[JavaScript engine] spidermonkey Debug 问题集

最新推荐文章于 2020-10-09 09:59:52 发布
最新推荐文章于 2020-10-09 09:59:52 发布
阅读量379 收藏
点赞数
分类专栏: 网络
原文链接:https://bugzilla.mozilla.org/show_bug.cgi?id=347645
版权

Removal of global arena cache list (arena_freelist)

https://bugzilla.mozilla.org/show_bug.cgi?id=347645

Currently when allocating a new arena the global list is checked before using malloc. This assumes that allocating from the list is faster than using malloc. But this may not be true for 2 reasons. First, many modern malloc/free implementations use thread-local cache. In such implementation malloc avoids taking any locks in many cases and can bit allocating from the list which allows take the lock. Second, the implementation searches the list for an element with exactly requested size. Since the list is not bounded, this can be arbitrary slow. 

Thus I suggest to remove the global list and always use malloc/free when allocating/releasing arena memory and allow the system to take better use of the memory.

But In case of SpiderMonkey the case is much more stronger for the following reason. The global list is populated only when JS_FreeArenaPool is called, in the rest of cases arena memory is released calling free directly. Now the only place in the browser code that calls JS_FreeArenaPool is js_GetPrinterOutput from js/src/jsopcode.c. 

Since the list is queried for exact allocations, the result of releasing the memory in js_GetPrinterOutput would, in most cases, be only usable when js_NewPrinter is called later. This happens because js_NewPrinter calls JS_InitArenaPool(&jp->pool, name, 256, 1) while in the rest of places JS_InitArenaPool is called with minimal allocation size set to 1K, 8K or the size deduced from the expected buffer size. Thus the global list just imposes useless locking and list searching before calling the malloc.

Here is stats from the browser collected with JS_ARENAMETER defined after the browser startup:

temp allocation statistics:
              number of arenas: 0
         number of allocations: 120748
 number of free arena reclaims: 0
        number of malloc calls: 5012
       number of deallocations: 0
  number of allocation growths: 19
    number of in-place growths: 0
 number of realloc'ing growths: 0
number of released allocations: 4381
       number of fast releases: 3253
         total bytes allocated: 4846989
          mean allocation size: 40.1414
            standard deviation: 186.675
       maximum allocation size: 4096

stack allocation statistics:
              number of arenas: 0
         number of allocations: 420
 number of free arena reclaims: 0
        number of malloc calls: 117
       number of deallocations: 0
  number of allocation growths: 0
    number of in-place growths: 0
 number of realloc'ing growths: 0
number of released allocations: 1012
       number of fast releases: 895
         total bytes allocated: 11584
          mean allocation size: 27.581
            standard deviation: 112.446
       maximum allocation size: 1676

properties allocation statistics:
              number of arenas: 51
         number of allocations: 12898
 number of free arena reclaims: 0
        number of malloc calls: 51
       number of deallocations: 0
  number of allocation growths: 0
    number of in-place growths: 0
 number of realloc'ing growths: 0
number of released allocations: 0
       number of fast releases: 0
         total bytes allocated: 361144
          mean allocation size: 28
            standard deviation: 27.8314
       maximum allocation size: 28

Which tells that there there were 5012 + 117 + 51 useless locking/unlocking calls.



Heap corruption on Out-of-Memory in jsopcode.c

https://bugzilla.mozilla.org/show_bug.cgi?id=393537
The reason for the bug is that SprintEnsureBuffer on failed realloc sets sp->base to null while keeping sp->size at the previous value. Thus the following call to SprintEnsureBuffer would set sp->base to freshly allocated memory of size just nb bytes and then write past malloc boundary.

I think this is exploitable on systems with sufficient memory as one can use huge strings to trigger OOM failure in the decompiler at the right moment.
The reason for the bug is that SprintEnsureBuffer on failed realloc sets sp->base to null while keeping sp->size at the previous value. Thus the following call to SprintEnsureBuffer would set sp->base to freshly allocated memory of size just nb bytes and then write past malloc boundary.

I think this is exploitable on systems with sufficient memory as one can use huge strings to trigger OOM failure in the decompiler at the right moment.
maimang09
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
python-spidermonkey
05-26
《用perl解析JavaScriptJavaScript模块的安装--SpiderMonkey》 安装依赖软件: 安装pyrex:sudo apt-get install python-pyrex 安装g++:sudo apt-get install g++ 安装libjs.so: $ tar zxvf js-1.7.0.tar.gz $ cd js/src $ make -f Makefile.ref $ cp Linux_All_DBG.OBJ/libjs.so /usr/lib 安装spidermonkey: $ unzip python-spidermonkey.zip $ cd python-spidermonkey $ python setup.py build $ python setup.py install 测试: $ python test.py spidermonkey的使用方法: eval_script函数: >>> from spidermonkey import Runtime >>> rt = Runtime() >>> cx = rt.new_context() >>> cx.eval_script("1 + 2") + 3 6 python中的函数在spidermonkey中运行: >>> class Foo: ... def hello(self): ... print "Hello, Javascript world!" >>> cx.bind_class(Foo, bind_constructor=True) >>> cx.eval_script("var f = new Foo(); f.hello();") Hello, Javascript world! >>> f = cx.eval_script("f;") >>> f.hello() Hello, Javascript world! get_global函数: >>> jsCode= "var acc = 'libearlibear'.substr(3,3) + 'libeautlibeaut'.substr(5,5) + 'abc';" >>> cx.eval_script(jsCode) >>> acc = cx.get_global('acc') >>> acc 'earutlibabc'
功能强大的JavaScript引擎--SpiderMonkey
weixin_34174322的博客
10-11 214
JavaScript在浏览器中的应用几乎是尽人皆知的。实际上,JavaScript技术也可以使用在非浏览器应用程序当中,从而让应用程序具有自动的脚本功能。本文介绍了一种功能非常强大的JavaScript引擎SpiderMonkey。这个引擎是Mozilla 浏览器的 JavaScript引擎。该引擎接口定义清晰,模块化好。本文简要介绍了 SpiderMonkey的基本结构,并讲解了如何在自己的应用...
SpiderMonkey-让你的C++程序支持JavaScript脚本
weixin_34061555的博客
08-06 108
译序 有些网友对为什么D2JSP能执行JavaScript脚本程序感到奇怪,因此我翻译了这篇文章,原文在这里。这篇教程手把手教你怎样利用SpiderMonkey创建一个能执行JavaScript脚本的C++程序,并让JavaScript脚本操纵你的C++程序的内部数据、操作。从这篇教程能够看到在SpiderMonkey引擎的帮助下,让C++程序支持JavaScript脚本是一件非常easy的...
学习 SpiderMonkey
w18767104183的专栏
11-11 1654
测试1 void SwimAlg::test1(){ } bool js_SwimAlg_SwimAlg_test1(JSContext *cx, uint32_t argc/*形参个数*/, jsval *vp) { //得到参数数组 JS::CallArgs args = JS::CallArgsFromVp(argc, vp); //js对象转化为c++
mozilla spidermonkey javascript engine 源代码
10-07
SpiderMonkey is Mozilla's JavaScript engine written in C/C++. It is used in various Mozilla products, including Firefox, and is available under the MPL2.
javascript SpiderMonkey中的函数序列化如何进行
10-27
JavaScript中如何进行函数序列化,函数序列化的作用是什么?本文将介绍SpiderMonkey中的函数序列化,有需要的朋友可以参考下
使用 Mozilla 的 SpiderMonkey 引擎和 Rust 构建的 JavaScript 运行时
06-28
蜘蛛火Spiderfire 是使用 Mozilla 的 SpiderMonkey 引擎和 Rust 构建的 javascript 运行时。Spiderfire 旨在破坏服务器端 javascript 运行时环境。许可该项目在 Mozilla Public License 2.0 下获得许可。可以在此处...
spidermonkey38.rar
