Bug 567387 - Crash [@ js_CallGCMarker] or "Assertion failure: obj_, at ../jscntxtinlines.h" with Proxy.createFunction
Status: Closed (opened 15 years ago, closed 15 years ago)
Categories: Core :: JavaScript Engine, defect, P2
Resolution: RESOLVED FIXED

| Tracking | Status |
---|---|---|
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |

People: Reporter: gkw, Assigned: gal
Details: 4 keywords, Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey
Attachments (1 file): patch (deleted), review+ by jorendorff
try {
    (x = Proxy.createFunction((function (x) {
        return {
            getOwnPropertyDescriptor: gc,
            has: function () {
                return x
            },
            get: function (r, name) {
                return x[name]
            },
            enumerateOwn: function () {
                return Object.keys
            }
        }
    })(this), Object.keys))
} catch (e) {}
switch (uneval(x)()) {}
crashes js opt shell on TM tip without -j at js_CallGCMarker and asserts js debug shell on TM tip without -j at Assertion failure: obj_, at ../jscntxtinlines.h:249
Tested on 64-bit Ubuntu and Mac 10.6.3, and assuming related to harmony:proxies.
Program received signal SIGSEGV, Segmentation fault.
0x0000000000453626 in js_CallGCMarker(JSTracer*, void*, unsigned int) ()
(gdb) bt
#0 0x0000000000453626 in js_CallGCMarker(JSTracer*, void*, unsigned int) ()
#1 0x000000000045795e in js::AutoGCRooter::trace(JSTracer*) ()
#2 0x0000000000453e73 in js_TraceContext(JSTracer*, JSContext*) ()
#3 0x00000000004540db in js_TraceRuntime(JSTracer*) ()
#4 0x000000000045423f in GC(JSContext*) ()
#5 0x00000000004558d1 in js_GC(JSContext*, JSGCInvocationKind) ()
#6 0x0000000000405b71 in GC(JSContext*, unsigned int, long*) ()
#7 0x0000000000459f6d in js_Invoke ()
#8 0x000000000045a8c2 in js_InternalInvoke ()
#9 0x00000000004a17a5 in JSProxy::getOwnPropertyDescriptor(JSContext*, JSObject*, long, JSPropertyDescriptor*) ()
#10 0x00000000004a1870 in proxy_GetAttributes(JSContext*, JSObject*, long, JSProperty*, unsigned int*) ()
#11 0x0000000000465c59 in MarkSharpObjects(JSContext*, JSObject*, JSIdArray**) ()
#12 0x0000000000465e9a in js_EnterSharpObject ()
#13 0x000000000046ad88 in obj_toSource(JSContext*, unsigned int, long*) ()
#14 0x0000000000459f6d in js_Invoke ()
#15 0x000000000045a8c2 in js_InternalInvoke ()
#16 0x000000000046c650 in js_TryMethod ()
#17 0x00000000004d1b2f in js_ValueToSource ()
#18 0x00000000004d1bd9 in str_uneval(JSContext*, unsigned int, long*) ()
#19 0x000000000054ea42 in js_Interpret ()
#20 0x00000000004595d1 in js_Execute ()
#21 0x000000000040b776 in JS_ExecuteScript ()
#22 0x000000000040665a in Process(JSContext*, JSObject*, char*, int) ()
#23 0x0000000000407269 in main ()
(gdb) x/i $rip
=> 0x453626 <_Z15js_CallGCMarkerP8JSTracerPvj+134>: mov (%rax),%r10
(gdb) x/b $rax
0xf9000: Cannot access memory at address 0xf9000
We seem to be moving data from a weird memory address, so s-s and assuming [sg:critical?] just to be safe.
Updated • 15 years ago
Assignee: general → gal
Comment 1 • 15 years ago
Not in any product but definitely needs immediate fixing. We can open this up as soon as it lands on tm.
Priority: -- → P2
Comment 2 • 15 years ago
Marking NULL here. Easy fix. It will always hit the same address, so it's not exploitable IMO (we hit an assert in debug builds btw).
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dos]
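As an added illustration, not the TM patch (which is not shown on this page): a simplified model of a stack of auto-rooters traced by a GC that re-enters from a trap (as gc() does from getOwnPropertyDescriptor above) while one rooter has been pushed but not yet filled; the trace loop skips the empty slot instead of handing a null to the marker. JSTracer, AutoGCRooter, js_CallGCMarker and runGcFromTrap here are stand-ins, not SpiderMonkey's real definitions.

```cpp
#include <cstddef>

// Stand-in types (constructed for this example, not SpiderMonkey's).
struct JSTracer { int marked; int nullSkipped; };
struct JSObject { int live; };

// Intrusive stack of rooters, newest on top; RAII push/pop.
struct AutoGCRooter {
    AutoGCRooter *down;
    JSObject *obj_;
    static AutoGCRooter *top;
    explicit AutoGCRooter(JSObject *o = nullptr) : down(top), obj_(o) { top = this; }
    ~AutoGCRooter() { top = down; }
};
AutoGCRooter *AutoGCRooter::top = nullptr;

// The marker dereferences its argument: passing a null slot is the crash.
static void js_CallGCMarker(JSTracer *trc, JSObject *thing) {
    thing->live = 1;
    trc->marked++;
}

// Hardened trace: an empty rooter contributes nothing to the mark phase.
static void traceRooters(JSTracer *trc) {
    for (AutoGCRooter *r = AutoGCRooter::top; r; r = r->down) {
        if (!r->obj_) { trc->nullSkipped++; continue; }
        js_CallGCMarker(trc, r->obj_);
    }
}

// Models a GC re-entered from a trap while an operation further up the
// stack has pushed a rooter whose value has not been assigned yet.
static JSTracer runGcFromTrap() {
    JSObject a{0}, b{0};
    AutoGCRooter rootA(&a);
    AutoGCRooter pending;      // pushed, value not yet assigned
    AutoGCRooter rootB(&b);
    JSTracer trc{0, 0};
    traceRooters(&trc);        // GC runs here, under the trap
    return trc;                // rooters pop as the frame unwinds
}
```

The model traces two live objects and one empty slot; without the guard the empty slot would be dereferenced exactly as in the backtrace above.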
Comment 3 • 15 years ago
Attachment #446744 - Flags: review?(jorendorff)
Updated • 15 years ago
Attachment #446744 - Flags: review?(jorendorff) → review+
Comment 4 • 15 years ago
Opening this up. The patch is only on TM.
http://hg.mozilla.org/tracemonkey/rev/65e5007540ef
Group: core-security
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey
Comment 5 • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Updated • 14 years ago
Crash Signature: [@ js_CallGCMarker]