Bug 880228 (Closed) - Assertion failure: (ptrBits & 0x7) == 0, at ./dist/include/js/Value.h:703 or Crash [@ GetValueType] or Crash [@ operator->]
Opened 11 years ago, closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED

Branch | Tracking | Status
---|---|---
firefox23 | --- | unaffected
firefox24 | + | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected

People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): 2.09 KB, text/plain
The following testcase asserts on mozilla-central revision 204de5b7e0a6 (run with --ion-eager):

o = 9;
Object.prototype.__proto__=null
evaluate('\
var o = {\
  "" : 2\
};\
var o = 430717;\
o.x = 4;\
', { noScriptRval : true } );
Comment 1•11 years ago (Reporter)

Comment 2•11 years ago (Reporter)

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:201
201         return Type::ObjectType(&val.toObject());
#0  GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:201
#1  GetValueType (val=..., cx=<optimized out>) at js/src/jsinfer.cpp:5713
#2  js::types::TypeMonitorResult (cx=0x1624520, script=0x7ffff5e511c0, pc=0x1642da1 "\232", rval=...) at js/src/jsinfer.cpp:5729
#3  0x000000000068be8d in Monitor (rval=..., pc=0x1642da1 "\232", script=<optimized out>, cx=0x1624520) at ../jsinferinlines.h:965
#4  js::ion::DoGetNameFallback (cx=0x1624520, frame=<optimized out>, stub=0x16371a0, scopeChain=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, res=$jsval((JSObject *) 0x7fff0006927d Cannot access memory at address 0x7fff0006927d)) at js/src/ion/BaselineIC.cpp:4915
#5  0x00007ffff7f97ea2 in ?? ()
#6  0x0000000000000000 in ?? ()
r13            0x6927d  140733193818749
=> 0x577ae8 <js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+200>:       mov    0x8(%r13),%rdx

In the original crash, the crashing function was operator-> so I assume we're operating on a corrupted object. If this object can be controlled, then it's likely sec-critical.
Crash Signature: [@ operator->] [@ GetValueType]
Keywords: crash, sec-critical
Whiteboard: [jsbugmon:update,bisect]

Comment 3•11 years ago
It would be good to get a bisect so we can know how far back this goes.
status-firefox24: --- → affected
tracking-firefox24: --- → +

Updated•11 years ago (Reporter)

Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4•11 years ago (Reporter)

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/e1bca8b56470
user:        Jan de Mooij
date:        Fri May 24 14:03:31 2013 +0200
summary:     Bug 868431 - Disable Ion when Baseline is disabled, remove bailout-to-interpreter code. r=djvj

This iteration took 11.611 seconds to run.
Comment 5•11 years ago (Reporter)
Needinfo from Jan based on comment 4.
Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Flags: needinfo?(jdemooij)
Updated•11 years ago

status-firefox23: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated•11 years ago (Reporter)

Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6•11 years ago (Reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d79910d9e251).
Updated•11 years ago

Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Updated•11 years ago (Reporter)

Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Comment 7•11 years ago (Reporter)

JSBugMon: The testcase found in this bug no longer reproduces (tried revision d79910d9e251).

JSBugMon: Fix Bisection requested, result:
Due to skipped revisions, the first good revision could be any of:

changeset:   http://hg.mozilla.org/mozilla-central/rev/b6652771e70f
user:        Chris Peterson
date:        Mon Jun 10 11:24:27 2013 -0700
summary:     Back out changeset 12cdc8931e48 (Bug 857730) to remove Android Contacts permission.

changeset:   http://hg.mozilla.org/mozilla-central/rev/7ecbdd658637
user:        Shu-yu Guo
date:        Mon Jun 10 12:10:13 2013 -0700
summary:     Bug 879723 - Make sure property types reflect inherited types from the prototype when specializing a setgname. (r=bhackett)

This iteration took 325.274 seconds to run.
Updated•11 years ago

Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Comment 8•11 years ago
Shu-yu, is bug 879723 a possible fix?
Flags: needinfo?(jdemooij) → needinfo?(shu)
Comment 9•11 years ago

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #8)
> Shu-yu, is bug 879723 a possible fix?

The test case looks like it might be triggering the same path I described in bug 879723, so it's possible that my patch fixed it.

1) Setting a global var to be one type
2) Mess with __proto__ to mark the global prototype to be marked unknownProperties
3) Ion eager causes us to specialize on the wrong typeset since we weren't propagating unknownProperties in compiling JSOP_SETGNAME
4) Set the same global var to be another type; Ion doesn't store the type tag
5) Crash sometime later
Flags: needinfo?(shu)
Comment 10•11 years ago
s/to mark/to cause
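Added example (not part of the bug report or of SpiderMonkey): a small triage script that applies the check behind the assertion in the bug title to the gdb output in comment 2 and to the integer literals in the testcase from the description. The constant `ALIGN_MASK`, the function names and the regular expressions are assumptions of this example; the trace lines and the testcase body are copied from the page and embedded inline so the script runs offline. On 64-bit builds the object payload of a JS::Value is an 8-byte aligned pointer, which is what `(ptrBits & 0x7) == 0` asserts, so a faulting "object pointer" with non-zero low bits is the first sign of a mistyped Value. When the low 32 bits of that pointer equal an integer literal from the testcase (430717 is 0x6927d), the evidence is consistent with the mechanism in comment 9: an int32 stored without its type tag and later read back as an object.

```python
import re

# Constructed input: the lines of the gdb trace from comment 2 that the
# checks below need, copied from the bug and embedded so this runs offline.
GDB_TRACE = r"""
#4  js::ion::DoGetNameFallback (cx=0x1624520, frame=<optimized out>, stub=0x16371a0, scopeChain=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, res=$jsval((JSObject *) 0x7fff0006927d Cannot access memory at address 0x7fff0006927d)) at js/src/ion/BaselineIC.cpp:4915
r13            0x6927d  140733193818749
=> 0x577ae8 <js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+200>:       mov    0x8(%r13),%rdx
"""

# The testcase body from the description (the string passed to evaluate()).
TESTCASE = """
var o = {
  "" : 2
};
var o = 430717;
o.x = 4;
"""

# On 64-bit SpiderMonkey an object payload is an 8-byte aligned pointer; the
# assertion in the bug title, (ptrBits & 0x7) == 0, enforces exactly that.
ALIGN_MASK = 0x7


def faulting_pointer(trace):
    """Pointer gdb reported it could not dereference, or None."""
    m = re.search(r"Cannot access memory at address (0x[0-9a-fA-F]+)", trace)
    return int(m.group(1), 16) if m else None


def register_value(trace, reg):
    """Value of register `reg` from a gdb 'info registers' style line, or None."""
    m = re.search(rf"^{re.escape(reg)}\s+(0x[0-9a-fA-F]+)", trace, re.M)
    return int(m.group(1), 16) if m else None


def is_aligned_object_pointer(bits):
    """Mirror the Value.h assertion: a valid object payload has zero low bits."""
    return (bits & ALIGN_MASK) == 0


def integer_literals(js_source):
    """Decimal integer literals in the testcase (a heuristic, sufficient here)."""
    return {int(n) for n in re.findall(r"\b\d+\b", js_source)}


def literal_in_low_bits(bits, literals, width=32):
    """If the low `width` bits of a bad pointer equal a testcase literal, return
    that literal: an int32 payload stored without its tag and read back as a
    pointer looks exactly like this."""
    low = bits & ((1 << width) - 1)
    return low if low in literals else None


def triage(trace, js_source):
    """Summarize the evidence for a tag-less Value being treated as an object."""
    ptr = faulting_pointer(trace)
    r13 = register_value(trace, "r13")
    lits = integer_literals(js_source)
    return {
        "faulting_pointer": ptr,
        "aligned": is_aligned_object_pointer(ptr) if ptr is not None else None,
        "literal_in_pointer": literal_in_low_bits(ptr, lits) if ptr is not None else None,
        "r13": r13,
        "r13_is_literal": r13 if r13 in lits else None,
    }


if __name__ == "__main__":
    for key, value in triage(GDB_TRACE, TESTCASE).items():
        shown = hex(value) if key in ("faulting_pointer", "r13") and value is not None else value
        print(f"{key}: {shown}")
```

Run as-is it reports the faulting pointer 0x7fff0006927d as misaligned and finds 430717 both in its low 32 bits and in r13, the register the faulting `mov 0x8(%r13),%rdx` dereferences. The same two checks (alignment of the payload, payload equal to an attacker-chosen literal) are what distinguish a plain null dereference from a type confusion when triaging fuzzer crashes against a tagged-value engine.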
Comment 11•11 years ago
Assuming fixed by bug 879723, as per comment 9.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Updated•11 years ago (Reporter)
Status: RESOLVED → VERIFIED
Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
Comment 12•11 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
Blocks: 868431
Crash Signature: [@ operator->] [@ GetValueType] → [@ operator->] [@ GetValueType]
status-b2g18: --- → unaffected
Keywords: regression
Updated•10 years ago
Group: core-security