Closed Bug 881470 Opened 6 years ago Closed 6 years ago

Crash [@ JSRuntime::needsBarrier] or [@ js::EncapsulatedValue::runtime]

Categories

(Core :: JavaScript Engine, defect, critical)

Hardware: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla24
Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 --- unaffected
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected
b2g-v1.1hd --- unaffected

People

(Reporter: gkw, Assigned: h4writer)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:update,testComment=3])

Attachments

(3 files)

Attached file stack
s = newGlobal()
try {
    evalcx("\
        Object.defineProperty(this,\"x\",{ \
            get: function() {\
                y[15] = y;\
                x \
            }\
        });\
        y = [];\
        Array(x);\
    ", s)
} catch (e) {}
try {
    evalcx("\
        y = [];\
        x, {};\
    ", s)
} catch (e) {}
evalcx("\
    Array.prototype.shift.call(y); \
", s)

crashes js debug shell on m-c changeset 9115d8b717e1 without any CLI arguments at JSRuntime::needsBarrier
Crash Signature: [@ JSRuntime::needsBarrier] → [@ JSRuntime::needsBarrier()]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/3835cbed5915
user:        Nicolas B. Pierron
date:        Fri May 24 14:58:08 2013 -0700
summary:     Bug 774006 - IonMonkey: Implement SetElementIC for integer indexes. r=h4writer


Setting needinfo from Hannes since Nicolas is away on PTO, but feel free to forward this on.
Blocks: 774006
Flags: needinfo?(hv1989)
Group: core-security
Attached file Opt shell crash stack
try {
    Object.defineProperty(this, "y", {
        get: function() {
            x[7] = x;
            y
        }
    });
    x = RegExp().exec();
    y;
} catch (e) {}
try {
    y
} catch (e) {};
try {
    y
} catch (e) {};
x.t = 2;
y;

crashes js opt shell (no need for threadsafe nor --enable-more-deterministic) on m-c rev 291207393608 at js::EncapsulatedValue::runtime, turning s-s just in case.
The testcase in comment 3 also points to bug 774006.
Crash Signature: [@ JSRuntime::needsBarrier()] → [@ JSRuntime::needsBarrier()] [@ js::EncapsulatedValue::runtime]
Summary: Crash [@ JSRuntime::needsBarrier] → Crash [@ JSRuntime::needsBarrier] or [@ js::EncapsulatedValue::runtime]
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=3]
Attached patch: Possible patch?
I cannot reproduce this bug locally. Either testcase on the tested revision, 64-bit/32-bit/safebuild/enable-deterministic, w/wo ion-eager.

So this is actually just a guess. Could you test if this solves the problem?
Attachment #761382 - Flags: feedback?(gary)
Flags: needinfo?(hv1989)
sounds kind of bad...
Keywords: sec-high
Comment on attachment 761382 [details] [diff] [review]
Possible patch?

(In reply to Hannes Verschore [:h4writer] from comment #5)
> Created attachment 761382 [details] [diff] [review]
> Possible patch?
> 
> I cannot reproduce this bug locally. Either testcase on the tested revision,
> 64-bit/32-bit/safebuild/enable-deterministic, w/wo ion-eager.
> 
> So this is actually just a guess. Could you test if this solves the problem?

I tested this on Mac 10.8.4, and yes, this patch does fix the issue on rev b51316b2af6c.
Attachment #761382 - Flags: feedback?(gary) → feedback+
Attachment #761382 - Flags: review?(jdemooij)
Comment on attachment 761382 [details] [diff] [review]
Possible patch?

Review of attachment 761382 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch.
Attachment #761382 - Flags: review?(jdemooij) → review+
Assignee: general → hv1989
Status: NEW → ASSIGNED
I'm restarting a round of fuzzing after whole-day breakage, so I've landed this too (since this fixes bug 879096 as well):

https://hg.mozilla.org/integration/mozilla-inbound/rev/5efe6470e752

I'll drop a note to Hannes.
https://hg.mozilla.org/mozilla-central/rev/5efe6470e752
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Status: RESOLVED → VERIFIED
Crash Signature: [@ JSRuntime::needsBarrier()] [@ js::EncapsulatedValue::runtime] → [@ JSRuntime::needsBarrier()] [@ js::EncapsulatedValue::runtime]
JSBugMon: This bug has been automatically verified fixed.
Blocks: 887813
Group: core-security