Bug 980450 (Closed): opened 6 years ago, closed 6 years ago

Crash [@ js::HasOwnProperty<(js::AllowGC)0>]

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
mozilla30
Tracking Status
firefox29 --- unaffected
firefox30 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 8122ffa9e1aa (run with --fuzzing-safe):


var f32 = new Float32Array(1);
for (var n = 100; n; --n)
  f32.hasOwnProperty(4);

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::HasOwnProperty<(js::AllowGC)0> (cx=0x181e7a0, lookup=<optimized out>, obj=0x7ffff615bdc0, id=..., objp=..., propp=...) at  js/src/jsobj.cpp:4283
4283        if (JSObjectOp op = objp->getClass()->ext.outerObject) {
#0  js::HasOwnProperty<(js::AllowGC)0> (cx=0x181e7a0, lookup=<optimized out>, obj=0x7ffff615bdc0, id=..., objp=..., propp=...) at  js/src/jsobj.cpp:4283
#1  0x0000000000494dc1 in obj_hasOwnProperty (cx=0x181e7a0, argc=<optimized out>, vp=0x7fffffffbe48) at  js/src/builtin/Object.cpp:641
#2  0x000000000096b9e1 in js::CallJSNative (cx=0x181e7a0, native=0x494c70 <obj_hasOwnProperty(JSContext*, unsigned int, JS::Value*)>, args=...) at  js/src/jscntxtinlines.h:239
#3  0x0000000000962521 in js::Invoke (cx=0x181e7a0, args=..., construct=js::NO_CONSTRUCT) at  js/src/vm/Interpreter.cpp:476
#4  0x00000000009632d7 in js::Invoke (cx=0x181e7a0, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffc4a0, rval=...) at  js/src/vm/Interpreter.cpp:532
#5  0x00000000005c29a6 in js::jit::DoCallFallback (cx=0x181e7a0, frame=0x7fffffffc4e0, stub=0x1868940, argc=1, vp=0x7fffffffc490, res=...) at  js/src/jit/BaselineIC.cpp:8090
#6  0x00007ffff7fefded in ?? ()
#7  0x0000003801868610 in ?? ()
rax     0x200   512
=> 0x89ce5e <js::HasOwnProperty<(js::AllowGC)0>(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Shape*>), js::MaybeRooted<JSObject*, (js::AllowGC)0>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)0>::MutableHandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)0>::MutableHandleType)+286>:    mov    (%rax),%rdx


The crash could be a null-deref but the offset is fairly large, marking s-s until triaged properly.
Whiteboard: [jsbugmon:update,bisect]
Fwiw, here's an ASan trace:

==5454==ERROR: AddressSanitizer: SEGV on unknown address 0x02005fff8006 (pc 0x000000efb197 sp 0x7fffa3d6b720 bp 0x7fffa3d6b7f0 T0)
AddressSanitizer can not provide additional info.
    #0 0xefb196 in js::BarrieredPtr<js::types::TypeObject, unsigned long>::operator->() const  js/src/gc/Barrier.h:322
    #1 0xefb196 in js::ObjectImpl::getClass() const  js/src/vm/ObjectImpl.h:1003
    #2 0xefb196 in bool js::HasOwnProperty<(js::AllowGC)0>(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Shape*>), js::MaybeRooted<JSObject*, (js::AllowGC)0>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)0>::MutableHandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)0>::MutableHandleType)  js/src/jsobj.cpp:4283
    #3 0x5c6f56 in obj_hasOwnProperty(JSContext*, unsigned int, JS::Value*)  js/src/builtin/Object.cpp:641
    #4 0x101eb80 in JSFunction::native() const  js/src/jscntxtinlines.h:239
    #5 0x101eb80 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)  js/src/vm/Interpreter.cpp:476
    #6 0x10201e8 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)  js/src/vm/Interpreter.cpp:532
    #7 0x8420a1 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)  js/src/jit/BaselineIC.cpp:8090
SUMMARY: AddressSanitizer: SEGV  js/src/gc/Barrier.h:322 js::BarrieredPtr<js::types::TypeObject, unsigned long>::operator->() const


Looks like the operator is trying to deref an invalid object pointer, assuming sec-critical. Please correct if that's wrong :)
Group: javascript-core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140304112656" and the hash "703bd71926e4".
The "bad" changeset has the timestamp "20140304114257" and the hash "78fa90a29c43".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=703bd71926e4&tochange=78fa90a29c43
Needinfo from bhackett based on comment 4, likely regressed by bug 695438.
Flags: needinfo?(bhackett1024)
Attached patch: patch (Splinter Review)
The outparams in LookupOwnPropertyWithFlagsInline weren't always being initialized.
Assignee: nobody → bhackett1024
Attachment #8387571 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Attachment #8387571 - Flags: review?(luke) → review+
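Added illustration of the defect class the patch comment names (a lookup routine with outparams that are not written on every return path, and a caller in the shape of obj_hasOwnProperty that dereferences whatever was left there). This is example code written for this page, not SpiderMonkey's; the Obj, Shape, lookupOwnBuggy, lookupOwnFixed and hasOwnProperty names are stand-ins, and the 0x200 sentinel only echoes the rax value in the gdb trace above.

```cpp
// Example code, not SpiderMonkey: stand-ins for JSObject / js::Shape and for a
// lookup routine with the engine's outparam convention.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct Shape { std::string name; };            // stand-in for js::Shape
struct Obj {                                    // stand-in for JSObject
    std::string className;
    std::vector<Shape> shapes;                  // named own properties
    bool isTypedArray = false;
    size_t length = 0;                          // element count when isTypedArray
};

using LookupFn = bool (*)(Obj*, const std::string&, Obj**, Shape**);

// Contract (same shape as the engine's lookup routines): return false only on
// error; on return, *objp is the holder or null and *propp the property or null.
// Bug: the typed-array branch returns on the out-of-range path without writing
// either outparam, so the caller sees whatever was in those slots before.
static bool lookupOwnBuggy(Obj* obj, const std::string& id, Obj** objp, Shape** propp) {
    if (obj->isTypedArray) {
        char* end = nullptr;
        long idx = std::strtol(id.c_str(), &end, 10);
        if (*end == '\0' && idx >= 0 && static_cast<size_t>(idx) < obj->length) {
            *objp = obj;      // element found; typed-array elements carry no Shape here
            *propp = nullptr;
            return true;
        }
        return true;          // not found, but *objp / *propp left untouched
    }
    for (Shape& s : obj->shapes) {
        if (s.name == id) { *objp = obj; *propp = &s; return true; }
    }
    *objp = nullptr;
    *propp = nullptr;
    return true;
}

// Fix: establish the "not found" state before any branch, so every early
// return honours the contract regardless of how the body evolves.
static bool lookupOwnFixed(Obj* obj, const std::string& id, Obj** objp, Shape** propp) {
    *objp = nullptr;
    *propp = nullptr;
    return lookupOwnBuggy(obj, id, objp, propp);
}

// Caller modelled on obj_hasOwnProperty. The outparams are pre-seeded with a
// sentinel standing in for stack garbage (never dereferenced here; the real
// engine did objp->getClass() on it). Returns 1 found, 0 not found,
// -1 if the lookup left the sentinel in place, -2 on lookup error.
static int hasOwnProperty(LookupFn lookup, Obj* obj, const std::string& id) {
    Obj* const garbageObj = reinterpret_cast<Obj*>(static_cast<std::uintptr_t>(0x200));
    Shape* const garbageShape = reinterpret_cast<Shape*>(static_cast<std::uintptr_t>(0x200));
    Obj* holder = garbageObj;
    Shape* prop = garbageShape;
    if (!lookup(obj, id, &holder, &prop)) return -2;
    if (holder == garbageObj || prop == garbageShape) return -1;
    return holder != nullptr ? 1 : 0;
}

// Constructed stand-in for the testcase's `new Float32Array(n)`.
static Obj makeFloat32Array(size_t n) {
    Obj o;
    o.className = "Float32Array";
    o.isTypedArray = true;
    o.length = n;
    return o;
}

int main() {
    Obj f32 = makeFloat32Array(1);
    std::printf("buggy hasOwnProperty(0) = %d\n", hasOwnProperty(lookupOwnBuggy, &f32, "0"));
    std::printf("buggy hasOwnProperty(4) = %d\n", hasOwnProperty(lookupOwnBuggy, &f32, "4"));
    std::printf("fixed hasOwnProperty(4) = %d\n", hasOwnProperty(lookupOwnFixed, &f32, "4"));
    return 0;
}
```

The in-range index works with both versions; only the out-of-range index from the testcase (hasOwnProperty(4) on a length-1 array) exposes the difference, which is why a loop over a single call was enough to hit it.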
https://hg.mozilla.org/mozilla-central/rev/5f7a9e12219a

Can we land the test please?
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security
Group: core-security