Closed Bug 637010 Opened 14 years ago Closed 14 years ago

Crash [@ js_IteratorMore]

Categories

(Core :: JavaScript Engine, defect)

All
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla5
Tracking Status
firefox5 --- fixed
blocking2.0 --- -
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: decoder, Assigned: gal)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

The following code crashes on TM tip (without any options even): var o0 = Iterator.prototype; function f0(o) { } for(var i=0; i<7; i++) { try { o0.prototype(); } catch(e) { if (o0.next() != 7) throw "7 not yielded"; }; } This looks like a null pointer dereference to me: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f8ffa2dc720 (LWP 5590)] 0x00000000004d983c in js_IteratorMore (cx=0x143f530, iterobj=0x7f8ff8c03288, rval=0x7f8ff8d8a0a8) at jsiter.cpp:940 940 bool more = ni->props_cursor < ni->props_end; (gdb) bt #0 0x00000000004d983c in js_IteratorMore (cx=0x143f530, iterobj=0x7f8ff8c03288, rval=0x7f8ff8d8a0a8) at jsiter.cpp:940 #1 0x00000000004d94f4 in iterator_next (cx=0x143f530, argc=0, vp=0x7f8ff8d8a0a8) at jsiter.cpp:717 #2 0x00000000004d4d72 in js::CallJSNative (cx=0x143f530, native=0x4d9464 <iterator_next>, argc=0, vp=0x7f8ff8d8a0a8) at jscntxtinlines.h:701 #3 0x00000000006f971d in js::Interpret (cx=0x143f530, entryFrame=0x7f8ff8d8a048, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:4781 #4 0x00000000004d0dc2 in js::RunScript (cx=0x143f530, script=0x14a6020, fp=0x7f8ff8d8a048) at jsinterp.cpp:650 #5 0x00000000004d21eb in js::Execute (cx=0x143f530, chain=0x7f8ff8c03048, script=0x14a6020, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1011 #6 0x000000000043141e in JS_ExecuteScript (cx=0x143f530, obj=0x7f8ff8c03048, script=0x14a6020, rval=0x0) at jsapi.cpp:4929 #7 0x0000000000405723 in Process (cx=0x143f530, obj=0x7f8ff8c03048, filename=0x7fffc7876316 "min.js", forceTTY=0) at js.cpp:452 #8 0x0000000000406665 in ProcessArgs (cx=0x143f530, obj=0x7f8ff8c03048, argv=0x7fffc7875c10, argc=1) at js.cpp:944 #9 0x0000000000410a40 in Shell (cx=0x143f530, argc=1, argv=0x7fffc7875c10, envp=0x7fffc7875c20) at js.cpp:5711 #10 0x0000000000410c06 in main (argc=1, argv=0x7fffc7875c10, envp=0x7fffc7875c20) at js.cpp:5819 (gdb) print ni $1 = (class js::NativeIterator *) 0x0 Locking this anyways, unlock if confirmed to be harmless.
Forgot: Found through combined fuzzing (jandem's method fuzzer + LangFuzz)
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 42641:b15fd8b568e4 user: Andreas Gal date: Fri May 07 17:52:52 2010 -0700 summary: fast object iteration (558754, r=brendan, CLOSED TREE).
blocking2.0: --- → ?
Keywords: regression
Hardware: x86_64 → All
blocking2.0: ? → ---
Hardware: All → x86_64
Summary: Crash in js_IteratorMore → Crash [@ js_IteratorMore]
blocking2.0: --- → ?
Hardware: x86_64 → All
I reduced this (to see how my fuzzer can generate this): Iterator.prototype.next(); iterobj->getNativeIterator() in js_IteratorMore returns NULL in this case.
Whiteboard: [sg:dos]
Attached patch patch (deleted) — Splinter Review
Assignee: general → gal
Just a couple missing null checks. Not exploitable. Should be very safe to take, but I won't fight an a-.
Attachment #515373 - Flags: approval2.0?
blocking2.0: ? → -
Attachment #515373 - Flags: review?(dvander)
Comment on attachment 515373 [details] [diff] [review] patch r+ before a? please!
Attachment #515373 - Flags: approval2.0?
dvander, want to review?
Attachment #515373 - Flags: review?(dvander) → review+
Comment on attachment 515373 [details] [diff] [review] patch This is a safe crash and a DOS. I would like to take it for 2.x but I am not going to fight for it.
Attachment #515373 - Flags: approval2.0?
Comment on attachment 515373 [details] [diff] [review] patch Actually no, I take back the approval nom. I just land it on trunk and we pick it up whenever.
Attachment #515373 - Flags: approval2.0?
Whiteboard: [sg:dos] → [sg:dos] fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla5
Crash Signature: [@ js_IteratorMore]
Group: core-security
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: