Closed
Bug 822858
Opened 12 years ago
Closed 12 years ago
Crash [@ js::EncapsulatedPtr] or [@ js::types::TypeObject::print] or "Assertion failure: [infer failure] Missing type in object [0x10172f070] lastIndex: int,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: gkw, Assigned: bhackett1024)
Details
(5 keywords, Whiteboard: [jsbugmon:update][adv-main19+][adv-esr1703+])
Crash Data
Attachments
(4 files)
21.14 KB,
text/plain
|
Details | |
15.44 KB,
text/plain
|
Details | |
933 bytes,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
3.49 KB,
patch
|
billm
:
review+
bajaj
:
approval-mozilla-aurora+
bajaj
:
approval-mozilla-beta+
bajaj
:
approval-mozilla-esr17+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
RegExp.prototype.lastIndex = this
gc()
newGlobal()
eval("RegExp().lastIndex")
crashes js debug shell on m-c changeset fd8fd1a7aecd with -a at js::EncapsulatedPtr
During the process of reduction, the following assert showed up, also with -a, Assertion failure: [infer failure] Missing type in object [0x10172f070] lastIndex: int, with the testcase:
function g() {
z = newGlobal('')
return function(code) {
evalcx(code, z)
}
}
f = g()
f("this.RegExp.prototype.lastIndex=this")
gc()
f("RegExp().lastIndex")
s-s and sec-critical because it's a type inference failure and involves gc, feel free to change this when shown not to be s-s.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 108156:7228effb2e5b
user: Bill McCloskey
date: Mon Sep 03 16:42:22 2012 -0700
summary: Bug 787856 - Use lazy protos for cross-compartment wrappers (r=bholley)
Reporter | ||
Updated•12 years ago
|
status-firefox20:
--- → affected
tracking-firefox20:
--- → ?
Reporter | ||
Comment 1•12 years ago
|
||
The regressing patch autoBisect pinpointed in comment 0 was for the crash in the first testcase.
Here's another regression window for the assert (2nd testcase).
Bill, I'm not sure which is correct, is this a GC or TI bug?
Flags: needinfo?(wmccloskey)
Assignee: general → wmccloskey
Reporter | ||
Comment 2•12 years ago
|
||
Sometimes js::types::TypeObject::print is on the stack.
Crash Signature: [@ js::EncapsulatedPtr] → [@ js::EncapsulatedPtr]
[@ js::types::TypeObject::print]
Summary: Crash [@ js::EncapsulatedPtr] or "Assertion failure: [infer failure] Missing type in object [0x10172f070] lastIndex: int," → Crash [@ js::EncapsulatedPtr] or [@ js::types::TypeObject::print] or "Assertion failure: [infer failure] Missing type in object [0x10172f070] lastIndex: int,"
Updated•12 years ago
|
Reporter | ||
Comment 3•12 years ago
|
||
If 22c9c298a21f is the correct regressing changeset, then 18 and later is affected, and 17 ESR and prior are not. Setting flags based on this assumption, please feel free to change if necessary.
status-b2g18:
--- → affected
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-b2g18:
--- → ?
tracking-firefox18:
--- → ?
tracking-firefox19:
--- → ?
tracking-firefox21:
--- → ?
This fixes a problem that was introduced by the lazy proto patch. However, it's not the real fix, since we still assert after it's applied.
Attachment #699370 -
Flags: review?(bhackett1024)
Flags: needinfo?(wmccloskey)
Brian said he would take this. It looks like RegExp objects aren't informing TI when they initialize properties like lastIndex. Brian says that StringObject may have a similar problem.
Assignee: wmccloskey → bhackett1024
Assignee | ||
Updated•12 years ago
|
Attachment #699370 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 6•12 years ago
|
||
The blame revision is wrong for the underlying problem, this goes back to objshrink I think. We add type information for the builtin properties of String and RegExp objects, but only do so during class initialization. If the type of those default String/RegExp objects is later destroyed, that information is lost and is not regenerated. The attached patch fixes this by ensuring that whenever the type for a RegExp or String object is created, type information for the builtin properties is added.
Attachment #699389 -
Flags: review?(wmccloskey)
Attachment #699389 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 7•12 years ago
|
||
Comment on attachment 699389 [details] [diff] [review]
fix
[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
Rather difficult, requires knowledge of how the modified parts of the code interact with each other and GC.
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No
> Which older supported branches are affected by this flaw?
esr 17
> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
trivial
> How likely is this patch to cause regressions; how much testing does it need?
none
Attachment #699389 -
Flags: sec-approval?
Updated•12 years ago
|
Attachment #699389 -
Flags: sec-approval? → sec-approval+
My patch doesn't need sec-approval because it only affects DEBUG builds.
Reporter | ||
Comment 9•12 years ago
|
||
billm's patch:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f77b007d48bf
bhackett's patch:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ada213f01bd
Comment 10•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f77b007d48bf
https://hg.mozilla.org/mozilla-central/rev/7ada213f01bd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::EncapsulatedPtr]
[@ js::types::TypeObject::print] → [@ js::EncapsulatedPtr]
[@ js::types::TypeObject::print]
Comment 11•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Assignee | ||
Comment 12•12 years ago
|
||
Comment on attachment 699389 [details] [diff] [review]
fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): objshrink
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none
Attachment #699389 -
Flags: approval-mozilla-beta?
Attachment #699389 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
Crash Signature: [@ js::EncapsulatedPtr]
[@ js::types::TypeObject::print] → [@ js::EncapsulatedPtr]
[@ js::types::TypeObject::print]
Updated•12 years ago
|
tracking-firefox21:
? → ---
Updated•12 years ago
|
Attachment #699389 -
Flags: approval-mozilla-beta?
Attachment #699389 -
Flags: approval-mozilla-beta+
Attachment #699389 -
Flags: approval-mozilla-aurora?
Attachment #699389 -
Flags: approval-mozilla-aurora+
Reporter | ||
Updated•12 years ago
|
Keywords: checkin-needed
Comment 13•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/3d197fdb4b98
https://hg.mozilla.org/releases/mozilla-aurora/rev/3b1ce7ca16b2
https://hg.mozilla.org/releases/mozilla-beta/rev/e711dd161c8d
https://hg.mozilla.org/releases/mozilla-beta/rev/3c6da794f5c3
Flags: in-testsuite?
Keywords: checkin-needed
Reporter | ||
Updated•12 years ago
|
tracking-firefox-esr17:
--- → ?
Comment 14•12 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #12)
> Comment on attachment 699389 [details] [diff] [review]
> fix
>
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): objshrink
> User impact if declined: potential security vulnerability
> Testing completed (on m-c, etc.): on m-c
> Risk to taking this patch (and alternatives if risky): none
> String or UUID changes made by this patch: none
Can we please get a esr patch ready here ? Thank you
Assignee | ||
Comment 15•12 years ago
|
||
Comment on attachment 699389 [details] [diff] [review]
fix
This should apply clean to esr 17.
Attachment #699389 -
Flags: approval-mozilla-esr17?
Updated•12 years ago
|
Attachment #699389 -
Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Comment 16•12 years ago
|
||
The first patch doesn't apply cleanly to esr17. Looks like some function name changes, but also I don't see TaggedProto defined. The second patch has some differences in the surrounding code, so I'll let you make sure that it's applied correctly.
Reporter | ||
Comment 17•12 years ago
|
||
(In reply to Ryan VanderMeulen from comment #16)
> The first patch doesn't apply cleanly to esr17. Looks like some function
> name changes, but also I don't see TaggedProto defined. The second patch has
> some differences in the surrounding code, so I'll let you make sure that
> it's applied correctly.
Brian, looks like the patch needs unbitrotting for ESR17.
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 18•12 years ago
|
||
Only the second patch has approval. The first is just fixing some debugging code. For the second, getNewType() has change a little, but using this code instead:
if (self->isRegExp()) {
AddTypeProperty(cx, type, "source", types::Type::StringType());
AddTypeProperty(cx, type, "global", types::Type::BooleanType());
AddTypeProperty(cx, type, "ignoreCase", types::Type::BooleanType());
AddTypeProperty(cx, type, "multiline", types::Type::BooleanType());
AddTypeProperty(cx, type, "sticky", types::Type::BooleanType());
AddTypeProperty(cx, type, "lastIndex", types::Type::Int32Type());
}
if (self->isString())
AddTypeProperty(cx, type, "length", Type::Int32Type());
Before the self->getClass()->ext.equality test should be fine.
Flags: needinfo?(bhackett1024)
Comment 19•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr17/rev/7b5512da58d0
Can we check in a test for this?
Comment 20•12 years ago
|
||
Batch edit: Bugs marked status-b2g18: affected after 2/13 branching of v1.0.1 are now also status-b2g18-v1.0.1: affected
status-b2g18-v1.0.1:
--- → affected
Comment 21•12 years ago
|
||
Can someone suggest a security rating here?
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main19+][adv-esr1703+]
Comment 22•12 years ago
|
||
Can you please uplift the patch for b2g18 & land it on mozilla-b2g18_v1_0_1as well (should be identical fixes) asap. thank you !
Comment 23•12 years ago
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•