Closed Bug 567387 Opened 15 years ago Closed 15 years ago

Crash [@ js_CallGCMarker] or "Assertion failure: obj_, at ../jscntxtinlines.h" with Proxy.createFunction

Categories

(Core :: JavaScript Engine, defect, P2)
RESOLVED FIXED
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

Details

(4 keywords, Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey)

Attachments

(1 file)

try {
  (x = Proxy.createFunction((function (x) {
    return {
      getOwnPropertyDescriptor: gc,
      has: function () { return x },
      get: function (r, name) { return x[name] },
      enumerateOwn: function () { return Object.keys }
    }
  })(this), Object.keys))
} catch (e) {}
switch (uneval(x)()) {}

crashes the js opt shell on TM tip without -j at js_CallGCMarker, and asserts in the js debug shell on TM tip without -j at:

Assertion failure: obj_, at ../jscntxtinlines.h:249

Tested on 64-bit Ubuntu and Mac 10.6.3, and assuming related to harmony:proxies.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000453626 in js_CallGCMarker(JSTracer*, void*, unsigned int) ()
(gdb) bt
#0  0x0000000000453626 in js_CallGCMarker(JSTracer*, void*, unsigned int) ()
#1  0x000000000045795e in js::AutoGCRooter::trace(JSTracer*) ()
#2  0x0000000000453e73 in js_TraceContext(JSTracer*, JSContext*) ()
#3  0x00000000004540db in js_TraceRuntime(JSTracer*) ()
#4  0x000000000045423f in GC(JSContext*) ()
#5  0x00000000004558d1 in js_GC(JSContext*, JSGCInvocationKind) ()
#6  0x0000000000405b71 in GC(JSContext*, unsigned int, long*) ()
#7  0x0000000000459f6d in js_Invoke ()
#8  0x000000000045a8c2 in js_InternalInvoke ()
#9  0x00000000004a17a5 in JSProxy::getOwnPropertyDescriptor(JSContext*, JSObject*, long, JSPropertyDescriptor*) ()
#10 0x00000000004a1870 in proxy_GetAttributes(JSContext*, JSObject*, long, JSProperty*, unsigned int*) ()
#11 0x0000000000465c59 in MarkSharpObjects(JSContext*, JSObject*, JSIdArray**) ()
#12 0x0000000000465e9a in js_EnterSharpObject ()
#13 0x000000000046ad88 in obj_toSource(JSContext*, unsigned int, long*) ()
#14 0x0000000000459f6d in js_Invoke ()
#15 0x000000000045a8c2 in js_InternalInvoke ()
#16 0x000000000046c650 in js_TryMethod ()
#17 0x00000000004d1b2f in js_ValueToSource ()
#18 0x00000000004d1bd9 in str_uneval(JSContext*, unsigned int, long*) ()
#19 0x000000000054ea42 in js_Interpret ()
#20 0x00000000004595d1 in js_Execute ()
#21 0x000000000040b776 in JS_ExecuteScript ()
#22 0x000000000040665a in Process(JSContext*, JSObject*, char*, int) ()
#23 0x0000000000407269 in main ()
(gdb) x/i $rip
=> 0x453626 <_Z15js_CallGCMarkerP8JSTracerPvj+134>: mov (%rax),%r10
(gdb) x/b $rax
0xf9000: Cannot access memory at address 0xf9000

We seem to be moving data from a weird memory address, so s-s and assuming [sg:critical?] just to be safe.
Assignee: general → gal
Not in any product but definitely needs immediate fixing. We can open this up as soon as it lands on tm.
Priority: -- → P2
Marking NULL here. Easy fix. It will always hit the same address, so it's not exploitable IMO (we hit an assert in debug builds btw).
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dos]
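Added illustration of the root-stack hazard behind this bug and of the "marking NULL" fix; this is a constructed C++ model, not SpiderMonkey's own code, and Heap, Context, Rooter, traceContext and scenario are hypothetical stand-ins for the engine's structures. It reproduces the sequence in the backtrace: a rooter is pushed onto the context's rooter list before its payload is filled in, the proxy trap (gc in the testcase) collects re-entrantly, and the tracer reads whatever the rooter currently holds.

```cpp
// Constructed model (added here, not SpiderMonkey code) of the root-stack hazard
// in this bug. Heap, Context, Rooter, traceContext and scenario are hypothetical
// stand-ins for the engine's structures, not its real API.
#include <set>
#include <vector>

struct GCObject { bool marked = false; };
struct Heap { std::set<GCObject*> live; };   // every object the collector owns

struct Rooter;
struct Context { Heap* heap; std::vector<Rooter*> rooters; };

struct Rooter {
    Context* cx;
    GCObject* obj;   // the rooted payload; obj_ in the real AutoGCRooter
    Rooter(Context* c, GCObject* initial) : cx(c), obj(initial) { cx->rooters.push_back(this); }
    ~Rooter() { cx->rooters.pop_back(); }
};

enum class Trace { Ok, BadRoot };

// Stand-in for js_CallGCMarker: a NULL root is skipped (the "marking NULL" part
// of the fix); a pointer to no live object is the bad address in the backtrace.
static Trace callGCMarker(Heap* heap, GCObject* thing) {
    if (thing == nullptr) return Trace::Ok;
    if (!heap->live.count(thing)) return Trace::BadRoot;
    thing->marked = true;
    return Trace::Ok;
}

// Stand-in for js_TraceContext: walk every rooter on the stack.
static Trace traceContext(Context* cx) {
    for (Rooter* r : cx->rooters)
        if (callGCMarker(cx->heap, r->obj) == Trace::BadRoot) return Trace::BadRoot;
    return Trace::Ok;
}

// The trap in the testcase is `gc`, so the handler call itself collects.
// `initial` is what the rooter holds while the trap runs.
static Trace runTrapWithRooter(Context* cx, GCObject* initial, GCObject* result) {
    Rooter desc(cx, initial);       // pushed on the rooter stack before the trap
    Trace t = traceContext(cx);     // GC fires inside the trap
    desc.obj = result;              // payload assigned only after the trap returns
    return t;
}

// Run the sequence once with the pre-fix garbage root (modelled with the unmapped
// address from the gdb session) and once with the NULL-initialised root.
static Trace scenario(bool fixed) {
    Heap heap; GCObject result; heap.live.insert(&result);
    Context cx{&heap, {}};
    GCObject* initial = fixed ? nullptr : reinterpret_cast<GCObject*>(0xf9000);
    return runTrapWithRooter(&cx, initial, &result);
}
```

scenario(false) reports the bad root the crash shows; scenario(true) traces cleanly, which is why initialising the rooter to NULL (and having the marker skip NULL) is the whole fix.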
Attached patch: patch (deleted)
Attachment #446744 - Flags: review?(jorendorff)
Attachment #446744 - Flags: review?(jorendorff) → review+
Opening this up. The patch is only on TM. http://hg.mozilla.org/tracemonkey/rev/65e5007540ef
Group: core-security
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_CallGCMarker]