Assertion failure: MIR instruction returned object with unexpected type, at js/src/jit/MacroAssembler.cpp:1531

VERIFIED FIXED in Firefox 42



4 years ago
3 years ago


(Reporter: decoder, Assigned: bhackett)


(Blocks 1 bug, 4 keywords)


Firefox Tracking Flags

(firefox41 wontfix, firefox42+ verified, firefox43+ verified, firefox44+ verified, firefox-esr3842+ fixed, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 fixed, b2g-v2.2r fixed, b2g-master fixed, thunderbird_esr38 fixed)


(Whiteboard: [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+])


(1 attachment)



4 years ago
The following testcase crashes on mozilla-central revision 79a5b2968d01 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

function foo() {
  Object.prototype[2] = 2;
  delete Object.prototype[2];
  for (var i = 9; i < 10; i & 1970 & Function ^ (this) ^ (this))
    assertEq([2].concat([3])[0], 2);
} foo();


Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7fd1a4e in ?? ()
#0  0x00007ffff7fd1a4e in ?? ()
#1  0x00007fffffffc570 in ?? ()
#2  0xfff9000000000000 in ?? ()
#3  0xfff8800000000002 in ?? ()
#4  0xfff8800000000002 in ?? ()
#5  0x0000000000000000 in ?? ()
rax	0x7ffff4800000	140737295417344
rbx	0x7ffff48fffa0	140737296465824
rcx	0x7ffff7e5c6d0	140737352419024
rdx	0x7fffffffccd0	140737488342224
rsi	0x7ffff6907400	140737330050048
rdi	0x7fffffffc798	140737488340888
rbp	0x7fffffffc868	140737488341096
rsp	0x7fffffffc828	140737488341032
r8	0x1	1
r9	0x7ffff6907420	140737330050080
r10	0x7fffffffc580	140737488340352
r11	0x7ffff6c27960	140737333328224
r12	0x8	8
r13	0x7ffff47fc0b0	140737295401136
r14	0x7ffff7e610c0	140737352437952
r15	0x0	0
rip	0x7ffff7fd1a4e	140737353947726
=> 0x7ffff7fd1a4e:	push   %r10
   0x7ffff7fd1a50:	push   %r9

Marking s-s because this assertion is known to be security-related.


4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Brian Hackett
date:        Sun Jun 14 08:02:44 2015 -0700
summary:     Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem.

This iteration took 192.722 seconds to run.
Flags: needinfo?(bhackett1024)

Comment 2

4 years ago
Posted patch patchSplinter Review
I don't think bug 1162986 is at fault here.  The basic problem here is that when we Ion compile Array.concat we assume a particular result group for the result of the concat, but when we execute we can go down a path in array_concat which creates an array with a generic unknown-properties group instead.  Unfortunately this problem seems to go back pretty far, including to before the unboxed array changes in jsarray.cpp.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8668988 - Flags: review?(jdemooij)

Comment 3

4 years ago
Comment on attachment 8668988 [details] [diff] [review]

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

not easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?


Which older supported branches are affected by this flaw?

all of them, I think

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

backports should be simple

How likely is this patch to cause regressions; how much testing does it need?

not at all

Approval Request Comment
[User impact if declined]: potential exploit
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
Attachment #8668988 - Flags: sec-approval?
Attachment #8668988 - Flags: approval-mozilla-beta?
Attachment #8668988 - Flags: approval-mozilla-aurora?
Comment on attachment 8668988 [details] [diff] [review]

Approvals given. We'll want an ESR38 patch as well.
Attachment #8668988 - Flags: sec-approval?
Attachment #8668988 - Flags: sec-approval+
Attachment #8668988 - Flags: approval-mozilla-beta?
Attachment #8668988 - Flags: approval-mozilla-beta+
Attachment #8668988 - Flags: approval-mozilla-aurora?
Attachment #8668988 - Flags: approval-mozilla-aurora+
Attachment #8668988 - Flags: review?(jdemooij) → review+


4 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 6

4 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 89732fcdb0ba).
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 9

4 years ago
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx42
JSBugMon: This bug has been automatically verified fixed on Fx43
Group: javascript-core-security → core-security-release

Comment 14

4 years ago
b2g37_v2_2 should call TryReuseArrayType instead of TryReuseArrayGroup.
Flags: needinfo?(bhackett1024)
I'll land that when I get home tonight. ni? to remind me.
Flags: needinfo?(wkocher)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.