Closed Bug 877219 Opened 12 years ago Closed 12 years ago

Crash [@ defaultValue] with ParallelArray and use-after-free

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 875957

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature
1.02 KB, text/plain
Details
The following testcase crashes on mozilla-central revision e58336e81395 (run with --ion-eager): function mk() {} var p = new ParallelArray([0,0,0,0], mk); p.get(mk, "")
Crash trace: Program received signal SIGSEGV, Segmentation fault. 0x00000000009056cb in defaultValue (vp=..., obj=..., cx=0x185c720, hint=JSTYPE_NUMBER) at ../jsobjinlines.h:64 64 JSConvertOp op = obj->getClass()->convert; #0 0x00000000009056cb in defaultValue (vp=..., obj=..., cx=0x185c720, hint=JSTYPE_NUMBER) at ../jsobjinlines.h:64 #1 ToPrimitive (vp=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), cx=0x185c720, preferredType=<optimized out>) at ../jsobjinlines.h:1458 #2 GreaterThanOrEqualOperation (res=<synthetic pointer>, rhs=$jsval(0), lhs=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), cx=0x185c720) at ../jsinterpinlines.h:1017 #3 js::ion::GreaterThanOrEqual (cx=0x185c720, lhs=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), rhs=$jsval(0), res=0x7fffffffc8cc) at js/src/ion/VMFunctions.cpp:205 #4 0x00007ffff7f94eb4 in ?? () #5 0x00007ffff5f3de80 in ?? () #6 0x00007fffffffc8cc in ?? () #7 0x0000000000000302 in ?? () rax 0xdada0000 -2676586395008892928 => 0x9056cb <js::ion::GreaterThanOrEqual(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, int*)+523>: mov 0x40(%rax),%rax Shows use-after-free (0xdada pattern), marking sec-critical.
Keywords: csec-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 132612:b2216a10f95b user: Shu-yu Guo date: Tue May 21 23:52:45 2013 -0700 summary: Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj) This iteration took 0.962 seconds to run.
Needinfo from shu based on comment 3 :)
Flags: needinfo?(shu)
Okay, this is caused by me not passing correct type info for the rest args array. This is fixed in 875957.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: