Closed Bug 1209471 Opened 9 years ago Closed 9 years ago

Assertion failure: MIR instruction returned object with unexpected type, at js/src/jit/MacroAssembler.cpp:1531

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla44
Tracking Status
firefox41 --- wontfix
firefox42 + verified
firefox43 + verified
firefox44 + verified
firefox-esr38 42+ fixed
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- wontfix
b2g-v2.2 --- fixed
b2g-v2.2r --- fixed
b2g-master --- fixed
thunderbird_esr38 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 79a5b2968d01 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

function foo() {
  Object.prototype[2] = 2;
  delete Object.prototype[2];
  for (var i = 9; i < 10; i & 1970 & Function ^ (this) ^ (this))
    assertEq([2].concat([3])[0], 2);
}
foo();

Backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7fd1a4e in ?? ()
#0  0x00007ffff7fd1a4e in ?? ()
#1  0x00007fffffffc570 in ?? ()
#2  0xfff9000000000000 in ?? ()
#3  0xfff8800000000002 in ?? ()
#4  0xfff8800000000002 in ?? ()
#5  0x0000000000000000 in ?? ()
rax            0x7ffff4800000   140737295417344
rbx            0x7ffff48fffa0   140737296465824
rcx            0x7ffff7e5c6d0   140737352419024
rdx            0x7fffffffccd0   140737488342224
rsi            0x7ffff6907400   140737330050048
rdi            0x7fffffffc798   140737488340888
rbp            0x7fffffffc868   140737488341096
rsp            0x7fffffffc828   140737488341032
r8             0x1      1
r9             0x7ffff6907420   140737330050080
r10            0x7fffffffc580   140737488340352
r11            0x7ffff6c27960   140737333328224
r12            0x8      8
r13            0x7ffff47fc0b0   140737295401136
r14            0x7ffff7e610c0   140737352437952
r15            0x0      0
rip            0x7ffff7fd1a4e   140737353947726
=> 0x7ffff7fd1a4e:   push   %r10
   0x7ffff7fd1a50:   push   %r9

Marking s-s because this assertion is known to be security-related.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/19d5d9619443
user:        Brian Hackett
date:        Sun Jun 14 08:02:44 2015 -0700
summary:     Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem.

This iteration took 192.722 seconds to run.
Flags: needinfo?(bhackett1024)
Attached patch: patch (Splinter Review)
I don't think bug 1162986 is at fault here. The basic problem here is that when we Ion compile Array.concat we assume a particular result group for the result of the concat, but when we execute we can go down a path in array_concat which creates an array with a generic unknown-properties group instead. Unfortunately this problem seems to go back pretty far, including to before the unboxed array changes in jsarray.cpp.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8668988 - Flags: review?(jdemooij)
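As an added illustration of the reproducer pattern described in the comment above, and not code from this bug, from the patch, or from SpiderMonkey's test suite: a small harness in plain ECMAScript that performs the same Object.prototype indexed write/delete and then runs Array.prototype.concat in a hot loop, counting results that disagree with the expected element-wise concatenation. The function names, the iteration count and the extra input shapes are my own additions; that the prototype manipulation is what steers array_concat onto the slow path that builds an array with a different group is an inference from the comment, not something taken from the engine source. The MIR type assertion itself only fires in a debug SpiderMonkey build run with --ion-extra-checks; in Node, or in a fixed engine, the harness simply reports zero mismatches, which is what a regression test for this fix would assert.

```javascript
// Added example, not from bug 1209471 or from SpiderMonkey itself.
// Assumes only standard ECMAScript, so it runs in Node or in the js shell.

// Step 1 of the reproducer: add an indexed property to Object.prototype and
// delete it again. Every array has Object.prototype on its prototype chain,
// so this is presumably what pushes Array.prototype.concat off its fast
// path (inference from the bug comment, not from the engine source).
function perturbPrototypeChain(index) {
  Object.prototype[index] = index;
  delete Object.prototype[index];
}

// Step 2: run the same concat in a hot loop so a JIT compiles the caller
// with whatever result type it assumed, then compare every result against
// the element-wise concatenation computed without concat. Returns the
// number of iterations whose result was wrong, so a test can assert zero.
function concatMismatches(left, right, iterations) {
  const expected = [...left, ...right];
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    const result = left.concat(right);
    const ok = result.length === expected.length &&
               result.every((value, k) => value === expected[k]);
    if (!ok) {
      mismatches++;
    }
  }
  return mismatches;
}

// Drives the two steps over several input shapes (the original testcase
// only used [2].concat([3])). Returns one mismatch count per input shape.
function runReproducer(iterations = 10000) {
  perturbPrototypeChain(2);
  const cases = [
    [[2], [3]],              // the shape from the original testcase
    [[1, 2, 3], []],         // empty right operand
    [[], [4, 5]],            // empty left operand
    [[{ a: 1 }], [2, 'x']],  // mixed element types, compared by identity
  ];
  return cases.map(([left, right]) => concatMismatches(left, right, iterations));
}

// Stand-alone run: prints one count per case, all 0 on a correct engine.
console.log(runReproducer());
```

The harness cannot observe the internal group mismatch the comment describes; what it checks is the observable contract that concat's result must honour regardless of which allocation path the engine took. Under --ion-extra-checks on an affected debug build the assertion trips long before the comparison runs.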
Comment on attachment 8668988 [details] [diff] [review]
patch

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
not easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
no

Which older supported branches are affected by this flaw?
all of them, I think

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
backports should be simple

How likely is this patch to cause regressions; how much testing does it need?
not at all

Approval Request Comment
[User impact if declined]: potential exploit
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
Attachment #8668988 - Flags: sec-approval?
Attachment #8668988 - Flags: approval-mozilla-beta?
Attachment #8668988 - Flags: approval-mozilla-aurora?
Comment on attachment 8668988 [details] [diff] [review]
patch

Approvals given. We'll want an ESR38 patch as well.
Attachment #8668988 - Flags: sec-approval?
Attachment #8668988 - Flags: sec-approval+
Attachment #8668988 - Flags: approval-mozilla-beta?
Attachment #8668988 - Flags: approval-mozilla-beta+
Attachment #8668988 - Flags: approval-mozilla-aurora?
Attachment #8668988 - Flags: approval-mozilla-aurora+
Attachment #8668988 - Flags: review?(jdemooij) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 89732fcdb0ba).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx42
JSBugMon: This bug has been automatically verified fixed on Fx43
Group: javascript-core-security → core-security-release
b2g37_v2_2 should call TryReuseArrayType instead of TryReuseArrayGroup.
Flags: needinfo?(bhackett1024)
I'll land that when I get home tonight. ni? to remind me.
Flags: needinfo?(wkocher)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+]
Group: core-security-release