Closed Bug 906016 Opened 11 years ago Closed 11 years ago

Crash [@ js::EncapsulatedPtr::operator->] with ParallelArray and Proxy

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 905396

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, csectype-wildptr, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1ed5a88cd4d0 (threadsafe build, run with --fuzzing-safe):


var lfcode = new Array();
lfcode.push("4");
lfcode.push("\
function Test262Error(message) {}\
function getPrecision(num) {}\
    var findNearestDateBefore = function(start) {\
        new Date(2000, 5, 20, 0, 0, 0, 0), function (date) {};\
        for (var step = 2592000000; step > 0; step = Math.floor(step / 3)) {}\
    };\
    findNearestDateBefore()();\
    function Day(t) {}\
");
lfcode.push("ParallelArray((100), Proxy.createFunction(function(){}, function(){}))");
while (true) {
    var file = lfcode.shift();
    if (file == undefined) { break; }
    loadFile(file);
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                default: eval("(function() { " + lfVarx + " })();"); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        }
    } catch (lfVare) {}
}
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004264ce in js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator-> (this=0x73696f5073492108) at ../../gc/Barrier.h:175
175         T *operator->() const { return value; }
#0  0x00000000004264ce in js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator-> (this=0x73696f5073492108) at ../../gc/Barrier.h:175
#1  0x00000000004107ac in js::ObjectImpl::getClass (this=0x73696f5073492100) at ../../vm/ObjectImpl.h:1247
#2  0x0000000000801832 in JSObject::is<js::ScriptSourceObject> (this=(const JSObject * const) 0x73696f5073492100 Cannot access memory at address 0x73696f5073492100) at js/src/jsobj.h:990
#3  0x00000000007fe788 in JSObject::as<js::ScriptSourceObject> (this=(JSObject * const) 0x73696f5073492100 Cannot access memory at address 0x73696f5073492100) at js/src/jsobj.h:994
#4  0x00000000007f1e76 in JSScript::sourceObject (this=0xdceb38) at js/src/jsscript.cpp:809
#5  0x000000000041139e in JSScript::scriptSource (this=0xdceb38) at ../../jsscript.h:772
#6  0x00000000004113c0 in JSScript::filename (this=0xdceb38) at ../../jsscript.h:774
#7  0x0000000000a3c05f in js::ion::CallToUncompiledScriptPar (func=(JSFunction *) 0x7ffff5571040 [object Proxy]) at js/src/jit/ParallelFunctions.cpp:527
rax     0x73492108      8316300578238570760
rip     0x4264ce <js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->() const+12>
=> 0x4264ce <js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->() const+12>: mov    (%rax),%rax


This doesn't look good at all, in particular the bogus js::ObjectImpl pointer being accessed here. Marking sec-critical based on that.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
I think they are the same, based on the stack trace. I cannot reproduce locally. Also, this happens only during spewing that we will bail out, removing everything that could have gone bad. So I'll open this and set it as a duplicate of bug 905396.
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: sec-critical
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
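
Added illustration, not code from this bug, from SpiderMonkey, or from either commenter: a self-contained C++ model of the failure pattern the stack trace above shows. Frame #7 receives a func that is really a Proxy, and frames #6 down to #0 read the script, its source object and its type object through that mismatched pointer only to print a filename in a bailout spew. The names Object, Function, ProxyObject, Clasp, Script and the calleeLocation* functions are hypothetical and do not match the engine's real layout; the checked version shows the class check and the lazy-script check such a diagnostic path needs before it touches kind-specific slots.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Hypothetical object model (not SpiderMonkey's). Each object carries a class
// tag; only Function objects own a Script, and a lazy Function has none yet.
enum class Clasp : uint8_t { Function, Proxy };

struct Object {
    Clasp clasp;
    explicit Object(Clasp c) : clasp(c) {}
};

struct Script {
    std::string filename;
    unsigned lineno;
};

struct Function : Object {
    Script* script;  // nullptr while the function is still lazy
    explicit Function(Script* s) : Object(Clasp::Function), script(s) {}
};

struct ProxyObject : Object {
    const void* handler;  // occupies the slot a Function uses for its script
    explicit ProxyObject(const void* h) : Object(Clasp::Proxy), handler(h) {}
};

// Unchecked diagnostic: mirrors a spew path that takes a "function" pointer on
// trust. When the callee is actually a ProxyObject, the downcast is wrong and
// the read of ->script goes through whatever the proxy stored in that slot.
// Never call this on a non-Function; it is here only to show the pattern.
std::string calleeLocationUnchecked(Object* callee) {
    Function* fn = static_cast<Function*>(callee);  // no class check
    return fn->script->filename + ":" + std::to_string(fn->script->lineno);
}

// Checked diagnostic: confirm the class tag and the presence of a script
// before dereferencing anything kind-specific. A spew routine must tolerate
// every callable kind it can be handed, since it runs on the error path.
std::string calleeLocationChecked(Object* callee) {
    if (callee == nullptr) return "<null callee>";
    if (callee->clasp != Clasp::Function) return "<non-function callee>";
    Function* fn = static_cast<Function*>(callee);
    if (fn->script == nullptr) return "<lazy function>";
    return fn->script->filename + ":" + std::to_string(fn->script->lineno);
}

// Constructed sample objects (not from the bug): one compiled function, one
// lazy function and one proxy whose handler slot points at an unrelated int.
Script gSampleScript{"sample.js", 42};
Function gSampleFn(&gSampleScript);
Function gLazyFn(nullptr);
int gHandlerStub = 0;
ProxyObject gSampleProxy(&gHandlerStub);

int main() {
    // Only the checked path is exercised on the proxy; the unchecked path on
    // the same object is exactly the wild read the crash trace shows.
    std::cout << calleeLocationChecked(&gSampleFn) << "\n";     // sample.js:42
    std::cout << calleeLocationChecked(&gLazyFn) << "\n";       // <lazy function>
    std::cout << calleeLocationChecked(&gSampleProxy) << "\n";  // <non-function callee>
    std::cout << calleeLocationUnchecked(&gSampleFn) << "\n";   // sample.js:42
    return 0;
}
```

The point of the checked version is that the class test happens before the downcast, and the null test before the script is read: either check alone would still leave one of the two bad inputs (a proxy, a lazy function) reaching a dereference on the diagnostic path.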