Closed Bug 820349 Opened 12 years ago Closed 12 years ago

IonMonkey: Opt-only crash [@ getObjectClass] with gczeal(10)

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 820186

People

(Reporter: decoder, Assigned: terrence)


(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on mozilla-central revision 3ce22cb51e56 (run with --ion-eager).
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
getObjectClass (this=0x0) at ../jsscope.h:599
599         Class *getObjectClass() const { return base()->clasp; }
(gdb) bt
#0  getObjectClass (this=0x0) at ../jsscope.h:599
#1  getClass (this=0xf7408340) at ../vm/ObjectImpl-inl.h:336
#2  getOps (this=0xf7408340) at ../vm/ObjectImpl-inl.h:354
#3  getGeneric (vp=$jsval(-nan(0xfff87f7412070)), id=-145676384, receiver=(JSObject * const) 0xf7412070 [object Array], obj=(JSObject * const) 0xf7408340 Cannot access memory at address 0x0, cx=0x8598248)
    at ../jsobjinlines.h:168
#4  getProperty (vp=$jsval(-nan(0xfff87f7412070)), name="toString", receiver=(JSObject * const) 0xf7412070 [object Array], obj=(JSObject * const) 0xf7408340 Cannot access memory at address 0x0, cx=0x8598248)
    at ../jsobjinlines.h:184
#5  array_getProperty (cx=0x8598248, obj=(JSObject * const) 0xf7412070 [object Array], receiver=(JSObject * const) 0xf7412070 [object Array], name="toString", vp=$jsval(-nan(0xfff87f7412070)))
    at /srv/repos/mozilla-central/js/src/jsarray.cpp:738
#6  0x080746c3 in array_getGeneric (cx=0x8598248, obj=(JSObject * const) 0xf7412070 [object Array], receiver=(JSObject * const) 0xf7412070 [object Array], id=-145676384, vp=$jsval(-nan(0xfff87f7412070)))
    at /srv/repos/mozilla-central/js/src/jsarray.cpp:803
#7  0x08118804 in js::GetMethod (cx=<optimized out>, obj=..., id=-145676384, vp=$jsval(-nan(0xfff87f7412070)), getHow=0) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4425
#8  0x081188a8 in MaybeCallMethod (cx=0x8598248, obj=..., id=-145676384, vp=$jsval(-nan(0xfff87f7412070))) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4833
#9  0x0811a331 in js::DefaultValue (cx=0x8598248, obj=(JSObject * const) 0xf7412070 [object Array], hint=JSTYPE_STRING, vp=$jsval(-nan(0xfff87f7412070))) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4864
#10 0x0817fc08 in defaultValue (vp=$jsval(-nan(0xfff87f7412070)), obj=(JSObject * const) 0xf7412070 [object Array], cx=0x8598248, hint=<optimized out>) at ../jsobjinlines.h:69
#11 ToPrimitive (vp=0xffffbe58, preferredType=JSTYPE_STRING, cx=0x8598248) at ../jsobjinlines.h:1307
#12 js::ToStringSlow (cx=0x8598248, arg=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3409
#13 0x0818242f in ToString (v=..., cx=0x8598248) at ../jsstr.h:138
#14 js_String (cx=0x8598248, argc=1, vp=0xf7697138) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3164
#15 0x080f8b2f in CallJSNative (args=..., native=<optimized out>, cx=0x8598248) at ../jscntxtinlines.h:364
#16 js::InvokeKernel (cx=0x8598248, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:389


Marking s-s because the test contains gczeal(10). Also, the issue initially had a similar signature to bug 820186; maybe they are duplicates. During reduction, the issue changed crash stack to the one shown above.
Blocks: IonFuzz
Whiteboard: [jsbugmon:ignore]
This looks like a dup of Bug 820215, but the stack is crashing in the area I actually worked on.  Hopefully I'll be able to reproduce this one more easily.
Assignee: general → terrence
Both this and bug 820215 might also be a duplicate of 817444 (also contains gczeal(10)) and the test there is even shorter.

In any case it would be nice if you could add a security rating for the bug because it's hard for me to judge the impact. I guess due to the various different signatures this crash can have, there is certainly some way to exploit it.
Flags: needinfo?(terrence)
(In reply to Christian Holler (:decoder) from comment #3)
> Both this and bug 820215 might also be a duplicate of 817444 (also contains
> gczeal(10)) and the test there is even shorter.

Yup, just saw that yesterday.
 
> In any case it would be nice if you could add a security rating for the bug
> because it's hard for me to judge the impact. I guess due to the various
> different signatures this crash can have, there is certainly some way to
> exploit it.

It's hard for me to judge the impact as well. :-) Given that this seems to be accessing a BaseShape that's gone missing, and that the regression finder in one of the other bugs with this error implicates Incremental Sweeping, we should ask Jon. He will have a much more informed opinion on how dangerous this is.

Sadly, it looks like I can't ask Jon for info on this because he's not in the security group yet. We need to make that happen. For now, let's ask Bill, since he reviewed those patches.
Flags: needinfo?(terrence) → needinfo?(wmccloskey)
(In reply to Terrence Cole [:terrence] from comment #4)

> Sadly, it looks like I can't ask Jon for info on this because he's not in
> the security group yet.

Oh you actually can, you just need to Cc him first. Bugzilla is being stupid there >.<
(In reply to Christian Holler (:decoder) from comment #5)
> Oh you actually can, you just need to Cc him first. Bugzilla is being stupid
> there >.<

Okay, so I can.
Flags: needinfo?(wmccloskey) → needinfo?(jcoppeard)
I reproduced this using the revision mentioned in comment 1.  I could only reproduce for a debug build, and I got the hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK) assertion as also found in bug 820186.

Since this no longer reproduces at the current revision, I think it's safe to say this is a duplicate.
Flags: needinfo?(jcoppeard)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security