Closed Bug 787667 Opened 12 years ago Closed 12 years ago

Crash [@ JS::Value::isMagic] with ParallelArray

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla18
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 + fixed
firefox18 + fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: shu)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update][qa?][adv-track-main17-])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision c64a9f342156 (run with -m -n -a):

function testScatter() {
  var shape = [("x=new String();x.charAt(-1)")];
  for (var i = 0; i < (271); i++) {
    shape.push(i+1);
    var p = new ParallelArray(shape, function(k) { return k; });
    var r = p.scatter([0,1,0,3,(null )], 9, function (a,b) { return a+b; }, 10);
  }
}
testScatter();

GDB shows:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000466ec6 in JS::Value::isMagic (this=0x7ffff6100000) at /srv/repos/mozilla-central/js/src/jsapi.h:409
409             return JSVAL_IS_MAGIC_IMPL(data);
(gdb) bt 8
#0  0x0000000000466ec6 in JS::Value::isMagic (this=0x7ffff6100000) at /srv/repos/mozilla-central/js/src/jsapi.h:409
#1  0x0000000000466ef1 in JS::Value::isMagic (this=0x7ffff6100000, why=JS_ARRAY_HOLE) at /srv/repos/mozilla-central/js/src/jsapi.h:414
#2  0x000000000072757c in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...)
    at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1530
#3  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...)
    at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#4  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...)
    at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#5  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...)
    at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#6  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...)
    at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#7  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...)
    at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
(More stack frames follow...)
(gdb) x /i $pc
=> 0x466ec6 <JS::Value::isMagic() const+16>:    mov    (%rax),%rdi
(gdb) info reg rax rdi
rax            0x7ffff6100000   140737321631744
rdi            0x7ffff6100000   140737321631744

In Valgrind, I see lots of:

==15274== Invalid read of size 8
==15274==    at 0x7A0EFD: js::ValueToStringBufferSlow(JSContext*, JS::Value const&, js::StringBuffer&) (StringBuffer.cpp:86)
==15274==    by 0x468F17: js::ValueToStringBuffer(JSContext*, JS::Value const&, js::StringBuffer&) (StringBuffer.h:137)
==15274==    by 0x727765: js::ParallelArrayObject::toStringBufferImpl(JSContext*, js::ParallelArrayObject::IndexInfo&, bool, JS::Handle<JSObject*>, js::StringBuffer&) (ParallelArray.cpp:1549)
[...]
==15274==  Address 0x7200000 is not stack'd, malloc'd or (recently) free'd


S-s due to possibly exploitable crash. This is likely a regression from the ParallelArray landing, but I'm doing a bisect anyway to be sure that this also affects Aurora.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
This hits a corner case where getting a row (as opposed to a leaf value) of a multidimensional array with one of the dimensions being 0 is considered in bounds while it should not be.
Assignee: general → shu
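The class of defect described in the comment above, shown as a constructed model (added here; this is not SpiderMonkey's ParallelArray code, and the NDView type, its shape values and both check functions are assumptions): a row-major flattened array whose row bounds check only asks whether the row's slice fits in the buffer, which is vacuously true once any trailing dimension is 0, beside a check that validates the index against its own dimension and rejects empty rows.

```cpp
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed model (not the SpiderMonkey code): an N-dimensional array stored
// row-major in one flat buffer; "row i" is the view of the trailing dimensions
// starting at flat offset i * rowLength.
struct NDView {
    std::vector<uint32_t> shape;   // e.g. {3, 0, 2}: middle dimension is empty
    uint64_t length;               // number of leaf elements = product(shape)
};

static uint64_t product(const std::vector<uint32_t>& dims, size_t from) {
    uint64_t n = 1;
    for (size_t i = from; i < dims.size(); ++i) n *= dims[i];
    return n;
}

static NDView makeView(std::vector<uint32_t> shape) {
    uint64_t len = product(shape, 0);
    return NDView{std::move(shape), len};
}

// Defective check: accepts row i when the slice [i*rowLen, (i+1)*rowLen) fits
// in the buffer. With a 0 dimension after the first, rowLen is 0 and every i
// "fits", so any row index is accepted although the array holds no element;
// a later leaf read through that row then lands outside the buffer.
static bool rowInBoundsDefective(const NDView& v, uint64_t i) {
    uint64_t rowLen = product(v.shape, 1);
    return (i + 1) * rowLen <= v.length;
}

// Corrected check: the index must be strictly below the outer dimension and
// the row must contain at least one element, so a 0 anywhere in the shape
// makes every row access out of bounds.
static bool rowInBoundsFixed(const NDView& v, uint64_t i) {
    if (v.shape.empty() || i >= v.shape[0]) return false;
    return product(v.shape, 1) > 0;
}

int main() {
    NDView empty = makeView({3, 0, 2});
    NDView dense = makeView({2, 3});
    std::printf("shape {3,0,2} row 7: defective=%d fixed=%d\n",
                rowInBoundsDefective(empty, 7), rowInBoundsFixed(empty, 7));
    std::printf("shape {2,3}   row 1: defective=%d fixed=%d\n",
                rowInBoundsDefective(dense, 1), rowInBoundsFixed(dense, 1));
    return 0;
}
```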
Attachment #657587 - Flags: review?(dvander)
Attachment #657587 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/b1f9a8d75e20
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 657587 [details] [diff] [review]
fix and testcases

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 778559
User impact if declined: Uninitialized memory read
Testing completed (on m-c, etc.): locally and on m-c
Risk to taking this patch (and alternatives if risky): None, localized to a non-publicized and unused-in-the-wild API
String or UUID changes made by this patch:
Attachment #657587 - Flags: approval-mozilla-aurora?
Attachment #657587 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Does this need QA verification given comment 10?
Whiteboard: [jsbugmon:update] → [jsbugmon:update][qa?]
Whiteboard: [jsbugmon:update][qa?] → [jsbugmon:update][qa?][adv-track-main17-]
Blocks: 778559
Group: core-security
Keywords: regression