Closed Bug 831090 Opened 11 years ago Closed 11 years ago

crash @Worker::SetEventListener with Worker and __proto__

Categories

(Core :: JavaScript Engine, defect)

21 Branch
x86
Windows 8
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 897678
Tracking Status
firefox21 --- wontfix
firefox22 --- wontfix
firefox23 --- wontfix
firefox24 --- wontfix
firefox25 - affected
firefox26 --- affected
firefox-esr17 --- affected
b2g18 --- affected

People

(Reporter: nils, Assigned: Waldo)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [asan])

Attachments

(1 file)

Attached file testcase, crashes the browser
Firefox nightly crashes when loading the attached testcase. Crashes on accessing unmapped memory.

Stack backtrace on Windows:
xul!`anonymous namespace'::Worker::SetEventListener+0x1e:
620656a5 8b34853c825e62  mov     esi,dword ptr xul!Worker::sEventStrings (625e823c)[eax*4] ds:002b:6b4be6fc=????????
0:000:x86> cdb: Reading initial command 'kp 16;q'
ChildEBP RetAddr  
0044be4c 68879ad7 xul!`anonymous namespace'::Worker::SetEventListener(struct JSContext * aCx = 0x06b1d800, class JS::Handle<JSObject *> aObj = class JS::Handle<JSObject *>, class JS::Handle<int> aIdval = class JS::Handle<int>, int aStrict = 0n0, class JS::MutableHandle<JS::Value> aVp = class JS::MutableHandle<JS::Value>)+0x1e
0044be70 688a634b mozjs!js::CallSetter+0x160697
0044bf44 687c2789 mozjs!js::baseops::SetPropertyHelper+0x1097eb
0044bf8c 687c2808 mozjs!js::DirectProxyHandler::set(struct JSContext * cx = 0x06b1d800, struct JSObject * proxy = 0x04452130, struct JSObject * receiverArg = 0x0446a180, int id_ = 0n74887776, bool strict = false, class JS::Value * vp = 0x0044bff0)+0x79
0044bfb8 687312b2 mozjs!js::DirectWrapper::set(struct JSContext * cx = 0x06b1d800, struct JSObject * wrapper = 0x04452130, struct JSObject * receiver = 0x0446a180, int id = 0n74887681, bool strict = false, class JS::Value * vp = 0x0044bff0)+0x48
0044c000 6872041e mozjs!js::CrossCompartmentWrapper::set(struct JSContext * cx = 0x06b1d800, struct JSObject * wrapper_ = 0x04452130, struct JSObject * receiver_ = 0x04452130, int id_ = 0n74887776, bool strict = false, class JS::Value * vp = 0x0044c0e0)+0xc2
0044c070 68720454 mozjs!js::Proxy::set(struct JSContext * cx = 0x06b1d800, class JS::Handle<JSObject *> proxy_ = class JS::Handle<JSObject *>, class JS::Handle<JSObject *> receiver = class JS::Handle<JSObject *>, class JS::Handle<int> id = class JS::Handle<int>, bool strict = false, class JS::MutableHandle<JS::Value> vp = class JS::MutableHandle<JS::Value>)+0x6e
0044c08c 68786ae1 mozjs!proxy_SetGeneric(struct JSContext * cx = 0x06b1d800, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class JS::Handle<int> id = class JS::Handle<int>, class JS::MutableHandle<JS::Value> vp = class JS::MutableHandle<JS::Value>, int strict = 0n0)+0x24
0044c0ec 68792080 mozjs!js::SetPropertyOperation(struct JSContext * cx = 0x06b1d800, unsigned char * pc = 0x023b5930 "--- memory read error at address 0x023b5930 ---", class JS::Handle<JS::Value> lval = class JS::Handle<JS::Value>, class JS::Handle<JS::Value> rval = class JS::Handle<JS::Value>)+0x241
0044cc10 6878b4ae mozjs!js::Interpret(struct JSContext * cx = 0x0044be80, class js::StackFrame * entryFrame = 0x03990020, js::InterpMode interpMode = JSINTERP_NORMAL (0n0))+0x1eb0
0044cc84 68782222 mozjs!js::RunScript(struct JSContext * cx = 0x06b1d800, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, class js::StackFrame * fp = 0x03990020)+0x8e
0044ccdc 6872dd2d mozjs!js::ExecuteKernel(struct JSContext * cx = 0x06b1d800, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, struct JSObject * scopeChain = 0x0444d040, class JS::Value * thisv = 0x0044cd08, js::ExecuteType type = EXECUTE_GLOBAL (0n1), class js::StackFrame * evalInFrame = 0x00000000, class JS::Value * result = 0x00000000)+0x122
0044cd10 68727d73 mozjs!js::Execute(struct JSContext * cx = 0x06b1d800, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, struct JSObject * scopeChainArg = 0x023b5930, class JS::Value * rval = 0x00000000)+0x9d
0044cd6c 6196e3b2 mozjs!JS::Evaluate(struct JSContext * cx = 0x06b1d800, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, struct JS::CompileOptions options = struct JS::CompileOptions, wchar_t * chars = 0x06825a60 "start();", unsigned int length = 8, class JS::Value * rval = 0x00000000)+0xa3
0044ce30 61a98ae7 xul!nsJSContext::EvaluateString(class nsAString_internal * aScript = 0x0044ce84, struct JSObject * aScopeObject = 0x0444d040, class nsIPrincipal * aPrincipal = 0x07584fa0, class nsIPrincipal * aOriginPrincipal = 0x07584fa0, char * aURL = 0x07aebbf8 "file:///C:/Users/Password/Desktop/TestCaseStable/repro/ff.html", unsigned int aLineNo = 0x78, JSVersion aVersion = JSVERSION_DEFAULT (0n0), class nsAString_internal * aRetValue = 0x00000000, bool * aIsUndefined = 0x0044ce6b)+0x282
0044ce8c 61a98770 xul!nsGlobalWindow::RunTimeoutHandler(struct nsTimeout * aTimeout = 0x023b5930, class nsIScriptContext * aScx = 0x06b2dd30)+0x1c7
0044cf20 61a9d535 xul!nsGlobalWindow::RunTimeout(struct nsTimeout * aTimeout = 0x07aebbf8)+0x210
0044cf38 61a725fe xul!nsGlobalWindow::TimerCallback(class nsITimer * aTimer = 0x068240d0, void * aClosure = 0x07aebc40)+0x1b
0044cf78 61a72820 xul!nsTimerImpl::Fire(void)+0x12e
0044cf80 619e1dbf xul!nsTimerEvent::Run(void)+0x20
0044cff0 61b8c86f xul!nsThread::ProcessNextEvent(bool mayWait = false, bool * result = 0x0044d02c)+0x2cf
0044d024 61b9ca2b xul!mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate * aDelegate = 0x00e42001)+0x5f
quit:
Attachment #702586 - Attachment mime type: text/plain → text/html
QA Contact: mwobensmith
Matt said he'd get us an ASAN log for this.
Assertion failure: JSID_IS_INT(aIdval), at c:/dev/mozilla-inbound/dom/workers/Worker.cpp:184
Status: UNCONFIRMED → NEW
Ever confirmed: true
ASan log from build from 2013-01-16 (Mac):

============================
==8286== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010521e648 sp 0x7fff5fbf0ba0 bp 0x7fff5fbf0e30 T0)
AddressSanitizer can not provide additional info.
    #0 0x10521e647 in (anonymous namespace)::Worker::SetEventListener(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>) (in XUL) + 951
    #1 0x107d5c43e in js::CallJSPropertyOpSetter(JSContext*, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>), JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>) (in XUL) + 446
    #2 0x107d580a6 in js::CallSetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, int, JS::MutableHandle<JS::Value>) (in XUL) + 726
    #3 0x107ccf884 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, int) (in XUL) + 1460
    #4 0x107b04e14 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) (in XUL) + 292
    #5 0x107d38b4e in js::DirectProxyHandler::set(JSContext*, JSObject*, JSObject*, jsid, bool, JS::Value*) (in XUL) + 814
    #6 0x107eac764 in js::Wrapper::set(JSContext*, JSObject*, JSObject*, jsid, bool, JS::Value*) (in XUL) + 244
    #7 0x107eaf35d in js::CrossCompartmentWrapper::set(JSContext*, JSObject*, JSObject*, jsid, bool, JS::Value*) (in XUL) + 829
    #8 0x107d4d979 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) (in XUL) + 1449
    #9 0x107d5132e in proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) (in XUL) + 30
    #10 0x107cbefda in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) (in XUL) + 266
    #11 0x107b04dfb in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) (in XUL) + 267
    #12 0x107c803c3 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) (in XUL) + 4659
    #13 0x107c5f393 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (in XUL) + 35699
    #14 0x1080b1a9c in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (in XUL) + 860
    #15 0x1080b202b in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (in XUL) + 299
    #16 0x1080b1e56 in js::mjit::JaegerShot(JSContext*, bool) (in XUL) + 454
    #17 0x107c56592 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (in XUL) + 946
    #18 0x107c6ce2e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 1102
    #19 0x107e1a071 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (in XUL) + 65
    #20 0x107c6d950 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 720
    #21 0x107af4cfa in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) (in XUL) + 650
    #22 0x10677d982 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JSObject*, nsIDOMEvent*, mozilla::ErrorResult&) (in XUL) + 450
    #23 0x105196ae6 in JS::Value mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, nsIDOMEvent*, mozilla::ErrorResult&) (in XUL) + 262
    #24 0x105195045 in nsJSEventListener::HandleEvent(nsIDOMEvent*) (in XUL) + 789
    #25 0x104b721f7 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) (in XUL) + 359
    #26 0x104b72614 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) (in XUL) + 932
    #27 0x104bbe61b in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) (in XUL) + 523
    #28 0x104bbb81e in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) (in XUL) + 942
    #29 0x104bbcefa in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) (in XUL) + 3930
    #30 0x104333a66 in nsDocumentViewer::LoadComplete(tag_nsresult) (in XUL) + 1222
    #31 0x105ba0a7c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) (in XUL) + 1212
    #32 0x105b9ec5d in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) (in XUL) + 3373
    #33 0x105b9f0bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) (in XUL) + 15
    #34 0x105bee115 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) (in XUL) + 1045
    #35 0x105bed7fb in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) (in XUL) + 427
    #36 0x105bebbc4 in nsDocLoader::DocLoaderIsEmpty(bool) (in XUL) + 1540
    #37 0x105bed02d in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (in XUL) + 1901
    #38 0x105bed5dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (in XUL) + 12
    #39 0x103c62770 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) (in XUL) + 1952
    #40 0x104964247 in nsDocument::DoUnblockOnload() (in XUL) + 567
    #41 0x104950dc6 in nsDocument::DispatchContentLoadedEvents() (in XUL) + 1814
    #42 0x104986ef9 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() (in XUL) + 137
    #43 0x106a6fefb in nsThread::ProcessNextEvent(bool, bool*) (in XUL) + 2139
    #44 0x1069b679e in NS_ProcessPendingEvents_P(nsIThread*, unsigned int) (in XUL) + 254
    #45 0x1061b8c13 in nsBaseAppShell::NativeEventCallback() (in XUL) + 451
    #46 0x10613886a in nsAppShell::ProcessGeckoEvents(void*) (in XUL) + 490
    #47 0x7fff88bed100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #48 0x7fff88beca24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #49 0x7fff88c0fdc4 in __CFRunLoopRun (in CoreFoundation) + 788
    #50 0x7fff88c0f6b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #51 0x7fff8594b0a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #52 0x7fff8594ad83 in ReceiveNextEventCommon (in HIToolbox) + 165
    #53 0x7fff8594acd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #54 0x7fff8b122612 in _DPSNextEvent (in AppKit) + 684
    #55 0x7fff8b121ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #56 0x1061370b5 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in XUL) + 245
    #57 0x7fff8b119282 in -[NSApplication run] (in AppKit) + 516
    #58 0x106139449 in nsAppShell::Run() (in XUL) + 185
    #59 0x105d0dce7 in nsAppStartup::Run() (in XUL) + 311
    #60 0x103bc649f in XREMain::XRE_mainRun() (in XUL) + 4287
    #61 0x103bc7457 in XREMain::XRE_main(int, char**, nsXREAppData const*) (in XUL) + 599
    #62 0x103bc7912 in XRE_main (in XUL) + 146
    #63 0x1000031e8 in 0x2000031e8
    #64 0x10000252f in 0x20000252f
    #65 0x100001a93 in 0x200001a93
    #66 0x0 in 0x0000000100000000 (in firefox-bin)
Stats: 986M malloced (701M for red zones) by 1392583 calls
Stats: 127M realloced by 55974 calls
Stats: 900M freed by 1123789 calls
Stats: 853M really freed by 1053942 calls
Stats: 458M (117257 full pages) mmaped in 744 calls
  mmaps   by size class: 7:311220; 8:114632; 9:29667; 10:13797; 11:8925; 12:7040; 13:2048; 14:864; 15:816; 16:1072; 17:468; 18:46; 19:38; 20:24; 21:11; 22:5; 23:3; 24:1;
  mallocs by size class: 7:854033; 8:288459; 9:89546; 10:60949; 11:51397; 12:21431; 13:10941; 14:5070; 15:4792; 16:3174; 17:2388; 18:161; 19:119; 20:69; 21:29; 22:13; 23:7; 24:5;
  frees   by size class: 7:687861; 8:218664; 9:71293; 10:53900; 11:48276; 12:19040; 13:10214; 14:4567; 15:4586; 16:2685; 17:2354; 18:135; 19:101; 20:63; 21:27; 22:12; 23:6; 24:5;
  rfrees  by size class: 7:642449; 8:206305; 9:67677; 10:50896; 11:44943; 12:17944; 13:9771; 14:4437; 15:4353; 16:2545; 17:2281; 18:134; 19:97; 20:61; 21:27; 22:12; 23:6; 24:4;
Stats: malloc large: 10857 small slow: 20227
==8286== ABORTING
I'm going to tentatively move this over to SpiderMonkey... Basically the Worker code uses tinyIds as args to this function and SM is somehow losing track of the fact that it needs to do so.

In my debug build I see this in jscntxtinlines.h:

465 inline bool
466 CallSetter(JSContext *cx, HandleObject obj, HandleId id, StrictPropertyOp op, unsigned attrs,
467            unsigned shortid, JSBool strict, MutableHandleValue vp)
468 {
469     if (attrs & JSPROP_SETTER)
470         return InvokeGetterOrSetter(cx, obj, CastAsObjectJsval(op), 1, vp.address(), vp.address());
471 
472     if (attrs & JSPROP_GETTER)
473         return js_ReportGetterOnlyAssignment(cx);
474 
475     if (!(attrs & JSPROP_SHORTID))
476         return CallJSPropertyOpSetter(cx, op, obj, id, strict, vp);
477 
478     RootedId nid(cx, INT_TO_JSID(shortid));
479 
480     return CallJSPropertyOpSetter(cx, op, obj, nid, strict, vp);
481 }

We're crashing when we call CallJSPropertyOpSetter on 476, apparently because the attrs no longer includes the SHORTID flag.

I can fix all the uses of tinyIds that I have to check for this problem rather than assert but it seems like this should be fixed in the engine to me.
Assignee: nobody → general
Component: DOM: Workers → JavaScript Engine
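The mechanism described in the comment above, as an added example that is not code from this bug or from mozilla-central. It is a reduced C model of the two pieces involved: the tail of CallSetter, which rewrites the property id to INT_TO_JSID(shortid) only when JSPROP_SHORTID is still present in attrs, and a Worker-style setter that uses the int jsid as an index into a static string table. The jsid encoding is simplified to "low bit set means int" (the real engine uses a three-bit type tag), the JSPROP_SHORTID value and the contents of sEventStrings are assumptions, and the string jsid value 0x476B260 is the id_ argument (74887776) shown in the DirectProxyHandler::set frame of the Windows backtrace. The model shows why losing the flag turns into an unmapped read rather than a JS exception: JSID_TO_INT on that pointer-valued jsid yields 0x23B5930, which is exactly the index implied by the faulting access in the backtrace (0x6b4be6fc - 0x625e823c = 4 * 0x23b5930), and the assertion that would have caught it compiles away in release builds. The hardened entry point is the "check rather than assert" option the comment mentions: reject a non-int jsid and bounds-check the slot before indexing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a SpiderMonkey jsid (assumption: the engine actually
 * uses the low three bits as a type tag; only int vs. non-int matters here).
 * An int jsid is (value << 1) | 1; a string jsid is the JSString pointer,
 * whose low bit is clear. */
typedef uintptr_t jsid;

#define JSID_IS_INT(id)   ((((jsid)(id)) & 1u) != 0)
#define INT_TO_JSID(i)    ((jsid)((((uint32_t)(i)) << 1) | 1u))
#define JSID_TO_INT(id)   (((int32_t)(id)) >> 1)

/* Property attribute flag consulted by CallSetter; value is an assumption. */
#define JSPROP_SHORTID 0x100u

/* Hypothetical stand-in for Worker::sEventStrings; the names are assumed. */
static const char *const sEventStrings[] = { "onerror", "onmessage" };
#define EVENT_COUNT (sizeof(sEventStrings) / sizeof(sEventStrings[0]))

/* Models the tail of CallSetter (jscntxtinlines.h lines 475-480 above):
 * with JSPROP_SHORTID set the id handed to the setter is INT_TO_JSID(shortid);
 * without it the setter receives the original property id unchanged. */
jsid call_setter_id(unsigned attrs, unsigned shortid, jsid id)
{
    if (attrs & JSPROP_SHORTID)
        return INT_TO_JSID(shortid);
    return id;
}

/* The index the assertion-only setter computes. Nothing is dereferenced here;
 * on a string jsid the result is the pointer bits shifted right, far outside
 * the two-element table. */
int32_t unchecked_slot(jsid id)
{
    /* JS_ASSERT(JSID_IS_INT(id)) would sit here and vanish in release builds. */
    return JSID_TO_INT(id);
}

/* Hardened entry: check the id type instead of asserting it, then bounds-check
 * the slot. Returns -1 for anything that must not index sEventStrings. */
int32_t resolve_event_slot(jsid id)
{
    if (!JSID_IS_INT(id))
        return -1;
    int32_t slot = JSID_TO_INT(id);
    if (slot < 0 || (size_t)slot >= EVENT_COUNT)
        return -1;
    return slot;
}

/* Event name for a property id, or NULL when the id is not a valid tinyid. */
const char *event_name(jsid id)
{
    int32_t slot = resolve_event_slot(id);
    return slot < 0 ? NULL : sEventStrings[slot];
}

int main(void)
{
    /* Normal path: the SHORTID flag is intact and the setter sees an int jsid. */
    jsid ok = call_setter_id(JSPROP_SHORTID, 1, 0);
    printf("shortid path: slot=%d name=%s\n",
           (int)resolve_event_slot(ok), event_name(ok));

    /* Bug path: the flag was lost, so the string jsid from the crash log
     * (DirectProxyHandler::set, id_ = 74887776 = 0x476B260) reaches the setter. */
    jsid bad = call_setter_id(0, 1, (jsid)0x476B260u);
    printf("unchecked index: 0x%x\n", (unsigned)unchecked_slot(bad));
    printf("hardened: slot=%d name=%s\n",
           (int)resolve_event_slot(bad), event_name(bad) ? event_name(bad) : "(rejected)");
    return 0;
}
```

The arithmetic is the useful part: on the 32-bit Windows build the faulting instruction was `mov esi, [sEventStrings + eax*4]`, and the model's unchecked index for the logged id reproduces that eax value, so the crash is an out-of-bounds read driven by whatever bits happen to be in the jsid, not a controlled write. The hardened setter turns the same input into a rejected assignment.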
> I can fix all the uses of tinyIds that I have to check for this problem
> rather than assert but it seems like this should be fixed in the engine to
> me.

any progress on either one of these options?
Flags: sec-bounty?
Naveed, this bug is dead in the water. Can you take this and get it assigned to someone to fix?
Assignee: general → nihsanullah
Whiteboard: [asan]
Flags: needinfo?(nihsanullah)
Yoink.
Assignee: nihsanullah → jwalden+bmo
Flags: needinfo?(nihsanullah)
I can't reproduce this with the attached testcase.  My suspicion is that new Worker(null), since this bug was filed, has been kneecapped, and that something else needs to be done here to make this testcase work/crash again.  I can probably puzzle something out with some guessing -- or fall back to building and testing an older build, although then I'll hit potential issues when I write a fix and need to verify it against trunk -- but someone more knowledgeable about what might have changed in how we process that first argument to the Worker constructor might be able to do it quicker.
No more crash for me either - using today's m-c ASan build as well as recent FF23 ASan build also.
Nils - do you have another test case by any chance that might help us surface this? Or verify that this issue is actually fixed?
bent, any thoughts on a Worker-side change that might have triggered comment 9?  I think I lack the time to do the archaeology myself to find the cause, if indeed that guess is at all correct.
Flags: needinfo?(bent.mozilla)
I haven't seen anything change in this code wrt tinyIds.
Flags: needinfo?(bent.mozilla)
Not wrt tinyids -- wrt |new Worker(null)| and that possibly spinning up a worker in the past, where it doesn't now (because of URL syntax-checking or similar?).
Flags: needinfo?(bent.mozilla)
Ah! Maybe bug 587251 is what you're looking for (and hey, look who filed it!).
Flags: needinfo?(bent.mozilla)
Any updates on this?
I haven't seen any of these crashes with my fuzzer in a while now ...
Jesse, can you auto-bisect using the testcase here to see when this got fixed/obscured?
Flags: needinfo?(jruderman)
Depends on: CVE-2013-5602
Seems this was fixed/obscured on May 5:

http://hg.mozilla.org/mozilla-central/rev/adaaf6641785
Bug 855971 - Switch HTMLDocument to WebIDL bindings. r=bz.

Tested using debug builds on Mac and watching for the assertion.

(This doesn't seem to match Waldo's theory.)
Flags: needinfo?(jruderman)
Note that bug 897678 has what looks like a testcase that reproduces this exact issue on trunk.
Any updates, Jeff?
Flags: needinfo?(jwalden+bmo)
I'm fairly sure bug 897678 will fix this.
Flags: needinfo?(jwalden+bmo)
Assuming wontfix for 23 and 24.

Waldo can you verify bug 897678 fixes this one? (Or pass to someone who can)
Flags: needinfo?(jwalden+bmo)
The similarity between the testcase here, and the testcase there, is enough I'm pretty confident calling this a dup.

(Technically no one can reproduce this, because this testcase broke with other changes we've made semi-recently.  If you wanted absolute, 100% proof you'd probably want to take a patch from here, apply it against a super-old build where this testcase failed, and check for bustage.  But I don't think it's worth the trouble, given the similarity of that testcase to this one.)
Flags: needinfo?(jwalden+bmo)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release