Closed
Bug 976530
Opened 11 years ago
Closed 11 years ago
Crash on Heap through [@ js::SizedTypeRepresentation::initInstance] with TypedObject
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla30
Tracking | Status | |
---|---|---|
firefox29 | --- | disabled |
firefox30 | --- | verified |
firefox-esr24 | --- | unaffected |
People
(Reporter: decoder, Assigned: nmatsakis)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(3 files, 1 obsolete file)
The following testcase crashes on mozilla-central revision e3daaa4c73dd (run with --fuzzing-safe --ion-eager):
var Vec3u16Type = TypedObject.uint16.array((1073741823));
var PairVec3u16Type = new TypedObject.StructType({ fst: Vec3u16Type, snd: Vec3u16Type });
new PairVec3u16Type();
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0xf7df26e7 in ?? () from /lib/i386-linux-gnu/libc.so.6
#0 0xf7df26e7 in ?? () from /lib/i386-linux-gnu/libc.so.6
#1 0x080c870e in MemoryInitVisitor (rt=0x9455fc0, this=0xffffbf6c) at /usr/include/bits/string3.h:85
#2 js::SizedTypeRepresentation::initInstance (this=0x9507560, rt=0x9455fc0, mem=0x94e6e38 "", length=1) at js/src/builtin/TypeRepresentation.cpp:743
#3 0x080d726b in js::TypedObject::createZeroed (cx=0x9462270, descr=..., length=0) at js/src/builtin/TypedObject.cpp:1498
#4 0x080fea55 in js::TypedObject::constructSized (cx=0x9462270, argc=0, vp=0xffffc214) at js/src/builtin/TypedObject.cpp:2329
#5 0x085c1aec in js::CallJSNative (cx=0x9462270, native=0x80fe870 <js::TypedObject::constructSized(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:230
#6 0x085c240b in js::CallJSNativeConstructor (cx=0x9462270, native=0x80fe870 <js::TypedObject::constructSized(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:263
#7 0x085b79f1 in js::InvokeConstructor (cx=0x9462270, args=...) at js/src/vm/Interpreter.cpp:573
edx 0x954bfc0 156549056
=> 0xf7df26e7: movdqa %xmm0,0x40(%edx)
status-firefox30:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Comment 3•11 years ago
|
||
The number in comment 0 is 2^30 - 1. Subtracting one dword or increasing the value leads to either an OOM message or "Type is too large to allocate" so I suspect this is an improper bounds check. Marking sec-high for now.
Keywords: csectype-bounds,
sec-high
Assignee | ||
Comment 4•11 years ago
|
||
decoder -- sounds right. We try to guard against this sort of thing...
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 5•11 years ago
|
||
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20140220102129" and the hash "7a5cbe4dadf8".
The "bad" changeset has the timestamp "20140220102430" and the hash "cc73b1f7a47d".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7a5cbe4dadf8&tochange=cc73b1f7a47d
Assignee | ||
Comment 6•11 years ago
|
||
This bug is caused by using a uint32_t instead of an int32_t in the StructTypeRepresentation::create() routine. It is fixed by the (final two) patches in bug 966575.
Assignee | ||
Comment 7•11 years ago
|
||
Attachment #8381834 -
Flags: review?(sphink)
Assignee | ||
Comment 8•11 years ago
|
||
Include test case
Attachment #8381834 -
Attachment is obsolete: true
Attachment #8381834 -
Flags: review?(sphink)
Attachment #8381835 -
Flags: review?(sphink)
Assignee | ||
Comment 9•11 years ago
|
||
That said, here is a fix, it also adds some useful assertions to array buffer and a test.
Comment 10•11 years ago
|
||
Can you put that in the form of a patch? Right now, the attachment is a 3-line test file. You mentioned assertions, so I'm guessing this isn't what you meant to upload.
Assignee | ||
Comment 11•11 years ago
|
||
Argh. My mistake.
Assignee | ||
Comment 12•11 years ago
|
||
Here is the patch. It doesn't include the test case for some reason, but you already saw that ;)
Attachment #8385330 -
Flags: review?(sphink)
Comment 13•11 years ago
|
||
Comment on attachment 8385330 [details] [diff] [review]
Bug976530.diff
Review of attachment 8385330 [details] [diff] [review]:
-----------------------------------------------------------------
I suspect typed objects should be using mfbt/CheckedInt.h all over, but r=me anyway.
Has Waldo or somebody written up anything about how to use it? I just looked at the header file, and it's a rough read.
::: js/src/builtin/TypeRepresentation.cpp
@@ +308,5 @@
> fieldCount_ = names.length();
>
> // We compute alignment into the field `align_` directly in the
> // loop below, but not `size_` because we have to very careful
> + // about overflow. For now, we always use a int32_t for
*an int32_t
Attachment #8385330 -
Flags: review?(sphink) → review+
Updated•11 years ago
|
Attachment #8381835 -
Flags: review?(sphink) → review+
Updated•11 years ago
|
Group: javascript-core-security
Updated•11 years ago
|
Assignee: nobody → nmatsakis
status-firefox29:
--- → disabled
Assignee | ||
Comment 14•11 years ago
|
||
Assignee | ||
Comment 15•11 years ago
|
||
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/2645fa20fa25 for being in a push that broke jsreftests: https://tbpl.mozilla.org/php/getParsedLog.php?id=36020939&tree=Mozilla-Inbound
Assignee | ||
Comment 17•11 years ago
|
||
Try run (green, as far as I can tell): https://tbpl.mozilla.org/?tree=Try&rev=a6d2715798c8
Assignee | ||
Comment 18•11 years ago
|
||
Comment 19•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Reporter | ||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 20•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
|
status-firefox-esr24:
--- → unaffected
Updated•11 years ago
|
Group: javascript-core-security
Reporter | ||
Updated•11 years ago
|
Reporter | ||
Comment 21•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed on Fx30
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•