Closed Bug 763440 Opened 10 years ago Closed 10 years ago

IonMonkey: Crash [@ js::Proxy::set] with use-after-free and gcPreserveCode

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major


RESOLVED DUPLICATE of bug 762936

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])

The following testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager):
var summary = '';
var actual = '';
gcPreserveCode()
function TestCase(n, d, e, a) {
  this.name=n;
}
function reportCompare (expected, actual, description) {
  new TestCase
}
reportCompare(true, eval++, "Function.prototype.isGenerator present");
var p = Proxy.create({
    has : function(id) {}
});
Object.prototype.__proto__ = p;
new TestCase;
var expect = '';
reportCompare(expect, actual, summary);
gczeal(4);
try {
  evalcx(".");
} catch (e) {}
reportCompare(expect, actual, summary);

Crash trace:

==24613== Invalid read of size 4
==24613==    at 0x81DBB98: js::Proxy::set(JSContext*, JSObject*, JSObject*, jsid, bool, JS::Value*) (jsproxy.cpp:1108)
==24613==    by 0x81DCF59: proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Value*, int) (jsproxy.cpp:1338)
==24613==    by 0x8198201: JSObject::nonNativeSetProperty(JSContext*, JS::Handle<jsid>, JS::Value*, int) (jsobj.cpp:3083)
==24613==    by 0x807284F: JSObject::setGeneric(JSContext*, JS::Handle<jsid>, JS::Value*, int) (jsobjinlines.h:93)
==24613==    by 0x84CFCB7: js::ion::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, bool, bool) (VMFunctions.cpp:316)
==24613==    by 0x847074A: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:612)
==24613==    by 0x9CCBA95: ???
==24613==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd

Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 762936