Closed Bug 980450 Opened 11 years ago Closed 11 years ago

Crash [@ js::HasOwnProperty<(js::AllowGC)0>]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla30
Tracking Status
firefox29 --- unaffected
firefox30 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 8122ffa9e1aa (run with --fuzzing-safe):

var f32 = new Float32Array(1);
for(var n = 100; n; --n) f32.hasOwnProperty(4)

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::HasOwnProperty<(js::AllowGC)0> (cx=0x181e7a0, lookup=<optimized out>, obj=0x7ffff615bdc0, id=..., objp=..., propp=...) at js/src/jsobj.cpp:4283
4283	    if (JSObjectOp op = objp->getClass()->ext.outerObject) {
#0  js::HasOwnProperty<(js::AllowGC)0> (cx=0x181e7a0, lookup=<optimized out>, obj=0x7ffff615bdc0, id=..., objp=..., propp=...) at js/src/jsobj.cpp:4283
#1  0x0000000000494dc1 in obj_hasOwnProperty (cx=0x181e7a0, argc=<optimized out>, vp=0x7fffffffbe48) at js/src/builtin/Object.cpp:641
#2  0x000000000096b9e1 in js::CallJSNative (cx=0x181e7a0, native=0x494c70 <obj_hasOwnProperty(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#3  0x0000000000962521 in js::Invoke (cx=0x181e7a0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#4  0x00000000009632d7 in js::Invoke (cx=0x181e7a0, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffc4a0, rval=...) at js/src/vm/Interpreter.cpp:532
#5  0x00000000005c29a6 in js::jit::DoCallFallback (cx=0x181e7a0, frame=0x7fffffffc4e0, stub=0x1868940, argc=1, vp=0x7fffffffc490, res=...) at js/src/jit/BaselineIC.cpp:8090
#6  0x00007ffff7fefded in ?? ()
#7  0x0000003801868610 in ?? ()
rax            0x200	512
=> 0x89ce5e <js::HasOwnProperty<(js::AllowGC)0>(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Shape*>), js::MaybeRooted<JSObject*, (js::AllowGC)0>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)0>::MutableHandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)0>::MutableHandleType)+286>:	mov    (%rax),%rdx

The crash could be a null-deref but the offset is fairly large, marking s-s until triaged properly.
Whiteboard: [jsbugmon:update,bisect]
Fwiw, here's an ASan trace:

==5454==ERROR: AddressSanitizer: SEGV on unknown address 0x02005fff8006 (pc 0x000000efb197 sp 0x7fffa3d6b720 bp 0x7fffa3d6b7f0 T0)
AddressSanitizer can not provide additional info.
    #0 0xefb196 in js::BarrieredPtr<js::types::TypeObject, unsigned long>::operator->() const js/src/gc/Barrier.h:322
    #1 0xefb196 in js::ObjectImpl::getClass() const js/src/vm/ObjectImpl.h:1003
    #2 0xefb196 in bool js::HasOwnProperty<(js::AllowGC)0>(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Shape*>), js::MaybeRooted<JSObject*, (js::AllowGC)0>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)0>::MutableHandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)0>::MutableHandleType) js/src/jsobj.cpp:4283
    #3 0x5c6f56 in obj_hasOwnProperty(JSContext*, unsigned int, JS::Value*) js/src/builtin/Object.cpp:641
    #4 0x101eb80 in JSFunction::native() const js/src/jscntxtinlines.h:239
    #5 0x101eb80 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:476
    #6 0x10201e8 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:532
    #7 0x8420a1 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:8090
SUMMARY: AddressSanitizer: SEGV js/src/gc/Barrier.h:322 js::BarrieredPtr<js::types::TypeObject, unsigned long>::operator->() const

Looks like the operator is trying to deref an invalid object pointer, assuming sec-critical. Please correct if that's wrong :)
Group: javascript-core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140304112656" and the hash "703bd71926e4".
The "bad" changeset has the timestamp "20140304114257" and the hash "78fa90a29c43".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=703bd71926e4&tochange=78fa90a29c43
Needinfo from bhackett based on comment 4, likely regressed by bug 695438.
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review
The outparams in LookupOwnPropertyWithFlagsInline weren't always being initialized.
Assignee: nobody → bhackett1024
Attachment #8387571 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
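The defect named in the patch comment above, as an added illustration that is not the project's own code: a lookup helper with two outparams (hypothetical names, modelled loosely on the shape of LookupOwnPropertyWithFlagsInline) that never writes them on the out-of-range path, beside the hardened form that nulls them before any return. The `stale` pointer stands in for whatever the uninitialized stack slot held, which is what turns a missed write into a bogus "found" that the real caller then dereferences.

```cpp
#include <cstdint>

// Stand-ins for the engine types; hypothetical, not SpiderMonkey's own.
struct Shape { int flags; };
struct TypedArrayLike { uint32_t length; Shape elementShape; };

// Models the defect: a lookup that reports "no error" for an out-of-range
// index but never writes its outparams, so the caller keeps stale values.
static bool LookupOwnElementBuggy(TypedArrayLike *obj, uint32_t index,
                                  TypedArrayLike **objp, Shape **propp) {
    if (index < obj->length) {
        *objp = obj;
        *propp = &obj->elementShape;
    }
    return true;  // out of range: returns without touching *objp / *propp
}

// Hardened form: clear every outparam before any path can return.
static bool LookupOwnElementFixed(TypedArrayLike *obj, uint32_t index,
                                  TypedArrayLike **objp, Shape **propp) {
    *objp = nullptr;
    *propp = nullptr;
    if (index < obj->length) {
        *objp = obj;
        *propp = &obj->elementShape;
    }
    return true;
}

// Caller shaped like obj_hasOwnProperty: a non-null objp means "found" and
// is then dereferenced. The `stale` argument plays the role of whatever the
// uninitialized stack slot held before the call.
static bool HasOwnElement(bool useFixed, TypedArrayLike *obj, uint32_t index,
                          TypedArrayLike *stale) {
    TypedArrayLike *objp = stale;
    Shape *propp = nullptr;
    if (useFixed)
        LookupOwnElementFixed(obj, index, &objp, &propp);
    else
        LookupOwnElementBuggy(obj, index, &objp, &propp);
    return objp != nullptr;  // real code would now read objp->getClass()
}

// Mirrors the reporter's testcase: a 1-element array probed at index 4.
static bool ReportsFound(bool useFixed, uint32_t index) {
    TypedArrayLike f32 = {1, {0}};
    TypedArrayLike garbage = {0, {0}};  // constructed stale pointer target
    return HasOwnElement(useFixed, &f32, index, &garbage);
}
```

With the buggy lookup, ReportsFound(false, 4) answers true because objp still holds the stale pointer; the fixed lookup answers false and leaves nothing for the caller to dereference.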
Attachment #8387571 - Flags: review?(luke) → review+
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security
Group: core-security