Closed Bug 1096016 Opened 10 years ago Closed 10 years ago

Crash [@ compartment] or Crash [@ ObjectType] with poisoned crash pattern and TypedObject

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical


VERIFIED FIXED
mozilla36
Tracking Status
firefox34 --- unaffected
firefox35 --- unaffected
firefox36 --- verified
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.2 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision d380166816dd (run with --no-threads --fuzzing-safe --ion-eager):

var T = TypedObject;
// A struct whose field f holds an object reference.
var ObjectStruct = new T.StructType({f: T.Object});
var o = new ObjectStruct();
function testGC(o, p) {
  for (var i = 0; i < 5; i++) {
    minorgc();
    // Compound assignment: the numeric result is converted back to an object for f.
    o.f >>= p;
  }
}
testGC(o, {});

Crash trace for the optimized build:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007acb42 in ObjectType (obj=<optimized out>) at js/src/jsinferinlines.h:129
129         return Type(uintptr_t(obj) | 1);
#0  0x00000000007acb42 in ObjectType (obj=<optimized out>) at js/src/jsinferinlines.h:129
#1  GetValueType (val=...) at js/src/jsinferinlines.h:153
#2  GetValueType (val=...) at js/src/jsinfer.cpp:3608
#3  js::types::TypeMonitorResult (cx=0x16bf6d0, script=0x7ffff7e604a0, pc=0x1781ff5 ":", rval=...) at js/src/jsinfer.cpp:3619
#4  0x00000000005c8c93 in Monitor (rval=..., pc=<optimized out>, script=0x7ffff7e604a0, cx=0x16bf6d0) at js/src/jsinferinlines.h:753
#5  js::jit::DoTypeMonitorFallback (cx=0x16bf6d0, frame=<optimized out>, stub=0x16eff68, value=..., res=...) at js/src/jit/BaselineIC.cpp:1311
#6  0x00007ffff7ff250e in ?? ()
rcx            0x2b2b2b2b	3110627432037296939
=> 0x7acb42 <js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+242>:	cmpq   $0x0,0x10(%rcx)

Marked s-s based on crash pattern. Needinfo from :nmatsakis as this seems to be a problem with TypedObject.
Crash Signature: [@ compartment] or Crash [@ ObjectType] → [@ compartment] [@ ObjectType]
Flags: needinfo?(nmatsakis)
Whiteboard: [jsbugmon:update,bisect]
Crash Signature: [@ compartment] [@ ObjectType] → [@ compartment] [@ ObjectType]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4bdc3391644e
user: Brian Hackett
date: Tue Nov 04 18:21:47 2014 -0700
summary: Bug 1091329 - Optimize writes to reference members of TypedObjects, r=nmatsakis,jandem.

This iteration took 356.618 seconds to run.

(In reply to Christian Holler (:decoder) from comment #3)
> JSBugMon: Bisection requested, result:
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/4bdc3391644e
> user: Brian Hackett
> date: Tue Nov 04 18:21:47 2014 -0700
> summary: Bug 1091329 - Optimize writes to reference members of
> TypedObjects, r=nmatsakis,jandem.
>
> This iteration took 356.618 seconds to run.

Could the above changeset have caused this?
Crash Signature: [@ compartment] [@ ObjectType] → [@ compartment] [@ ObjectType]
Flags: needinfo?(bhackett1024)
Attached patch: patch
The code adding post barriers for writes to typed objects is wrong, as the logic looks at the input value before any ToObjectOrNull instruction is inserted, and if the ToObjectOrNull produces a nursery object we don't end up with a post barrier.
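As an added illustration (constructed toy model, not SpiderMonkey code and not part of this bug), a miniature generational heap showing why deciding the post barrier on the input value before ToObjectOrNull runs loses the barrier: the number gets boxed into a fresh nursery object, the tenured field's new nursery pointer is never recorded, and after a minor GC the field reads back the freed-memory poison instead of the tenured copy. All names (Heap, storeBuggy, storeFixed, readBackAfterMinorGC) are hypothetical.

```cpp
#include <memory>
#include <set>
#include <vector>
// Constructed toy model of a generational heap; not SpiderMonkey code.
struct Obj { long payload; Obj* ref = nullptr; Obj* forwarded = nullptr; };
static const long POISON = 0x2b2b2b2b;  // stands in for the freed-nursery poison
struct Heap {
    std::vector<std::unique_ptr<Obj>> nursery, tenured, freed;
    std::set<Obj**> rememberedSet;  // tenured slots known to point into the nursery
    Obj* alloc(bool tenure, long v) {
        auto& space = tenure ? tenured : nursery;
        space.push_back(std::make_unique<Obj>(Obj{v})); return space.back().get();
    }
    bool inNursery(const Obj* o) const {
        for (auto& p : nursery) if (p.get() == o) return true; return false;
    }
    // Post barrier: record a slot that now holds a nursery pointer.
    void postBarrier(Obj** slot) { if (*slot && inNursery(*slot)) rememberedSet.insert(slot); }
    // Minor GC: tenure every nursery object, patch only remembered slots, poison the old copies.
    void minorGC() {
        for (auto& p : nursery) p->forwarded = alloc(true, p->payload);
        for (Obj** slot : rememberedSet) *slot = (*slot)->forwarded;
        for (auto& p : nursery) { p->payload = POISON; freed.push_back(std::move(p)); }
        nursery.clear(); rememberedSet.clear();
    }
};
struct Value { bool isObject; long num; Obj* obj; };  // a JS value: number or object
// ToObjectOrNull: objects pass through; a number is boxed into a fresh nursery object.
static Obj* toObjectOrNull(Heap& h, const Value& v) { return v.isObject ? v.obj : h.alloc(false, v.num); }
// Buggy write (the pattern described above): barrier decided on the input value,
// before ToObjectOrNull has run, so a freshly boxed nursery object gets no barrier.
static void storeBuggy(Heap& h, Obj** slot, Value v) {
    bool needBarrier = v.isObject && h.inNursery(v.obj);
    *slot = toObjectOrNull(h, v);
    if (needBarrier) h.postBarrier(slot);
}
// Fixed write: decide on what is actually stored, after the conversion.
static void storeFixed(Heap& h, Obj** slot, Value v) {
    *slot = toObjectOrNull(h, v);
    h.postBarrier(slot);
}
// Store a number into a tenured object's reference field, run a minor GC, read it back.
static long readBackAfterMinorGC(bool fixed) {
    Heap h;
    Obj* typedObj = h.alloc(true, 0);  // long-lived typed object whose field we write
    Value number{false, 42, nullptr};
    if (fixed) storeFixed(h, &typedObj->ref, number); else storeBuggy(h, &typedObj->ref, number);
    h.minorGC();
    return typedObj->ref->payload;  // 42 when the barrier fired, POISON when it was skipped
}
```

The freed nursery copies are kept alive in `freed` only so the stale read is defined behaviour in the model; a real engine would be reading unmapped or reused memory, which is the poisoned-pointer crash in the trace above.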
Assignee: nobody → bhackett1024
Flags: needinfo?(nmatsakis)
Flags: needinfo?(bhackett1024)
Attachment #8520213 - Flags: review?(nmatsakis)
Keywords: sec-high
Attachment #8520213 - Flags: review?(nmatsakis) → review+
Comment on attachment 8520213 [details] [diff] [review]
patch

Review of attachment 8520213 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonBuilder.cpp
@@ +11332,5 @@
>          break;
>        case ReferenceTypeDescr::TYPE_OBJECT:
> +        // Note: post barriers for object writes are added by the instruction's
> +        // type policy, which may insert ToObjectOrNull instructions that
> +        // affect whether a post barrier is needed.

I think this comment could be clarified. Something like:

// Note: We cannot necessarily tell at this point whether a post barrier is needed, because the type policy may insert ToObjectOrNull instructions later, and those may require a post barrier. Therefore, defer the insertion of post barriers to the type policy.
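Review bot: the quoted hunk at the TYPE_OBJECT case shows only the new comment, not the removal of the early post-barrier emission that comment 5 describes as wrong, so the review should confirm in the full patch that the type policy's ToObjectOrNull path is now the sole place a barrier is added for this store, and that the minorgc loop from comment 0 lands as a regression test alongside it.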
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Status: RESOLVED → VERIFIED
Crash Signature: [@ compartment] [@ ObjectType] → [@ compartment] [@ ObjectType]
JSBugMon: This bug has been automatically verified fixed.
Crash Signature: [@ compartment] [@ ObjectType] → [@ compartment] [@ ObjectType]
Group: core-security