Closed Bug 847606 Opened 11 years ago Closed 11 years ago

Crash with ion, setTimeout(Array.prototype.filter)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox21 --- wontfix
firefox22 + wontfix
firefox23 + wontfix
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 24+ wontfix
b2g-v1.1hd --- wontfix

People

(Reporter: jruderman, Assigned: jandem)

Details

(4 keywords, Whiteboard: [adv-main24+])

Crash Data

Attachments

(2 files)

testcase (10000 elements)
245 bytes, text/html
Details
testcase (10 elements)
242 bytes, text/html
Details 
Testcase can cause:

* Assertion failure: hasfp(), at js/src/vm/Stack.h:1663
* Crash [@ js::ion::FastInvoke]

Security-sensitive because the testcase reminds me of bug 815010.
Attached file testcase (10 elements) 
This one requires:
  user_pref("javascript.options.ion.parallel_compilation", false);
  user_pref("javascript.options.methodjit.content", false);
So all window.setTimeout does is cause a JS_CallFunctionValue on the bound function with absolutely nothing on the stack.

Eventually we end up in array_filter which does:

  FastInvokeGuard fig(cx, ObjectValue(*callable));
....
    if (!fig.invoke(cx))

And js::ion::FastInvoke does:

  StackFrame *fp = cx->fp();

but cx doesn't have an fp on it, so that hits an assert...  Not sure where the bug is here exactly, but it sure doesn't seem to be in setTimeout stuff.
bp-15f1bc07-f564-4394-bd85-a075f2130304
Crash Signature: [@ js::ion::FastInvoke]
This case is a null deref, but could we do the same with a more dangerous bogus value?
We need js team input to sec rate this.
Keywords: sec-high
Pushing to Naveed to find an owner.
Assignee: general → nihsanullah
Assignee: nihsanullah → jdemooij
Good find! The way FastInvoke works is pretty hackish, the patch in bug 868437 will make this much nicer (it removes the cx->fp() call and a lot of code around it).

This affects all branches, but should be uncommon: FastInvoke is only used when some natives implemented in C++ (Array.prototype.filter/sort/.., String.prototype.replace, etc) call back into JS.
Status: NEW → ASSIGNED
status-firefox21: --- → affected
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox24: --- → affected
tracking-firefox22: --- → ?
tracking-firefox23: --- → ?
tracking-firefox24: --- → ?
OS: Mac OS X → All
Hardware: x86_64 → All
Does the patch in bug 868437 fix this?

Do you have another plan for branches?  ("Don't bother fixing it on branches" is one possibility.)
(In reply to Jesse Ruderman from comment #8)
> Does the patch in bug 868437 fix this?

I just downloaded mozilla-inbound builds with/without that patch. Bug 868437 indeed fixed this.

> Do you have another plan for branches?  ("Don't bother fixing it on
> branches" is one possibility.)

Yeah I don't think it's worth fixing on branches: it's a safe NULL-deref and the bug has been there since Firefox 18.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [adv-main24+]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: