Closed Bug 567580 Opened 14 years ago Closed 14 years ago

TM: Crash [@ JSObject::getClass] or [@ js::TraceRecorder::record_JSOP_BINDNAME] with Proxy.createFunction

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
blocking1.9.2 --- -
status1.9.2 --- wanted
blocking1.9.1 --- -
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

patch
(deleted), patch
brendan
: review+
Details | Diff | Splinter Review 
y = Proxy.createFunction((function() {
  return {};
})(), /a/gi)
__proto__ = y;
(function() {
  (eval("\
    (function() {\
      for (var x = 0; x < 20; ++x) {\
        if (x % 5 == 0) {\" \"} \
        else { \
          for (xr = 0; 3; ) {} \
        }\
      }\
    })\
  "))()
})()

crashes js debug shell on TM tip with -j at JSObject::getClass and crashes js opt shell on TM tip with -j at js::TraceRecorder::record_JSOP_BINDNAME.

Assuming related to harmony:proxies. Also this seems to be a null crash and assuming [sg:dos] but locking s-s just-in-case.

Console stdout:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00079e29 in JSObject::getClass (this=0x0) at jsobj.h:266
266             return (JSClass *) (classword & ~JSSLOT_CLASS_MASK_BITS);
(gdb) bt
#0  0x00079e29 in JSObject::getClass (this=0x0) at jsobj.h:266
#1  0x0018b986 in js::TraceRecorder::record_JSOP_BINDNAME (this=0x868200) at ../jstracer.cpp:13949
#2  0x00199f1e in js::TraceRecorder::monitorRecording (this=0x868200, op=JSOP_BINDNAME) at jsopcode.tbl:274
#3  0x0008221e in js_Interpret (cx=0x809200) at jsops.cpp:78
#4  0x000a8576 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40cca0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#5  0x00012384 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40cca0, rval=0x0) at ../jsapi.cpp:4827
#6  0x0000a863 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff9c5 "720-interesting.js", forceTTY=0) at ../../shell/js.cpp:422
#7  0x0000b5a5 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff8d8, argc=2) at ../../shell/js.cpp:836
#8  0x0000b75a in main (argc=2, argv=0xbffff8d8, envp=0xbffff8e4) at ../../shell/js.cpp:5077
(gdb) x/i $eip
0x79e29 <_ZNK8JSObject8getClassEv+9>:   mov    0x4(%eax),%eax
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0
Summary: TM: Crash [@ JSObject::getClass] or [@ js::TraceRecorder::record_JSOP_BINDNAME] → TM: Crash [@ JSObject::getClass] or [@ js::TraceRecorder::record_JSOP_BINDNAME] with Proxy.createFunction
Confirm that this is a safe NULL crash (dos), not exploitable.
Drivers: very old bug, affects all branches. Probably very hard to trigger in 1.9.1 and 1.9.2 (above test case only works with trunk, it uses a feature that is not in 1.9.1 and 1.9.2). Not exploitable, but a guaranteed crash.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Attached patch patch (deleted) — Splinter Review 
Assignee: general → gal

        Attachment #446907 -
        Flags: review?(brendan)

    
  
Severity: critical → major
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All

    
    

    
  
Comment on attachment 446907 [details] [diff] [review]
patch

Not in 1.9.1 -- this code involving js_FindIdentifierBase (not called in jstracer.cpp before this changeset: 080548cb428d) was for bug 510642.

/be

        Attachment #446907 -
        Flags: review?(brendan) → review+

    
  
blocking1.9.1: ? → -
blocking1.9.2: ? → -

          status1.9.1:
          --- → unaffected

          status1.9.2:
          --- → wanted
Blocks: 510642

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/3c0e96b610a2
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/3c0e96b610a2
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
  
blocking2.0: ? → betaN+
Crash Signature: [@ JSObject::getClass]
[@ js::TraceRecorder::record_JSOP_BINDNAME]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: