

s-s because this involves gc.

Thanks go out to Julian Seward for helping with using Valgrind during the reduction process - the crash disappeared halfway through but Valgrind continued to show an invalid read error which I'm attaching later.

I'm not sure if autoBisect will be accurate when bisecting this because the crash went away and came back during the reduction process.
CC'ing bholley since this seems to involve proxies, and bhackett since mjitChunkLimit seems to be involved.
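The crashing function in this report, js_SuppressDeletedProperty, is the part of SpiderMonkey that keeps an in-progress for-in enumeration consistent when a property is deleted underneath it: a property deleted before the loop reaches it must not be visited, even when the delete happens in a nested loop or inside a function called from the loop body (as the proxy trap in the testcase does). The engine keeps the list of active enumerators on cx->enumerators for that purpose, and the bug here is that list holding a stale entry when a delete runs after an uncatchable exception. The following is an added example, not code from the bug report or from SpiderMonkey; it shows the language-level behaviour that function implements, using constructed objects, and runs under any engine that implements ECMAScript for-in (tested mentally against Node).

```javascript
// Added example (not from the bug report). Language-level behaviour behind
// js_SuppressDeletedProperty: a property deleted during an active for-in
// enumeration, before it has been visited, is skipped by that enumeration.

// Enumerate obj with for-in and delete `victim` the moment the first key
// is visited. Returns the keys the loop actually visited.
function visitedAfterDelete(obj, victim) {
  const visited = [];
  for (const k in obj) {
    if (visited.length === 0) {
      delete obj[victim]; // happens while the enumerator is live
    }
    visited.push(k);
  }
  return visited;
}

// Nested case: the delete happens inside an inner for-in over a different
// object, so it is the *outer* enumerator, not the innermost one, that has
// to drop the key. This is why the engine keeps a list of all active
// enumerators rather than only the current one.
function visitedWithNestedDelete(outer, inner, victim) {
  const visited = [];
  for (const k in outer) {
    for (const j in inner) {
      if (j === "trigger") delete outer[victim];
    }
    visited.push(k);
  }
  return visited;
}

// Delete performed by a function called from the loop body, so the loop is
// not lexically visible at the delete site (the shape of the proxy-trap
// testcase above).
function deleteViaCallback(obj, victim) {
  const visited = [];
  const zap = () => { delete obj[victim]; };
  for (const k in obj) {
    if (k === "a") zap();
    visited.push(k);
  }
  return visited;
}

// Constructed sample inputs.
console.log(visitedAfterDelete({ a: 1, b: 2, c: 3 }, "c"));          // [ 'a', 'b' ]
console.log(visitedAfterDelete({ a: 1, b: 2, c: 3 }, "a"));          // [ 'a', 'b', 'c' ] (already visited)
console.log(visitedWithNestedDelete({ a: 1, b: 2, c: 3 }, { trigger: 0 }, "b")); // [ 'a', 'c' ]
console.log(deleteViaCallback({ a: 1, b: 2, c: 3 }, "b"));           // [ 'a', 'c' ]
```

The second call shows the edge case: deleting the key currently being visited does not retroactively remove it, since the enumerator has already produced it; only keys still ahead of the cursor are suppressed.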
Attached file Valgrind stack
The 32-bit js shell that I tested on Mac OS X 10.7 was compiled with --enable-more-deterministic.
Note to self, this was the Valgrind patch used to aid reduction: $ svn diff --diff-cmd=diff -x -U8 Index: memcheck/mc_errors.c =================================================================== --- memcheck/mc_errors.c (revision 12485) +++ memcheck/mc_errors.c (working copy) @@ -730,16 +730,17 @@ emit( "Invalid %s of size %ld\n", extra->Err.Addr.isWrite ? "write" : "read", extra->Err.Addr.szB ); VG_(pp_ExeContext)( VG_(get_error_where)(err) ); mc_pp_AddrInfo( VG_(get_error_address)(err), &extra->Err.Addr.ai, extra->Err.Addr.maybe_gcc ); + VG_(exit)(0); } break; case Err_Jump: if (xml) { emit( " <kind>InvalidJump</kind>\n" ); emit( " <what>Jump to the invalid address stated " "on the next line</what>\n" );
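Review bot: the inserted `VG_(exit)(0);` terminates with a success status, so anything driving the run (a reduction script or a shell checking the exit code) cannot tell "stopped at the first invalid read" from a clean run; a nonzero status such as `VG_(exit)(1);` would preserve that signal, and the `break;` immediately after the new call becomes unreachable. As the local reduction aid the comment describes it is fine; it is not something to carry into a shared build.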
You want jimb here.
Looks like a null deref, or is there still a security bug hiding behind that?
Whiteboard: js-triage-needed → [sg:dos null deref] js-triage-needed
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   88677:412f24be91ed
user:        Luke Wagner
date:        Fri Mar 09 16:25:50 2012 -0800
summary:     Bug 734129 - uncatchable exceptions should still pop cx->enumerators (r=dvander)
Blocks: 734129
Keywords: regression
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   90829:3a185f034768
user:        Luke Wagner
date:        Mon Apr 02 08:57:27 2012 -0700
summary:     Bug 740654 - Hoist recursion checks out of Interpret into callers so that Interpret does not throw when trying to rejoin from mjit (r=bhackett)

It got fixed by bug 740654. Yay!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security
A testcase for this bug was already added in the original bug (bug 740654).
Flags: in-testsuite-