Closed Bug 913716 Opened 11 years ago Closed 11 years ago

Crash [@ js::EncapsulatedPtr] or [@ js::jit::SetPropertyIC::update]

Product/Component: Core :: JavaScript Engine (defect)
Platform: x86_64, macOS
Severity: critical
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla26
Reporter: gkw
Assignee: efaust
Keywords: 4 keywords; Whiteboard: [jsbugmon:update]
Attachments: 4 files

Attached file debug and opt stacks (deleted) —
g = __defineGetter__("x", Iterator.prototype.iterator); c = x; delete x; Object.defineProperty(c, "x", ({ set: undefined })); ((function() { x = ""; (arguments.callee)() }))()

crashes js opt and debug shells on m-c changeset df8f342e9a6b without any CLI arguments at js::EncapsulatedPtr

My opt configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh /Users/mozillaadmin/Desktop/js-opt-64-dm-ts-darwin-mozilla-central-145747-df8f342e9a6b-PHKxZv/compilePath/js/src/configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

My debug configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh /Users/mozillaadmin/Desktop/js-dbg-64-dm-ts-darwin-mozilla-central-145747-df8f342e9a6b-mhDfBN/compilePath/js/src/configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c1ccfd8f31bf
user:        Eric Faust
date:        Fri Aug 30 18:50:36 2013 -0700
summary:     Bug 824393 - Part 0: Open SetPropertyIC to cases with uncertain TI. (r=bhackett)

This looks like a recursive buffer overflow but I'm setting s-s to be safe.

Eric, is bug 824393 a likely regressor?
Flags: needinfo?(efaustbmo)
Attached file stack for second testcase (deleted) —
y = this; Object.defineProperty(__proto__, "set", ({})); valueOf = (function(j) { x = String; }); Object.defineProperty(this, "x", {}); y + this

also crashes [@ js::EncapsulatedPtr]
Sometimes js::jit::SetPropertyIC::update appears at the top of the stack instead.
Crash Signature: [@ js::EncapsulatedPtr] → [@ js::EncapsulatedPtr] [@ js::jit::SetPropertyIC::update]
Summary: Crash [@ js::EncapsulatedPtr] → Crash [@ js::EncapsulatedPtr] or [@ js::jit::SetPropertyIC::update]
Attached patch Fix (deleted) — Splinter Review
shape->setterObject() is NULL if |set| was defined as |undefined|. Add a check for this case. This shouldn't be an exploitable crash, just a NULL deref.
Assignee: general → efaustbmo
Status: NEW → ASSIGNED
Attachment #801055 - Flags: review?(kvijayan)
Flags: needinfo?(efaustbmo)
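Added example, written for this page and not taken from the bug's attachments or from SpiderMonkey: it builds the object shape Eric describes (an accessor property whose setter is undefined, as the first testcase's `{ set: undefined }` creates) and checks the language-level behaviour a property-set fast path has to preserve for it, a dropped write in sloppy code and a TypeError in strict code, with the write repeated at one site so a JIT would compile and cache it. All function names are mine.

```javascript
// Added example, not code from the bug or from SpiderMonkey. Checks what
// an assignment to an accessor with an undefined setter must do: never
// store, never crash, throw only in strict mode.

// Mirrors the first testcase: Object.defineProperty(c, "x", { set: undefined }).
function makeAccessorWithoutSetter() {
  const obj = {};
  Object.defineProperty(obj, "x", {
    get() { return 42; },
    set: undefined,        // explicit undefined setter, same as omitting it
    configurable: true,
  });
  return obj;
}

// The descriptor is an accessor with no setter function: this is the
// "shape->setterObject() is NULL" state named in the fix.
function describeSetter(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  return { isAccessor: "get" in desc, hasSetter: typeof desc.set === "function" };
}

// Attempt the write and read back. Outside strict mode the assignment is a
// silent no-op; inside strict mode it throws TypeError. Either way the
// getter still answers 42 and nothing was stored.
function assignAndRead(obj) {
  let threw = false;
  try { obj.x = "ignored"; } catch (e) { threw = e instanceof TypeError; }
  return { threw, value: obj.x };
}

// Strict-mode code must observe a TypeError, not a crash or a stored value.
function strictAssignThrows(obj) {
  "use strict";
  try { obj.x = "ignored"; return false; } catch (e) { return e instanceof TypeError; }
}

// Repeat the write at a single site, as the recursive testcase does, so a
// JIT would compile and cache it; the observed value must stay 42 throughout.
function hammer(obj, iterations) {
  let value;
  for (let i = 0; i < iterations; i++) value = assignAndRead(obj).value;
  return value;
}
```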
Attached file stack for situation in comment 2 (deleted) —
Amazingly, I found the stack for the situation that I was referring to in comment 2.
Also, efaust says this should be safe to open up, as it's "just a null-deref, even in optimized builds."
Group: core-security
Attachment #801055 - Flags: review?(kvijayan) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26