Closed Bug 913716 Opened 6 years ago Closed 6 years ago

Crash [@ js::EncapsulatedPtr] or [@ js::jit::SetPropertyIC::update]

Product/Component: Core :: JavaScript Engine
Type: defect
Severity: critical
Platform: x86_64 macOS
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla26
Reporter: gkw
Assignee: efaust
Blocks: 1 open bug
Keywords: 4 keywords
Whiteboard: [jsbugmon:update]
Attachments: 4 files

Attached file debug and opt stacks
g = __defineGetter__("x", Iterator.prototype.iterator);
c = x;
delete x;
Object.defineProperty(c, "x", ({
    set: undefined
}));
((function() {
    x = "";
    (arguments.callee)()
}))()

Crashes js opt and debug shells on m-c changeset df8f342e9a6b without any CLI arguments at js::EncapsulatedPtr.

My opt configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh /Users/mozillaadmin/Desktop/js-opt-64-dm-ts-darwin-mozilla-central-145747-df8f342e9a6b-PHKxZv/compilePath/js/src/configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

My debug configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh /Users/mozillaadmin/Desktop/js-dbg-64-dm-ts-darwin-mozilla-central-145747-df8f342e9a6b-mhDfBN/compilePath/js/src/configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c1ccfd8f31bf
user:        Eric Faust
date:        Fri Aug 30 18:50:36 2013 -0700
summary:     Bug 824393 - Part 0: Open SetPropertyIC to cases with uncertain TI. (r=bhackett)

This looks like a recursive buffer overflow, but I'm setting s-s to be safe. Eric, is bug 824393 a likely regressor?
Flags: needinfo?(efaustbmo)
y = this;
Object.defineProperty(__proto__, "set", ({}));
valueOf = (function(j) {
    x = String;
});
Object.defineProperty(this, "x", {});
y + this

Also crashes [@ js::EncapsulatedPtr].
Sometimes js::jit::SetPropertyIC::update appears at the top of the stack instead.
Crash Signature: [@ js::EncapsulatedPtr] → [@ js::EncapsulatedPtr] [@ js::jit::SetPropertyIC::update]
Summary: Crash [@ js::EncapsulatedPtr] → Crash [@ js::EncapsulatedPtr] or [@ js::jit::SetPropertyIC::update]
Attached patch Fix
shape->setterObject() is NULL if |set| was defined as |undefined|. Add a check for this case.

This shouldn't be an exploitable crash, just a NULL deref.
Assignee: general → efaustbmo
Status: NEW → ASSIGNED
Attachment #801055 - Flags: review?(kvijayan)
Flags: needinfo?(efaustbmo)
Keywords: csec-dos
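The mechanism described in the fix comment above, as an added illustration that is not part of the bug's own patch or of SpiderMonkey: a property defined with `{set: undefined}` is still an accessor property, but its shape carries no setter object, so an IC update path that assumes "accessor implies setter object" dereferences null. The names below (JSObject, PropDesc, Shape, defineProperty, updateBuggy, updateFixed) are hypothetical stand-ins that model the behaviour, not the engine's real types.

```cpp
// Added model of the bug, not SpiderMonkey source. All names here are
// hypothetical stand-ins for the engine's real types and functions.
struct JSObject {
    int setterCalls = 0;
};

// A property descriptor as passed to Object.defineProperty. `hasSet` is true
// when a |set| key was present; `setter` is null when its value was undefined.
struct PropDesc {
    bool hasSet = false;
    JSObject* setter = nullptr;
};

// Shape: records that the property is accessor-like and, if a setter object
// exists, points at it. setterObject() is null for |set: undefined|.
struct Shape {
    bool isAccessor = false;
    JSObject* setter = nullptr;
    JSObject* setterObject() const { return setter; }
};

// Modeled defineProperty: {set: undefined} still produces an accessor shape,
// just one whose setter object is null.
Shape defineProperty(const PropDesc& desc) {
    Shape s;
    s.isAccessor = desc.hasSet;
    s.setter = desc.setter;
    return s;
}

enum class Attach { Skipped, AttachedSetterCall, NotAccessor };

// Buggy IC update: trusts that an accessor shape has a setter object and
// dereferences it unconditionally. With the {set: undefined} shape this is
// the null dereference the bug reports; do not call it with such a shape.
Attach updateBuggy(const Shape& shape) {
    if (!shape.isAccessor) return Attach::NotAccessor;
    JSObject* setter = shape.setterObject();
    setter->setterCalls++;           // crashes when setter == nullptr
    return Attach::AttachedSetterCall;
}

// Fixed IC update: the added null check refuses to attach a setter-call stub
// when there is nothing to call, leaving the generic path to handle the store.
Attach updateFixed(const Shape& shape) {
    if (!shape.isAccessor) return Attach::NotAccessor;
    JSObject* setter = shape.setterObject();
    if (!setter) return Attach::Skipped;   // the check the patch adds
    setter->setterCalls++;
    return Attach::AttachedSetterCall;
}

int main() {
    JSObject realSetter;
    Shape withSetter = defineProperty({true, &realSetter});
    Shape undefinedSetter = defineProperty({true, nullptr});
    updateBuggy(withSetter);       // fine: a real setter object exists
    updateFixed(undefinedSetter);  // Skipped; updateBuggy here would crash
    return 0;
}
```

The model reproduces why the crash is a plain null dereference rather than memory corruption: the only thing missing is the object pointer, and every path that reads through it faults at address zero, which is why the report was opened up as csec-dos.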
Amazingly, I found the stack for the situation that I was referring to in comment 2.
Also, efaust says this should be safe to open up, as it's "just a null-deref, even in optimized builds."
Group: core-security
Attachment #801055 - Flags: review?(kvijayan) → review+
Duplicate of this bug: 914586
https://hg.mozilla.org/mozilla-central/rev/a512b89b44eb
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26