Bug 866672
Opened 12 years ago
Closed 12 years ago
Crash [@ __memcpy_ssse3_rep] with invalid reads/writes out of bounds through [@ JSRope::flattenInternal]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 866611
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 05533d50f2f7 (run with --ion-eager):
test("\
var s = '';\
for (var i = 0; i < 70000; i++) {\
  s += 'function x' + s + '() { x' + i + '(); }\\n';\
}\
");
function test(code) {
  if (code.substr(-3) != "") {
    evaluate(code, { noScriptRval : true });
  }
}
Comment 1 • 12 years ago (reporter)
This could potentially be the same issue as in bug 866611 but filing this anyway because it doesn't show the assertion there and is potentially sec-critical. Valgrind shows a lot of these before the crash:
==38621== Invalid write of size 4
==38621== at 0x4BE0B1C: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==38621== by 0x82B4727: JSFlatString* JSRope::flattenInternal<(JSRope::UsingBarrier)1>(JSContext*) (string3.h:52)
==38621== by 0x82B5669: JSString* js::ConcatStrings<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType) (String.cpp:294)
==38621== by 0x7FA93FE: ???
==38621== Address 0x968d2b4 is not stack'd, malloc'd or (recently) free'd
==38621==
==38621== Invalid read of size 4
==38621== at 0x4BE0B26: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==38621== by 0x82B4727: JSFlatString* JSRope::flattenInternal<(JSRope::UsingBarrier)1>(JSContext*) (string3.h:52)
==38621== by 0x82B5669: JSString* js::ConcatStrings<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType) (String.cpp:294)
==38621== by 0x7FA93FE: ???
==38621== Address 0x96762c4 is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ __memcpy_ssse3_rep] with invalid reads/writes out of bounds through [@ JSRope::flattenInternal] → [@ __memcpy_ssse3_rep]
Keywords: csec-bounds, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Comment 2 • 12 years ago (reporter)
More reliable test which likely shows the same issue:
var fe = "v";
for (addpow = 0; addpow < 33; addpow++)
  fe += fe;
var fu = new Function(fe);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:345
345 ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S: No such file or directory.
(gdb) bt
#0 __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:345
#1 0x082b4728 in PodCopy<unsigned short> (nelem=<optimized out>, src=0x88ce708, dst=0x894e708) at /usr/include/bits/string3.h:52
#2 JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=<error reading variable: Cannot access memory at address 0x760076>, maybecx=0x88d1440) at js/src/vm/String.cpp:261
#3 0x08102fe4 in ensureLinear (cx=0x88d1440, this=<error reading variable: Cannot access memory at address 0x760076>) at ../vm/String.h:911
#4 js::Function (cx=0x88d1440, argc=1, vp=0xf7716068) at js/src/jsfun.cpp:1439
#5 0x0814699d in js::CallJSNative (cx=0x88d1440, native=0x81029b0 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at ../jscntxtinlines.h:337
#6 0x08146c2f in js::CallJSNativeConstructor (cx=<optimized out>, native=0x81029b0 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at ../jscntxtinlines.h:370
#7 0x0815c4d6 in js::InvokeConstructorKernel (cx=0x88d1440, args=...) at js/src/jsinterp.cpp:497
#8 0x0815c602 in InvokeConstructor (args=..., cx=0x88d1440) at js/src/jsinterp.h:168
#9 js::InvokeConstructor (cx=0x88d1440, fval=..., argc=1, argv=0xffffc7d4, rval=0xffffc79c) at js/src/jsinterp.cpp:529
#10 0x0868705c in js::ion::DoCallFallback (cx=0x88d1440, frame=0xffffc80c, stub=0x88e6418, argc=1, vp=0xffffc7c4, res=$jsval(-nan(0xfff8200000000))) at js/src/ion/BaselineIC.cpp:6579
#11 0xf770dd7b in ?? ()
#12 0x088e6418 in ?? ()
#13 0xf77079ad in ?? ()
(gdb) x /i $pc
=> 0xf7df879a <__memcpy_ssse3+682>: movdqa %xmm7,0x70(%edx)
(gdb) info reg edx
edx 0x8976f90 144142224
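The shape of the crash in comment 2 (a rope built by repeated self-concatenation, then a flatten step that sizes a buffer from the rope's recorded length and memcpy's the leaves into it) as an added C illustration. This is a toy rope written for this page, not SpiderMonkey's JSRope, ConcatStrings or the fix in bug 866611; the 32-bit length field, the assumed cap ROPE_MAX_LENGTH, and the wrapping concat are choices made to show the class of bug (recorded length disagreeing with what the leaves hold, then an out-of-bounds memcpy in flatten), not the exact defect the bisection points at. The 16-bit `unsigned short` characters of the real PodCopy are simplified to `char`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy rope, illustration only (not SpiderMonkey code).  A leaf owns flat
 * characters; a rope node records the combined length of two children.
 * ROPE_MAX_LENGTH is an assumed cap chosen for the demo. */
#define ROPE_MAX_LENGTH ((1u << 28) - 1)

typedef struct Str {
    uint32_t length;          /* recorded length: flatten sizes its buffer from this */
    uint64_t true_length;     /* demo bookkeeping: characters the leaves really hold */
    const char *chars;        /* non-NULL for a leaf */
    struct Str *left, *right; /* children of a rope node */
} Str;

Str *make_leaf(const char *s)
{
    Str *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->length = (uint32_t)strlen(s);
    n->true_length = n->length;
    n->chars = s;
    return n;
}

/* Concatenation with no length check: the 32-bit sum silently wraps. */
Str *concat_unchecked(Str *l, Str *r)
{
    Str *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->length = l->length + r->length;               /* wraps modulo 2^32 */
    n->true_length = l->true_length + r->true_length;
    n->left = l;
    n->right = r;
    return n;
}

/* Checked concatenation: refuse a result above the cap, so a rope's recorded
 * length always equals what its leaves hold.  NULL stands in for throwing
 * an allocation-size error to script. */
Str *concat_checked(Str *l, Str *r)
{
    if (l->length > ROPE_MAX_LENGTH - r->length)
        return NULL;
    return concat_unchecked(l, r);
}

/* The report's "fe += fe" loop: each step uses the same node as both
 * children, so 33 steps describe 2^33 characters with only 33 nodes.
 * Nodes are shared and intentionally never freed in this demo. */
Str *double_n(Str *(*concat)(Str *, Str *), const char *seed, int n)
{
    Str *s = make_leaf(seed);
    for (int i = 0; i < n && s; i++)
        s = concat(s, s);
    return s;
}

/* Copy leaves left to right into dst, never past cap.  The bounds test is the
 * guard whose absence turns a bad recorded length into an out-of-bounds
 * memcpy of exactly the kind Valgrind reports above.  Nonzero when it fires. */
static int copy_leaves(const Str *s, char *dst, size_t cap, size_t *pos)
{
    if (s->chars) {
        if (s->length > cap - *pos)
            return -1;
        memcpy(dst + *pos, s->chars, s->length);
        *pos += s->length;
        return 0;
    }
    if (copy_leaves(s->left, dst, cap, pos) != 0)
        return -1;
    return copy_leaves(s->right, dst, cap, pos);
}

/* Flatten: allocate from the recorded length, then copy the leaves.  Returns a
 * NUL-terminated buffer, or NULL when the leaves do not fit that length. */
char *flatten(const Str *s)
{
    char *buf = malloc((size_t)s->length + 1);
    size_t pos = 0;
    if (!buf) return NULL;
    if (copy_leaves(s, buf, s->length, &pos) != 0 || pos != s->length) {
        free(buf);
        return NULL;
    }
    buf[pos] = '\0';
    return buf;
}

int main(void)
{
    Str *wrapped = double_n(concat_unchecked, "v", 33);
    printf("unchecked: recorded length %u, leaves hold %llu chars, flatten %s\n",
           wrapped->length, (unsigned long long)wrapped->true_length,
           flatten(wrapped) ? "succeeded" : "refused");
    printf("checked: rope of 2^33 chars %s\n",
           double_n(concat_checked, "v", 33) ? "built" : "rejected");
    char *flat = flatten(double_n(concat_checked, "ab", 3));
    printf("small checked rope flattens to \"%s\"\n", flat);
    free(flat);
    return 0;
}
```

With the seed "v" and 33 doublings the unchecked rope records a length of 0 while its leaves hold 2^33 characters, so `flatten` would allocate one byte and, without the guard in `copy_leaves`, run memcpy past it. The guard only catches the mismatch once the copy reaches the end of the buffer (for a rope whose wrapped length is still large, that is after a large allocation and a large copy), which is why the real defence is `concat_checked`: refuse to create a rope whose recorded length can disagree with its contents, rather than discover the disagreement inside flatten.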
Comment 3 • 12 years ago
Can't reproduce either testcase with the fix of bug 866611 applied.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated • 12 years ago (reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4 • 12 years ago (reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 130142:3b7a2cbccaaa
user: Jan de Mooij
date: Fri Apr 26 14:08:54 2013 +0200
summary: Bug 863018 part 2 - Add JSShortString path back to ConcatStrings and LConcat. r=luke
This iteration took 126.827 seconds to run.
Updated • 10 years ago
Group: core-security