Closed Bug 1183153 Opened 10 years ago Closed 9 years ago

Assertion failure: MIR instruction returned object with unexpected type, at js/src/jit/MacroAssembler.cpp:1789

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla43
Tracking Flags:
Tracking Status
firefox40 --- wontfix
firefox41 + verified
firefox42 + verified
firefox43 + verified
firefox-esr38 41+ fixed
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-v2.2r --- fixed
b2g-master --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][post-critsmash-triage][adv-main41+][adv-esr38.3+])

Attachments

(2 files)

Part 1 - Fix bug
3.76 KB, patch
Waldo
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-esr38+
abillings
: sec-approval+
Details | Diff | Splinter Review
Part 2 - Add test, asserts
1.72 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision eab21ec484bb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off): gczeal(1); var lfGlobal = newGlobal(); lfGlobal.offThreadCompileScript("(function* p() {});"); lfGlobal.runOffThreadScript(); Backtrace: Program received signal SIGTRAP, Trace/breakpoint trap. 0x00007ffff7fd321d in ?? () #0 0x00007ffff7fd321d in ?? () #1 0x00007ffff7e7c060 in ?? () #2 0x00007ffff7fe8bcd in ?? () #3 0x0000000000000204 in ?? () #4 0x00007ffff7e9e12a in ?? () #5 0x0000000000000000 in ?? () rax 0x7ffff4800000 140737295417344 rbx 0x7ffff69811c0 140737330549184 rcx 0x7ffff7e91610 140737352635920 rdx 0x7fffffffbf28 140737488338728 rsi 0x7ffff7e00000 140737352040448 rdi 0x7fffffffb7e0 140737488336864 rbp 0x7fffffffb8e0 140737488337120 rsp 0x7fffffffb878 140737488337016 r8 0x0 0 r9 0x7ffff4800000 140737295417344 r10 0xc7ce0c7ce0c7ce0d -4049285284472828403 r11 0x7ffff6c27960 140737333328224 r12 0x8 8 r13 0x7fffffffbf28 140737488338728 r14 0x204 516 r15 0x7fffffffbee0 140737488338656 rip 0x7ffff7fd321d 140737353953821 => 0x7ffff7fd321d: push %r10 0x7ffff7fd321f: push %r9 Filing s-s because the test involves GC.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/796283553115 user: Boris Zbarsky date: Wed Apr 01 12:05:29 2015 -0400 summary: Bug 679939 part 5. Stop using the compileAndGo script flag in the bytecode emitter. r=luke This iteration took 184.623 seconds to run.
Boris, can you take a look at this?
Flags: needinfo?(bzbarsky)
Chances are this is a preexisting jit bug, but I'll take a look on Monday if no one else has gotten to it first...
Flags: needinfo?(bzbarsky)
(In reply to Boris Zbarsky [:bz] from comment #4) > Chances are this is a preexisting jit bug, but I'll take a look on Monday if > no one else has gotten to it first... I think I know what's happening. Ion's MLambda for the generator function has a resultTypeSet (ObjectGroup) based on the function object created by the parser. This assumes the lambda cloning process will give the clone the same ObjectGroup. NewFunctionClone does this for generators: if (!proto && fun->isStarGenerator()) { cloneProto = GlobalObject::getOrCreateStarGeneratorFunctionPrototype(cx, cx->global()); ... The clone's ObjectGroup is based on the Class + proto. So if the proto we get here does not match our original function's proto, we get a different ObjectGroup and we fail this check. When we parse off-thread, as we're doing here, we'll create a new Zone and at the end we merge it back. This can probably lead to duplicate ObjectGroups: the original function and our clone will have different groups. In other words, js::Lambda needs to assert fun->group() == clone->group(), since that's an invariant Ion depends on. I'll see what's the easiest fix here.
Hm, the prototype fixup in finishParseTask calls IdentifyStandardPrototype, but that doesn't handle the generator function case, since Generator.prototype is not a generator. I'll see if we can special case this...
Flags: needinfo?(jdemooij)
Attached patch Part 1 - Fix bugSplinter Review
This patch fixes mergeParseTaskCompartment to give generator function groups the correct builtin prototype.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8639341 - Flags: review?(jwalden+bmo)
And this one has the test and adds some asserts to js::Lambda/js::LambdaArrow to catch this sooner. We can land this one once part 1 is on all branches.
Attachment #8639344 - Flags: review?(jwalden+bmo)
Comment on attachment 8639344 [details] [diff] [review] Part 2 - Add test, asserts Review of attachment 8639344 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/basic/bug1183153.js @@ +1,1 @@ > +gczeal(1); Name the test file something like offthread-generator-cloning.js or something other than a nondescript bug number. Ideally indicating what it's testing, but also making it easier to refer to the test file later, not just a long number that's hard to remember/find in a file listing.
Attachment #8639344 - Flags: review?(jwalden+bmo) → review+
Comment on attachment 8639341 [details] [diff] [review] Part 1 - Fix bug Review of attachment 8639341 [details] [diff] [review]: ----------------------------------------------------------------- Eeeeeugh the tactics being performed in this surrounding code are squirrely.
Attachment #8639341 - Flags: review?(jwalden+bmo) → review+
This sounds bad. Jandem, is this ready to land? Please put it up for sec-approval if so.
Flags: needinfo?(jdemooij)
Keywords: sec-high
Comment on attachment 8639341 [details] [diff] [review] Part 1 - Fix bug [Security approval request comment] > How easily could an exploit be constructed based on the patch? Not easily. Going from an off-thread parsing change to a TI exploit is not an obvious step. > Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. > Which older supported branches are affected by this flaw? The bisection says 40+, but I doubt that's correct. We should land this on all branches. > Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Shouldn't be hard. > How likely is this patch to cause regressions; how much testing does it need? Pretty unlikely. Also because generators are pretty rare on the web.
Attachment #8639341 - Flags: sec-approval?
I'm giving this sec-approval+ for checkin on 8/25 (two weeks into the cycle). You should nominate branch patches back to ESR38 so we can go everywhere after trunk checkin.
status-firefox40: --- → wontfix
status-firefox41: --- → affected
status-firefox43: --- → affected
status-firefox-esr38: --- → affected
tracking-firefox41: --- → +
tracking-firefox42: --- → +
tracking-firefox43: --- → +
tracking-firefox-esr38: --- → ?
Whiteboard: [jsbugmon:update] → [jsbugmon:update][checkin on 8/25]
Attachment #8639341 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/integration/mozilla-inbound/rev/60707ba97960
Flags: needinfo?(jdemooij) → in-testsuite?
Whiteboard: [jsbugmon:update][checkin on 8/25] → [jsbugmon:update]
https://hg.mozilla.org/mozilla-central/rev/60707ba97960 Please nominate this for Aurora/Beta/esr38 approval when you get a chance.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-b2g-master: affectedfixed
status-firefox43: affectedfixed
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8639341 [details] [diff] [review] Part 1 - Fix bug Approval Request Comment [Feature/regressing bug #]: Older off-thread-parsing/TI bug. [User impact if declined]: Security bugs. [Describe test coverage new/current, TreeHerder]: On m-c for a while. [Risks and why]: Low risk. Should only affect generators and those aren't used much on the web. [String/UUID change made/needed]: None.
Flags: needinfo?(jdemooij)
Attachment #8639341 - Flags: approval-mozilla-esr38?
Attachment #8639341 - Flags: approval-mozilla-beta?
Attachment #8639341 - Flags: approval-mozilla-aurora?
Comment on attachment 8639341 [details] [diff] [review] Part 1 - Fix bug sec high, taking it everywhere it is necessary
Attachment #8639341 - Flags: approval-mozilla-esr38?
Attachment #8639341 - Flags: approval-mozilla-esr38+
Attachment #8639341 - Flags: approval-mozilla-beta?
Attachment #8639341 - Flags: approval-mozilla-beta+
Attachment #8639341 - Flags: approval-mozilla-aurora?
Attachment #8639341 - Flags: approval-mozilla-aurora+
Group: core-security → core-security-release
Whiteboard: [jsbugmon:update] → [jsbugmon:update][post-critsmash-triage]
JSBugMon: This bug has been automatically verified fixed. JSBugMon: This bug has been automatically verified fixed on Fx41 JSBugMon: This bug has been automatically verified fixed on Fx42
Whiteboard: [jsbugmon:update][post-critsmash-triage] → [jsbugmon:update][post-critsmash-triage][adv-main41+][adv-esr38.3+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: