Closed Bug 1055219 Opened 5 years ago Closed 5 years ago

Assertion failure: ptr.found() && &*ptr == &e.front(), at jsinfer.cpp:4267


(Core :: JavaScript Engine, defect, critical)
Tracking Status
firefox31 --- unaffected
firefox32 --- fixed
firefox33 --- fixed
firefox34 --- verified
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.1 --- fixed


(Reporter: decoder, Assigned: jonco)


(Blocks 1 open bug)


(4 keywords, Whiteboard: [jsbugmon:update])


(4 files)

The following testcase asserts on mozilla-central revision 0aaa2d3d15cc (run with --no-threads --fuzzing-safe --ion-eager):

function A() {};
A.prototype = [];
function B() {};
B.prototype = new A();

Test involves gczeal and assertion is about pointers, marking s-s based on that.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Jon Coppeard
date:        Thu Aug 14 11:46:33 2014 +0100
summary:     Bug 650161 - Update internal hash table checks for use after compacting GC as well r=terrence

This iteration took 296.263 seconds to run.
Needinfo from Jon based on comment 3 :)
Flags: needinfo?(jcoppeard)
We are missing a postbarrier for the lazyTypeObjects table.
Assignee: nobody → jcoppeard
Attachment #8475137 - Flags: review?(terrence)
Flags: needinfo?(jcoppeard)
Comment on attachment 8475137 [details] [diff] [review]

Review of attachment 8475137 [details] [diff] [review]:

I bet you this is our TypeCompartment::sweep top-crasher. Great find, Christian!

Let's get this in and uplifted asap.
Attachment #8475137 - Flags: review?(terrence) → review+
Blocks: 958076
What versions does this affect?  Bug 650161 is trunk-only, but it sounds like bug 958076 is talking about a crash that affects more than that.
Flags: needinfo?(terrence)
Keywords: sec-high
This affects all builds with GGC enabled, 32 and onward.
Flags: needinfo?(terrence)
Comment on attachment 8475137 [details] [diff] [review]

This probably should have gotten sec-approval.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
It would be difficult.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
If you have internalized how our GGC works, then it's pretty obvious. Given that we don't have a GGC release yet, I think that's probably a pretty narrow set of people though.

Which older supported branches are affected by this flaw?
32 and onward.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This should be trivial to backport.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely. It's green on m-i, so I think that's probably sufficient evidence.
Attachment #8475137 - Flags: sec-approval?
Attachment #8475137 - Flags: checkin+
Comment on attachment 8475137 [details] [diff] [review]

And we're certainly going to want to uplift.

Approval Request Comment
[Feature/regressing bug #]: GGC
[User impact if declined]: Increased crash volume.
[Describe test coverage new/current, TBPL]: An exact fuzz test and m-i is green.
[Risks and why]: Low. This is a simple missing barrier -- the patch fixes an obvious bug and does not add any new infrastructure.
[String/UUID change made/needed]: None.
Attachment #8475137 - Flags: approval-mozilla-beta?
Attachment #8475137 - Flags: approval-mozilla-aurora?
Comment on attachment 8475137 [details] [diff] [review]

Approvals given.
Attachment #8475137 - Flags: sec-approval?
Attachment #8475137 - Flags: sec-approval+
Attachment #8475137 - Flags: approval-mozilla-beta?
Attachment #8475137 - Flags: approval-mozilla-beta+
Attachment #8475137 - Flags: approval-mozilla-aurora?
Attachment #8475137 - Flags: approval-mozilla-aurora+
The test code has changed a bit since beta, so I'll do the uplift manually.
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Manual backport to aurora.
Attachment #8475443 - Flags: review+
Manual backport to beta.
Attachment #8475444 - Flags: review+
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
Keywords: regression