Closed Bug 1029130 Opened 10 years ago Closed 10 years ago

Assertion failure: IsCompatibleLIRCoercion(def->type(), as->type()), at jit/shared/Lowering-shared-inl.h:195 or Crash on Heap with invalid read

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla34
Tracking Flags:
Tracking Status
firefox32 --- disabled
firefox33 --- disabled
firefox34 --- verified
firefox-esr24 --- disabled
firefox-esr31 --- disabled

People

(Reporter: decoder, Assigned: nmatsakis)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
695 bytes, text/plain
Details
Bug1029130.diff
1.95 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 366b5c0c02d3 (run with --fuzzing-safe):


var PointType2 = new TypedObject.StructType({ y: TypedObject.float64 });
function xPlusY(p) {
  return p.x + p.y;
}
function xPlusYTweak(p = x ? Math.y : x)  {
  return xPlusY(p);
}
var N = 100;
for (var i = 0; i < N; "IQD") {
  obj = new PointType2({x: i, y: i+1});
  xPlusYTweak(obj)
}
This crashes on the heap with an invalid read from a bogus address:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fdf03b in ?? ()
#0  0x00007ffff7fdf03b in ?? ()
[...]
#7  0x00007ffff575a680 in ?? ()
rax     0xf5846770      -1125900082714768
=> 0x7ffff7fdf03b:      mov    0x30(%rax),%r11



Marked s-s and sec-critical based on that.
status-firefox33: --- → affected
Keywords: crash, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b2ed6214694f
user:        Nicholas D. Matsakis
date:        Mon Feb 10 14:48:51 2014 -0500
summary:     Bug 898356 Part 4 -- Check for neutered typed object unless the check is covered by a length check r=jandem

This iteration took 234.629 seconds to run.
Needinfo from nmatsakis based on comment 3 :)
Flags: needinfo?(nmatsakis)
Jan, since Nick is away for a bit would you be able to confirm comment 3?
Flags: needinfo?(jdemooij)
On x86 I get this assertion failure in LIRGeneratorShared::use:

  JS_ASSERT(mir->type() != MIRType_Value);

It looks like MNeuterCheck has a MIRType_Value operand but it uses useRegister. It probably needs an object type policy.

Niko, can you please comment on this bug or forward it to somebody else? These asserts make it harder for the fuzzers to find other bugs.
Flags: needinfo?(jdemooij)
Group: javascript-core-security
Any updates on this?
status-firefox34: --- → affected
So I investigated the problem. I am unclear on where exactly this bug is. The `MDefinition` in question is a phi that starts out as an object and is later changed to a value as part of type adjustment. I was under the (false?) impression that code could rely on the type etc of an `MDefinition` not to change. If this is false, I think there are a number of places that will need object policies.
Flags: needinfo?(nmatsakis)
This looks like it is a trunk-only thing.
status-firefox33: affecteddisabled
Attached patch Bug1029130.diffSplinter Review 
Add object policy to MNeuterCheck. One question is: I was unable to produce a test that reproduced with fewer than 10000 iterations, even with --ion-eager. I'm actually not quite sure why this is. Any suggestions?
Attachment #8469624 - Flags: review?(jdemooij)
Comment on attachment 8469624 [details] [diff] [review]
Bug1029130.diff

Review of attachment 8469624 [details] [diff] [review]:
-----------------------------------------------------------------

(In reply to Niko Matsakis [:nmatsakis] from comment #10)
> One question is: I was unable to produce
> a test that reproduced with fewer than 10000 iterations, even with
> --ion-eager. I'm actually not quite sure why this is. Any suggestions?

Did you try --ion-eager --ion-offthread-compile=off? Parallel compilation can take a while. (We run jit-tests with these flags as part of jit_test.py --tbpl)
Attachment #8469624 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/9c1418c26c20
Assignee: nobody → nmatsakis
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox34: affectedfixed
status-firefox-esr31: --- → disabled
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Status: RESOLVED → VERIFIED
status-firefox34: fixedverified
JSBugMon: This bug has been automatically verified fixed.
(In reply to Jan de Mooij [:jandem] from comment #11)
> Did you try --ion-eager --ion-offthread-compile=off? Parallel compilation
> can take a while. (We run jit-tests with these flags as part of jit_test.py
> --tbpl)

I did try that, I believe.
Group: javascript-core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: