Bug 930974 (Closed)
Opened 11 years ago, closed 11 years ago

Assertion failure: args[0].isObject(), at builtin/TypedObject.cpp:2401 or Crash [@ js::ObjectIsTypedHandle]

Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla28

Branch | Tracking | Status
---|---|---
firefox26 | --- | disabled
firefox27 | --- | disabled
firefox28 | + | fixed
firefox-esr17 | --- | unaffected
firefox-esr24 | --- | disabled
b2g18 | --- | unaffected
b2g-v1.1hd | --- | unaffected
b2g-v1.2 | --- | disabled

People: Reporter: decoder, Assigned: nmatsakis
Details: 5 keywords, Whiteboard: [jsbugmon:update]

Attachments (2 files, 2 obsolete files):
- patch, 2.34 KB, review+ from till
- text/plain, 886 bytes

Description
The following testcase asserts on mozilla-central revision 5a9ac6fed6ff (run with --fuzzing-safe):

```js
var T = TypedObject;
var Point = new T.ArrayType(T.float32, 3);
var Line = new T.StructType({from: Point, to: Point});
var Lines = new T.ArrayType(Line, 3);
var lines = new Lines([
  {from: [1, 2, 3], to: [4, 5, 6]},
  {from: [7, 8, 9], to: [10, 11, 12]},
  {from: [13, 14, 15], to: [16, 17, 18]}
]);
T.Handle.move();
```
Comment 1 (Reporter, 11 years ago)

Comment 2 (Reporter, 11 years ago)
Attachment #822274 - Attachment is obsolete: true

Comment 3 (Reporter, 11 years ago)
Calling this sec-critical now because passing in an address as the first parameter to move causes that to be used in a class pointer (I don't know how you manage to do that^^):

```js
var T = TypedObject;
var Point = new T.ArrayType(T.float32, 3);
var Line = new T.StructType({from: Point, to: Point});
var Lines = new T.ArrayType(Line, 3);
function runTests() { }
var lines = new Lines([
  {from: [1, 2, 3], to: [4, 5, 6]},
  {from: [7, 8, 9], to: [10, 11, 12]},
  {from: [13, 14, 15], to: [16, 17, 18]}
]);
var handle = 0xbeef;
T.Handle.move(handle);
```

```text
Program received signal SIGSEGV, Segmentation fault.
getClass (this=0xbeef) at ../vm/ObjectImpl.h:987
987         return type_->clasp;
(gdb) bt 8
#0  getClass (this=0xbeef) at ../vm/ObjectImpl.h:987
#1  is<js::TypedHandle> (this=0xbeef) at ../jsobj.h:1152
#2  js::ObjectIsTypedHandle (argc=1, vp=0xffffbd48) at /srv/repos/mozilla-central/js/src/builtin/TypedObject.cpp:2366
#3  0x081dda86 in CallJSNative (args=..., native=0x81fbe60 <JSNativeThreadSafeWrapper<&js::ObjectIsTypedHandle>(JSContext*, unsigned int, JS::Value*)>, cx=0x9083850) at ../jscntxtinlines.h:220
#4  js::Invoke (cx=0x9083850, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/vm/Interpreter.cpp:462
#5  0x081de31d in js::Invoke (cx=0x9083850, thisv=..., fval=..., argc=1, argv=0xffffbfac, rval=...) at /srv/repos/mozilla-central/js/src/vm/Interpreter.cpp:512
#6  0x082a80f1 in js::jit::DoCallFallback (cx=0x9083850, frame=0xffffbfdc, stub=0x9124c00, argc=1, vp=0xffffbf9c, res=...) at /srv/repos/mozilla-central/js/src/jit/BaselineIC.cpp:7672
#7  0xf7a87a8d in ?? ()
(More stack frames follow...)
(gdb) x /i $pc
=> 0x8473503 <js::ObjectIsTypedHandle(js::ThreadSafeContext*, unsigned int, JS::Value*)+19>:    mov    0x4(%edx),%ecx
(gdb) info reg edx
edx            0xbeef   48879
```
Group: core-security
Keywords: csec-wildptr, sec-critical
Comment 4 (Assignee, 11 years ago)
The naming convention `ObjectIsFoo` was SUPPOSED to make me remember to call `IsObject` first. Didn't work 100%.
Attachment #826698 - Flags: review?
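A minimal model of the contract comment 4 describes, added here as an illustration and not SpiderMonkey's code (all names are hypothetical and the value layout is simplified): an `ObjectIs*` intrinsic trusts that its argument is already an object, so the `IsObject` test has to happen in the caller before the intrinsic reads a class pointer.

```cpp
// Added illustration, not SpiderMonkey code: a tagged JS value and the
// "ObjectIs*" intrinsic convention from comment 4, with hypothetical names.
// The real intrinsic asserts isObject() only in debug builds; in a release
// build a number such as 0xbeef is reinterpreted as an object pointer.
#include <cstdint>

struct Class { const char *name; };
struct Object { const Class *clasp; };   // stands in for type_->clasp
static const Class TypedHandleClass{"TypedHandle"};
static const Class PlainObjectClass{"Object"};

// Tagged value: either an object pointer or a raw number payload.
struct Value {
    enum Tag { OBJECT, NUMBER } tag;
    uintptr_t payload;
    bool isObject() const { return tag == OBJECT; }
    Object *toObject() const { return reinterpret_cast<Object *>(payload); }
};
static Value ObjectValue(Object &o) {
    return Value{Value::OBJECT, reinterpret_cast<uintptr_t>(&o)};
}
static Value NumberValue(uintptr_t n) { return Value{Value::NUMBER, n}; }

// The "ObjectIs" prefix is a contract: the caller has already checked that
// the argument is an object. Given NumberValue(0xbeef) this would read
// through address 0xbeef, which is the class-pointer load in the gdb session.
static bool ObjectIsTypedHandle(const Value &arg) {
    return arg.toObject()->clasp == &TypedHandleClass;
}

// Guarded caller: test IsObject first so a number never reaches the
// intrinsic. At the engine's Handle.move entry point this would throw a
// TypeError instead of returning false.
static bool IsObject(const Value &v) { return v.isObject(); }
static bool HandleMoveAccepts(const Value &arg) {
    if (!IsObject(arg))
        return false;
    return ObjectIsTypedHandle(arg);
}

// Exercises the three argument kinds; returns how many behaved as intended.
static int demo() {
    Object handle{&TypedHandleClass}, plain{&PlainObjectClass};
    int ok = 0;
    ok += HandleMoveAccepts(ObjectValue(handle)) ? 1 : 0;
    ok += HandleMoveAccepts(ObjectValue(plain)) ? 0 : 1;
    ok += HandleMoveAccepts(NumberValue(0xbeef)) ? 0 : 1;   // rejected, no deref
    return ok;
}
```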
Comment 5 (Reporter, 11 years ago)
Attachment #823281 - Attachment is obsolete: true
Updated (Assignee, 11 years ago)
Attachment #826698 - Flags: review? → review?(till)
Updated (Reporter, 11 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 6 (Reporter, 11 years ago)
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/35a83682c173
user: Nicholas D. Matsakis
date: Wed Sep 11 16:24:23 2013 -0400
summary: Bug 898342 - Implement movable handles for Typed Objects r=till

This iteration took 428.270 seconds to run.
Comment 7 (11 years ago)
Comment on attachment 826698, Bug930974.diff
Review of attachment 826698:

Oh, yes. Sorry this slipped through the review.
Attachment #826698 - Flags: review?(till) → review+
Updated (11 years ago)
Assignee: general → nmatsakis
status-b2g18: --- → unaffected
status-firefox26: --- → disabled
status-firefox27: --- → disabled
status-firefox28: --- → affected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → disabled
Updated (11 years ago)
tracking-firefox28: --- → +
Comment 10 (Assignee, 11 years ago)
Try run: https://tbpl.mozilla.org/?tree=Try&rev=e457606d58cb (Contains patches for bug 898359, bug 926401, and bug 930974)
Comment 11 (Assignee, 11 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/28ed31db6d98
Comment 12 (11 years ago)
https://hg.mozilla.org/mozilla-central/rev/28ed31db6d98
Status: NEW → RESOLVED
Closed: 11 years ago
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → disabled
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated (Reporter, 11 years ago)
Status: RESOLVED → VERIFIED
Comment 13 (Reporter, 11 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated (9 years ago)
Group: core-security