IonMonkey: Opt-only crash [@ getObjectClass] with gczeal(10)

RESOLVED DUPLICATE of bug 820186

Status: RESOLVED DUPLICATE of bug 820186
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Last modified: 2 years ago
People

(Reporter: decoder, Assigned: terrence)

Tracking

Blocks: 2 bugs
Keywords: crash, testcase
Version: Trunk
Platform: x86 Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:ignore], crash signature)

Attachments

(1 attachment)

Description (Reporter), 5 years ago
Created attachment 690841 [details]
Testcase for shell

The attached testcase crashes on mozilla-central revision 3ce22cb51e56 (run with --ion-eager).
Comment 1 (Reporter), 5 years ago
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
getObjectClass (this=0x0) at ../jsscope.h:599
599         Class *getObjectClass() const { return base()->clasp; }
(gdb) bt
#0  getObjectClass (this=0x0) at ../jsscope.h:599
#1  getClass (this=0xf7408340) at ../vm/ObjectImpl-inl.h:336
#2  getOps (this=0xf7408340) at ../vm/ObjectImpl-inl.h:354
#3  getGeneric (vp=$jsval(-nan(0xfff87f7412070)), id=-145676384, receiver=(JSObject * const) 0xf7412070 [object Array], obj=(JSObject * const) 0xf7408340 Cannot access memory at address 0x0, cx=0x8598248)
    at ../jsobjinlines.h:168
#4  getProperty (vp=$jsval(-nan(0xfff87f7412070)), name="toString", receiver=(JSObject * const) 0xf7412070 [object Array], obj=(JSObject * const) 0xf7408340 Cannot access memory at address 0x0, cx=0x8598248)
    at ../jsobjinlines.h:184
#5  array_getProperty (cx=0x8598248, obj=(JSObject * const) 0xf7412070 [object Array], receiver=(JSObject * const) 0xf7412070 [object Array], name="toString", vp=$jsval(-nan(0xfff87f7412070)))
    at /srv/repos/mozilla-central/js/src/jsarray.cpp:738
#6  0x080746c3 in array_getGeneric (cx=0x8598248, obj=(JSObject * const) 0xf7412070 [object Array], receiver=(JSObject * const) 0xf7412070 [object Array], id=-145676384, vp=$jsval(-nan(0xfff87f7412070)))
    at /srv/repos/mozilla-central/js/src/jsarray.cpp:803
#7  0x08118804 in js::GetMethod (cx=<optimized out>, obj=..., id=-145676384, vp=$jsval(-nan(0xfff87f7412070)), getHow=0) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4425
#8  0x081188a8 in MaybeCallMethod (cx=0x8598248, obj=..., id=-145676384, vp=$jsval(-nan(0xfff87f7412070))) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4833
#9  0x0811a331 in js::DefaultValue (cx=0x8598248, obj=(JSObject * const) 0xf7412070 [object Array], hint=JSTYPE_STRING, vp=$jsval(-nan(0xfff87f7412070))) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4864
#10 0x0817fc08 in defaultValue (vp=$jsval(-nan(0xfff87f7412070)), obj=(JSObject * const) 0xf7412070 [object Array], cx=0x8598248, hint=<optimized out>) at ../jsobjinlines.h:69
#11 ToPrimitive (vp=0xffffbe58, preferredType=JSTYPE_STRING, cx=0x8598248) at ../jsobjinlines.h:1307
#12 js::ToStringSlow (cx=0x8598248, arg=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3409
#13 0x0818242f in ToString (v=..., cx=0x8598248) at ../jsstr.h:138
#14 js_String (cx=0x8598248, argc=1, vp=0xf7697138) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3164
#15 0x080f8b2f in CallJSNative (args=..., native=<optimized out>, cx=0x8598248) at ../jscntxtinlines.h:364
#16 js::InvokeKernel (cx=0x8598248, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:389

Marking s-s because the test contains gczeal(10). Also, the issue initially had a signature similar to bug 820186, so maybe they are duplicates. During reduction, the crash stack changed to the one shown above.
Blocks: 724444
Whiteboard: [jsbugmon:ignore]
Comment 2 (Assignee), 5 years ago
This looks like a dup of Bug 820215, but the stack is crashing in the area I actually worked on.  Hopefully I'll be able to reproduce this one more easily.
Assignee: general → terrence
Comment 3 (Reporter), 5 years ago
Both this and bug 820215 might also be a duplicate of 817444 (also contains gczeal(10)) and the test there is even shorter.

In any case it would be nice if you could add a security rating for the bug because it's hard for me to judge the impact. I guess due to the various different signatures this crash can have, there is certainly some way to exploit it.
Flags: needinfo?(terrence)
Comment 4 (Assignee), 5 years ago
(In reply to Christian Holler (:decoder) from comment #3)
> Both this and bug 820215 might also be a duplicate of 817444 (also contains
> gczeal(10)) and the test there is even shorter.

Yup, just saw that yesterday.
> In any case it would be nice if you could add a security rating for the bug
> because it's hard for me to judge the impact. I guess due to the various
> different signatures this crash can have, there is certainly some way to
> exploit it.

It's hard for me to judge the impact as well. :-) Given that this seems to be accessing a BaseShape that's gone missing, and that the regression finder in one of the other bugs with this error implicates Incremental Sweeping, we should ask Jon. He will have a much more informed opinion on how dangerous this is.

Sadly, it looks like I can't ask Jon for info on this because he's not in the security group yet. We need to make that happen. For now, let's ask Bill, since he reviewed those patches.
Flags: needinfo?(terrence) → needinfo?(wmccloskey)
Comment 5 (Reporter), 5 years ago
(In reply to Terrence Cole [:terrence] from comment #4)

> Sadly, it looks like I can't ask Jon for info on this because he's not in
> the security group yet.

Oh you actually can, you just need to Cc him first. Bugzilla is being stupid there >.<
Comment 6 (Assignee), 5 years ago
(In reply to Christian Holler (:decoder) from comment #5)
> Oh you actually can, you just need to Cc him first. Bugzilla is being stupid
> there >.<

Okay, so I can.
Flags: needinfo?(wmccloskey) → needinfo?(jcoppeard)
I reproduced this using the revision mentioned in comment 1.  I could only reproduce for a debug build, and I got the hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK) assertion as also found in bug 820186.

Since this no longer reproduces at the current revision, I think it's safe to say this is a duplicate.
Flags: needinfo?(jcoppeard)

Updated, 5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 820186
Group: core-security