Closed
Bug 847606
Opened 11 years ago
Closed 11 years ago
Crash with ion, setTimeout(Array.prototype.filter)
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla24
People
(Reporter: jruderman, Assigned: jandem)
Details
(4 keywords, Whiteboard: [adv-main24+])
Crash Data
Attachments
(2 files)
Testcase can cause: * Assertion failure: hasfp(), at js/src/vm/Stack.h:1663 * Crash [@ js::ion::FastInvoke] Security-sensitive because the testcase reminds me of bug 815010.
Reporter | ||
Comment 1•11 years ago
|
||
This one requires: user_pref("javascript.options.ion.parallel_compilation", false); user_pref("javascript.options.methodjit.content", false);
Comment 2•11 years ago
|
||
So all window.setTimeout does is cause a JS_CallFunctionValue on the bound function with absolutely nothing on the stack. Eventually we end up in array_filter which does: FastInvokeGuard fig(cx, ObjectValue(*callable)); .... if (!fig.invoke(cx)) And js::ion::FastInvoke does: StackFrame *fp = cx->fp(); but cx doesn't have an fp on it, so that hits an assert... Not sure where the bug is here exactly, but it sure doesn't seem to be in setTimeout stuff.
Reporter | ||
Comment 3•11 years ago
|
||
bp-15f1bc07-f564-4394-bd85-a075f2130304
Crash Signature: [@ js::ion::FastInvoke]
Comment 4•11 years ago
|
||
This case is a null deref, but could we do the same with a more dangerous bogus value?
Comment 5•11 years ago
|
||
We need js team input to sec rate this.
Updated•11 years ago
|
Assignee: nihsanullah → jdemooij
Assignee | ||
Comment 7•11 years ago
|
||
Good find! The way FastInvoke works is pretty hackish, the patch in bug 868437 will make this much nicer (it removes the cx->fp() call and a lot of code around it). This affects all branches, but should be uncommon: FastInvoke is only used when some natives implemented in C++ (Array.prototype.filter/sort/.., String.prototype.replace, etc) call back into JS.
Status: NEW → ASSIGNED
status-firefox21:
--- → affected
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox24:
--- → affected
tracking-firefox22:
--- → ?
tracking-firefox23:
--- → ?
tracking-firefox24:
--- → ?
OS: Mac OS X → All
Hardware: x86_64 → All
Reporter | ||
Comment 8•11 years ago
|
||
Does the patch in bug 868437 fix this? Do you have another plan for branches? ("Don't bother fixing it on branches" is one possibility.)
Updated•11 years ago
|
Assignee | ||
Comment 9•11 years ago
|
||
(In reply to Jesse Ruderman from comment #8) > Does the patch in bug 868437 fix this? I just downloaded mozilla-inbound builds with/without that patch. Bug 868437 indeed fixed this. > Do you have another plan for branches? ("Don't bother fixing it on > branches" is one possibility.) Yeah I don't think it's worth fixing on branches: it's a safe NULL-deref and the bug has been there since Firefox 18.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Target Milestone: --- → mozilla24
Updated•11 years ago
|
Updated•11 years ago
|
Whiteboard: [adv-main24+]
Updated•11 years ago
|
Updated•11 years ago
|
status-b2g-v1.1hd:
--- → wontfix
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•