Closed
Bug 1209471
Opened 9 years ago
Closed 9 years ago
Assertion failure: MIR instruction returned object with unexpected type, at js/src/jit/MacroAssembler.cpp:1531
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla44
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+])
Attachments (1 file)
patch (708 bytes)
  jandem: review+
  abillings: approval-mozilla-aurora+
  abillings: approval-mozilla-beta+
  abillings: sec-approval+
The following testcase crashes on mozilla-central revision 79a5b2968d01 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

function foo() {
  Object.prototype[2] = 2;
  delete Object.prototype[2];
  for (var i = 9; i < 10; i & 1970 & Function ^ (this) ^ (this))
    assertEq([2].concat([3])[0], 2);
}
foo();

Backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7fd1a4e in ?? ()
#0  0x00007ffff7fd1a4e in ?? ()
#1  0x00007fffffffc570 in ?? ()
#2  0xfff9000000000000 in ?? ()
#3  0xfff8800000000002 in ?? ()
#4  0xfff8800000000002 in ?? ()
#5  0x0000000000000000 in ?? ()
rax            0x7ffff4800000   140737295417344
rbx            0x7ffff48fffa0   140737296465824
rcx            0x7ffff7e5c6d0   140737352419024
rdx            0x7fffffffccd0   140737488342224
rsi            0x7ffff6907400   140737330050048
rdi            0x7fffffffc798   140737488340888
rbp            0x7fffffffc868   140737488341096
rsp            0x7fffffffc828   140737488341032
r8             0x1              1
r9             0x7ffff6907420   140737330050080
r10            0x7fffffffc580   140737488340352
r11            0x7ffff6c27960   140737333328224
r12            0x8              8
r13            0x7ffff47fc0b0   140737295401136
r14            0x7ffff7e610c0   140737352437952
r15            0x0              0
rip            0x7ffff7fd1a4e   140737353947726
=> 0x7ffff7fd1a4e:      push   %r10
   0x7ffff7fd1a50:      push   %r9

Marking s-s because this assertion is known to be security-related.
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/19d5d9619443
user:        Brian Hackett
date:        Sun Jun 14 08:02:44 2015 -0700
summary:     Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem.

This iteration took 192.722 seconds to run.
Updated•9 years ago
Flags: needinfo?(bhackett1024)
Comment 2•9 years ago (Assignee)
I don't think bug 1162986 is at fault here. The basic problem here is that when we Ion compile Array.concat we assume a particular result group for the result of the concat, but when we execute we can go down a path in array_concat which creates an array with a generic unknown-properties group instead. Unfortunately this problem seems to go back pretty far, including to before the unboxed array changes in jsarray.cpp.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8668988 - Flags: review?(jdemooij)
Comment 3•9 years ago (Assignee)
Comment on attachment 8668988 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
not easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
no

Which older supported branches are affected by this flaw?
all of them, I think

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
backports should be simple

How likely is this patch to cause regressions; how much testing does it need?
not at all

Approval Request Comment
[User impact if declined]: potential exploit
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
Attachment #8668988 - Flags: sec-approval?
Attachment #8668988 - Flags: approval-mozilla-beta?
Attachment #8668988 - Flags: approval-mozilla-aurora?
Updated•9 years ago
status-firefox41: --- → affected
status-firefox42: --- → affected
status-firefox43: --- → affected
status-firefox-esr38: --- → affected
Keywords: sec-high
Updated•9 years ago
tracking-firefox42: --- → +
tracking-firefox43: --- → +
tracking-firefox44: --- → +
tracking-firefox-esr38: --- → 42+
Comment 4•9 years ago
Comment on attachment 8668988 [details] [diff] [review] patch Approvals given. We'll want an ESR38 patch as well.
Attachment #8668988 - Flags: sec-approval? → sec-approval+
Attachment #8668988 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8668988 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•9 years ago
Attachment #8668988 - Flags: review?(jdemooij) → review+
Comment 5•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b17006f337c4
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 89732fcdb0ba).
Comment 7•9 years ago
https://hg.mozilla.org/mozilla-central/rev/b17006f337c4
Target Milestone: --- → mozilla44
Comment 8•9 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/02fe292b9b56
https://hg.mozilla.org/releases/mozilla-esr38/rev/6346ba104122
https://hg.mozilla.org/releases/mozilla-aurora/rev/248a05c6ec77
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
status-b2g-v2.0: --- → wontfix
status-b2g-v2.0M: --- → wontfix
status-b2g-v2.1: --- → wontfix
status-b2g-v2.1S: --- → wontfix
status-b2g-v2.2: --- → affected
status-b2g-v2.2r: --- → affected
status-b2g-master: --- → fixed
Updated•9 years ago
Status: RESOLVED → VERIFIED
Comment 9•9 years ago
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx42
JSBugMon: This bug has been automatically verified fixed on Fx43
This broke the build on esr38: https://treeherder.mozilla.org/logviewer.html#?job_id=33731&repo=mozilla-esr38
Backing it out in https://hg.mozilla.org/releases/mozilla-esr38/rev/d1b871aabbe6
Flags: needinfo?(bhackett1024)
Updated•9 years ago
Group: javascript-core-security → core-security-release
Comment 11•9 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-esr38/rev/2d309862d622
Flags: needinfo?(bhackett1024)
Updated•9 years ago
Updated•9 years ago
This broke builds like https://treeherder.mozilla.org/logviewer.html#?job_id=171331&repo=mozilla-b2g37_v2_2
Backed out from 2.2 in https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/8757922a2c3b
Flags: needinfo?(bhackett1024)
Comment 14•9 years ago (Assignee)
b2g37_v2_2 should call TryReuseArrayType instead of TryReuseArrayGroup.
Flags: needinfo?(bhackett1024)
I'll land that when I get home tonight. ni? to remind me.
Flags: needinfo?(wkocher)
https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/d546c2eb1c0c
Flags: needinfo?(wkocher)
Updated•9 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+]
Updated•8 years ago
Group: core-security-release