07-02
由于JavaScript引擎的不同版本之间可能存在兼容性问题,因此,使用特定版本的SpiderMonkey(如38)是确保软件稳定性和兼容性的关键。 在**lib**目录下,你会找到一系列的库文件,这些是链接到你的C++程序所需的动态...
SpiderMonkey实现Javascript 脚本引擎
deng131的专栏
06-02 241
SpiderMonkey作为 Javascript 脚本引擎,一般用来嵌入其他语言中。同时还有google v8. http://www.aoeex.com/personal/2006/06/07/coding_with_spidermonkey.php 可以要让程序带有脚本控制功能,最经典的就是 Office的VBA了。 What SpiderMonkey does The Ja...
SpiderMonkey学习笔记(2)--封装JSAPI
zxh的专栏
06-04 2590
上一篇文章搭建好了一个简单的SpiderMonkey测试环境,并且把JSAPI User Guide里的样板代码直接拷贝到了工程里。在这篇文章里,我将对JSAPI做一个简单的封装,以方便后续的学习和试验。 1)添加一个C++类,名字估且就叫JsEngine吧 右键点击SpiderMonkeyTest Group,在弹出菜单中点击New Files... 菜单项: 选择iOS -> C a
v8,spidermonkey,chakra,spidermonkey四大主流JS引擎安装教程
weixin_39132520的博客
10-09 1111
四大主流JS引擎安装教程 参考网址: https://github.com/sslab-gatech/DIE/tree/master/engines 安装步骤: ./download-engine.sh ch 1.11.5 ./download-engine.sh jsc 2.23.3 ./build-ch.sh 1.11.5 ./build-jsc.sh 2.23.3 脚本含义: ./download-engine.sh:用于下载引擎源码,ch对应chakra引擎,1.11.5对应引擎版本。另:jsc
SpiderMonkey相关学习资料
省粮
10-13 495
SpiderMonkey相关学习资料 1、在Sublime中搭建SpiderMonkey编译环境 http://blog.csdn.net/ahey/article/details/51893718 点击打开链接
http://www.ibm.com/developerworks/cn/linux/l-cn-spidermonkey/index.html
weixin_33772645的博客
04-15 310
基于 C 语言的 JavaScript 引擎探索 使用 SpiderMonkey 脚本化您的应用 邱 俊涛, 软件工程师, 云电同方研发中心 邱俊涛,毕业于昆明理工大学计算机科学与技术专业,对机械控制、电子、人工智能、函数式编程等领域有浓厚的兴趣,对计算机科学的底层比较熟悉。喜欢 C/JAVA/Python/JavaScript 等语言。现就职于云电同方研发中心。 简介: JavaScri...
JavaScript-C引擎嵌入开发指南
08-07 2245
JavaScript-C引擎概览本文档提供了一个JavaScript(JS)引擎的C语言实现的概述,他介绍了你如何在你的应用程序中嵌入脚本引擎来让它们可以使用JS。有两大理由让你在应用程序中嵌入JS引擎:使用脚本来自动操作你的应用程序;同时使用JS引擎和脚本无论何时都可以提供跨平台的功能并消除了应用程序解决方案对平台的依赖性。受支持的JavaScript版本本JS引擎支持从JS 1.0
spidermonkey的使用及代码(SpiderMonkey1.7)
lak的专栏
03-18 1214
参见https://blog.csdn.net/kaitiren/article/details/21961235 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_User_Guide https://blog.csdn.net/jnstone3/article/details/3953203...
JSAPI用户手册
weixin_34075551的博客
09-05 239
本文档主要涵盖如何嵌入SpiderMonkey javascript引擎到你自己的c++程序中。 JavaScript在浏览器端已经被广泛使用了。但是,Mozilla的javascript引擎可以被嵌入到任何c++程序中,而不仅仅是应用于浏览器。许多应用程序开发可以通过脚本化的方式获益,这些程序可以使用SpiderMonkey API让c++代码里面跑js代码。 What SpiderMonk...
利用SpiderMonkey进行嵌入式开发——学习总结
董磊的专栏
03-03 1545
利用SpiderMonkey进行嵌入式开发——学习总结许峰 2007/07/30最近在学习javascript引擎SpiderMonkey,学了一个星期了,终于有点眉目,现将学习经验记录下来,已被后用。一下将逐步记录我学习的过程。1、下载源文件以及编译在 http://ftp.mozilla.org/pub/mozilla.org/js/ 下面有一个文件js-1.60.tar.gz,
spidermonkey 编译
最新发布
01-31
SpiderMonkey是Mozilla Firefox浏览器中使用的JavaScript引擎。要编译SpiderMonkey,可以按照以下步骤进行操作: 1. 下载SpiderMonkey源代码:你可以从Mozilla的官方网站上获取最新的SpiderMonkey源代码。下载地址...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值