Closed Bug 1175714 Opened 4 years ago Closed 4 years ago

Assertion failure: !CurrentThreadIsIonCompilingSafeForMinorGC(), at jit/shared/Assembler-shared.h:228 or Assertion failure: !IsInsideNursery(&lir->object()->toConstant()->toObject()), at jit/CodeGenerator.cpp:2743


(Core :: JavaScript Engine, defect, critical)




Tracking Status
firefox39 --- unaffected
firefox40 --- unaffected
firefox41 + verified
firefox42 + verified
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed


(Reporter: decoder, Assigned: bhackett)


(Blocks 1 open bug)


(4 keywords, Whiteboard: [jsbugmon:update][b2g-adv-main2.5-])


(1 file)

The following testcase crashes on mozilla-central revision d7c148c84594 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

function foo() {
  var A = {x: 3};
  var B = Object.create(A);
  var C = Object.create(B);
  for (var i=0; i<30; "}") {}
} foo();


Program received signal SIGSEGV, Segmentation fault.
0x00000000008bed78 in js::jit::ImmGCPtr::ImmGCPtr (this=<optimized out>, ptr=<optimized out>) at js/src/jit/shared/Assembler-shared.h:227
#0  0x00000000008bed78 in js::jit::ImmGCPtr::ImmGCPtr (this=<optimized out>, ptr=<optimized out>) at js/src/jit/shared/Assembler-shared.h:227
#1  0x00000000009c68da in js::jit::MacroAssembler::guardObjectType (this=0x7ffff69bc058, obj=obj@entry=..., types=0x7ffff69b52b8, scratch=..., scratch@entry=..., miss=miss@entry=0x7fffffffbfa0) at js/src/jit/MacroAssembler.cpp:178
#2  0x0000000000850fff in js::jit::CodeGenerator::visitTypeBarrierO (this=0x7ffff69bc000, lir=0x7ffff4714c30) at js/src/jit/CodeGenerator.cpp:2659
#3  0x00000000008b569e in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff69bc000) at js/src/jit/CodeGenerator.cpp:4103
#4  0x00000000008b5e52 in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff69bc000) at js/src/jit/CodeGenerator.cpp:7779
#5  0x00000000008e2c07 in js::jit::GenerateCode (mir=mir@entry=0x7ffff69b0258, lir=0x7ffff69b7ba0) at js/src/jit/Ion.cpp:1720
#6  0x0000000000947cd1 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69b0258) at js/src/jit/Ion.cpp:1742
#7  0x000000000094f635 in js::jit::IonCompile (cx=cx@entry=0x7ffff691b4e0, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffc718, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2074
#8  0x0000000000954de4 in js::jit::Compile (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc718, osrPc=osrPc@entry=0x7ffff6926b9c "\343\201V", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2233
#9  0x0000000000955071 in js::jit::CanEnterAtBranch (cx=cx@entry=0x7ffff691b4e0, script=0x7ffff7e5e1f0, osrFrame=osrFrame@entry=0x7fffffffc718, pc=pc@entry=0x7ffff6926b9c "\343\201V") at js/src/jit/Ion.cpp:2315
#10 0x0000000000843006 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff6926b9c "\343\201V", script=..., frame=0x7fffffffc718, cx=0x7ffff691b4e0) at js/src/jit/BaselineIC.cpp:65
#11 js::jit::DoWarmUpCounterFallback (cx=0x7ffff691b4e0, frame=0x7fffffffc718, stub=<optimized out>, infoPtr=0x7fffffffc6d0) at js/src/jit/BaselineIC.cpp:229
#12 0x00007ffff7feffd9 in ?? ()
#13 0x00007fffffffc758 in ?? ()
#14 0x00007fffffffc698 in ?? ()
#15 0x0000000000000008 in ?? ()
#16 0x0000000001a66480 in js::jit::DoTypeMonitorFallbackInfo ()
#17 0x00007ffff7e51fa0 in ?? ()
#18 0x00007ffff7ff2017 in ?? ()
#19 0x0000000000000302 in ?? ()
#20 0x00007fffffffc718 in ?? ()
#21 0x00007ffff6993920 in ?? ()
#22 0x00007fffffffc6d0 in ?? ()
#23 0x0000000000000000 in ?? ()

Marking s-s because GC seems to be involved.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150613075443" and the hash "3a994e364343".
The "bad" changeset has the timestamp "20150613081143" and the hash "fd36716d1f9d".

Likely regression window:
ni bhackett based on the regression window in comment 1
Flags: needinfo?(bhackett1024)
Attached patch: patch
Nursery types could get into temporary type sets during IonBuilder when they were read off the baseline frame for OSR.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8628367 - Flags: review?(jdemooij)
Attachment #8628367 - Flags: review?(jdemooij) → review+
Comment on attachment 8628367 [details] [diff] [review]

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?


Which older supported branches are affected by this flaw?


If not all supported branches, which bug introduced the flaw?

bug 1162986

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?


How likely is this patch to cause regressions; how much testing does it need?

not at all

Approval Request Comment
[Feature/regressing bug #]: bug 1162986
[User impact if declined]: exploitable crashes
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
Attachment #8628367 - Flags: sec-approval?
Attachment #8628367 - Flags: approval-mozilla-aurora?
Keywords: sec-high
Comment on attachment 8628367 [details] [diff] [review]

Approvals given.
Attachment #8628367 - Flags: sec-approval?
Attachment #8628367 - Flags: sec-approval+
Attachment #8628367 - Flags: approval-mozilla-aurora?
Attachment #8628367 - Flags: approval-mozilla-aurora+
Sorry, I should have used isSingletonUnchecked.
Flags: needinfo?(bhackett1024)
Closed: 4 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx41
Depends on: 1186226
No longer depends on: 1186226
Group: core-security → core-security-release
Group: core-security-release
Whiteboard: [jsbugmon:update] → [jsbugmon:update][b2g-adv-main2.5-]