Closed Bug 1060276 Opened 10 years ago Closed 10 years ago

Assertion failure: hasSlot() && !hasMissingSlot(), at vm/Shape.h:922 or Crash [@ js::types::TemporaryTypeSet::propertyIsConstant] with invalid read

Categories

Product / Component: Core :: JavaScript Engine
Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla35
Tracking Status
firefox33 --- unaffected
firefox34 --- fixed
firefox35 --- verified
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- fixed
b2g-v2.2 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:][b2g-adv-main2.2-])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision d697d649c765 (run with --no-threads --fuzzing-safe --ion-eager):


function $ERROR(message) {}
function runTestCase() { $ERROR(); }
loadFile("String = Array;");
function range(n, m) {
  var result = [];
  return result;
}
function assertStructuralEq(e1) {
    if (e1 instanceof Array) {}
}
function assertParallelExecSucceeds(opFunction) {
  while (true) { opFunction(); break; }
}
function assertArraySeqParResultsEq(arr, op, func) {
  var e = arr[op].apply(arr, [func]);
  assertParallelExecSucceeds(function (r) { assertStructuralEq(e); });
}
loadFile("assertArraySeqParResultsEq(range(0, 1024), 'map', function() { return c.foo; });");
function testcase(x) {}
runTestCase(testcase);
function newFunc(x) { new Function(x)(); };
newFunc("prototype($ERROR[5], 0); (typeof String.prototype.length )");
function loadFile(lfVarx) {
  if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1)
    evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
}
Crash trace:


Program received signal SIGSEGV, Segmentation fault.
constant (valOut=0x7fffffffb740, constraints=0x169dcb8, this=0x7fffffffb6e0) at js/src/jsinfer.cpp:1802
1802        Value val = object()->singleton()->nativeGetSlot(shape->slot());
#0  constant (valOut=0x7fffffffb740, constraints=0x169dcb8, this=0x7fffffffb6e0) at js/src/jsinfer.cpp:1802
#1  js::types::TemporaryTypeSet::propertyIsConstant (this=<optimized out>, constraints=0x169dcb8, id=..., valOut=0x7fffffffb740) at js/src/jsinfer.cpp:1933
#2  0x0000000000649748 in getPropTryInferredConstant (name=0x7ffff7e1c2b0, obj=0x1772ed8, emitted=0x7fffffffb74f, this=0x169dd30) at js/src/jit/IonBuilder.cpp:8784
#3  js::jit::IonBuilder::jsop_getprop (this=0x169dd30, name=0x7ffff7e1c2b0) at js/src/jit/IonBuilder.cpp:8681
#4  0x000000000064cd82 in js::jit::IonBuilder::inspectOpcode (this=0x169dd30, op=<optimized out>) at js/src/jit/IonBuilder.cpp:1674
#5  0x000000000064dbd4 in js::jit::IonBuilder::traverseBytecode (this=0x169dd30) at js/src/jit/IonBuilder.cpp:1281
#6  0x000000000064e607 in build (this=0x169dd30) at js/src/jit/IonBuilder.cpp:748
#7  js::jit::IonBuilder::build (this=0x169dd30) at js/src/jit/IonBuilder.cpp:640
rbp     0x9699418       157914136
=> 0x765f03 <js::types::TemporaryTypeSet::propertyIsConstant(js::types::CompilerConstraintList*, jsid, JS::Value*)+387>:        mov    0x0(%rbp),%rax


Looks like rbp has been overwritten/clobbered, marking sec-critical.
Keywords: crash, sec-critical
Whiteboard: [jsbugmon:update,bisect]
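To make the crashing line of the trace (jsinfer.cpp:1802, `nativeGetSlot(shape->slot())`) concrete, here is an added illustration in C++. It is not SpiderMonkey code and not part of this bug; the `Shape`/`NativeObject` layout, the `SHAPE_INVALID_SLOT` sentinel, the sample object and the property names are all invented for the example. It models the two halves of the failing assertion (`hasSlot()` and `!hasMissingSlot()`) as separate predicates and shows an unguarded constant-property read indexing the slot array with an invalid slot, beside a guarded version that declines instead of reading out of bounds.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical, heavily simplified model of the shape/slot lookup on the
// crashing line of the trace (jsinfer.cpp:1802). Added illustration, not
// SpiderMonkey code: names mirror the trace for readability, the data
// layout is invented.

using Value = int64_t;
constexpr uint32_t SHAPE_INVALID_SLOT = UINT32_MAX;  // "no slot assigned"

struct Shape {
    std::string name;
    bool shared;    // shared/accessor-style property: never backed by a slot
    uint32_t slot;  // slot index, or SHAPE_INVALID_SLOT if none assigned

    // The two predicates in the failing assertion, modelled separately
    // because they can disagree: hasSlot() is about the property kind,
    // hasMissingSlot() about whether an index was actually assigned.
    bool hasSlot() const { return !shared; }
    bool hasMissingSlot() const { return slot == SHAPE_INVALID_SLOT; }

    // A release build has no assertion here; it hands back whatever is stored.
    uint32_t slotIndex() const { return slot; }
};

struct NativeObject {
    std::vector<Value> slots;   // fixed + dynamic slots collapsed into one array
    std::vector<Shape> shapes;

    // Unchecked read, as on the crashing line. vector::at() stands in for the
    // sanitizer here; the real engine simply reads out of bounds.
    Value nativeGetSlot(uint32_t slot) const { return slots.at(slot); }

    const Shape* lookup(const std::string& name) const {
        for (const Shape& s : shapes)
            if (s.name == name) return &s;
        return nullptr;
    }
};

// Unguarded path: trust the shape and read its slot.
std::optional<Value> propertyIsConstantUnchecked(const NativeObject& singleton,
                                                 const std::string& name) {
    const Shape* shape = singleton.lookup(name);
    if (!shape) return std::nullopt;
    return singleton.nativeGetSlot(shape->slotIndex());
}

// Guarded path: only a data property with a real, in-range slot may be baked
// into jitcode as a constant; anything else declines and leaves the generic
// property access in place.
std::optional<Value> propertyIsConstantChecked(const NativeObject& singleton,
                                               const std::string& name) {
    const Shape* shape = singleton.lookup(name);
    if (!shape || !shape->hasSlot() || shape->hasMissingSlot()) return std::nullopt;
    if (shape->slotIndex() >= singleton.slots.size()) return std::nullopt;
    return singleton.nativeGetSlot(shape->slotIndex());
}

// Constructed sample: a singleton resembling Array.prototype with one ordinary
// data property, a slotless shared "length" (assumption: that is how an
// array's length was represented in SpiderMonkey at the time) and a data
// property whose slot has not been assigned yet.
NativeObject makeArrayPrototypeLike() {
    NativeObject obj;
    obj.slots = {42};
    obj.shapes = {
        {"foo", /*shared=*/false, /*slot=*/0},
        {"length", /*shared=*/true, SHAPE_INVALID_SLOT},
        {"pending", /*shared=*/false, SHAPE_INVALID_SLOT},
    };
    return obj;
}

// True if the unchecked path would read outside the slot array for this
// property, i.e. what a sanitizer (or the SIGSEGV in the trace) would flag.
bool uncheckedReadIsOutOfBounds(const NativeObject& obj, const std::string& name) {
    try {
        (void)propertyIsConstantUnchecked(obj, name);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    NativeObject proto = makeArrayPrototypeLike();
    for (const char* name : {"foo", "length", "pending"}) {
        std::optional<Value> v = propertyIsConstantChecked(proto, name);
        std::printf("%-8s checked: %s  unchecked out-of-bounds: %s\n", name,
                    v ? std::to_string(*v).c_str() : "declined",
                    uncheckedReadIsOutOfBounds(proto, name) ? "yes" : "no");
    }
    return 0;
}
```

The point of the guarded version is that the validity of a slot is a property of the shape, not of the object: a singleton can carry shapes that will never have a slot (the shared `length` here) or do not have one yet (the `pending` shape), and an optimization that reads `slots[shape->slot()]` has to rule both out before indexing.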
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3a545eb9828b
user:        Brian Hackett
date:        Tue Aug 26 12:30:36 2014 -0700
summary:     Bug 894596 - Bake constant valued object properties into jitcode when possible, r=jandem, patch mostly written by djvj.

This iteration took 333.475 seconds to run.
Needinfo from djvj, also cc'ing bhackett for help :)
Flags: needinfo?(kvijayan)
jsfunfuzz is hitting this quite a lot, setting [fuzzblocker].
Keywords: regression
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Attachment #8481163 - Attachment is obsolete: true
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f7a27a866c47).
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/91c1baf5b733
user:        Brian Hackett
date:        Sun Sep 07 10:27:31 2014 -0600
summary:     Bug 1063598 - Infer constant properties even when the type property has not yet been instantiated, r=jandem.

This iteration took 362.682 seconds to run.
Brian, is the patch in comment 8 a likely fix for this issue too?
Flags: needinfo?(bhackett1024)
(In reply to Christian Holler (:decoder) from comment #9)
> Brian, is the patch in comment 8 a likely fix for this issue too?

Yeah.
Flags: needinfo?(bhackett1024)
Fixed by bug 1063598.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → WORKSFORME
-> FIXED because there is a known fix.
Resolution: WORKSFORME → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Does this impact ESR?
Flags: needinfo?(dveditz)
Assignee: nobody → bhackett1024
Target Milestone: --- → mozilla35
Group: core-security
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:][b2g-adv-main2.2-]