Closed Bug 1346543 Opened 4 years ago Closed 4 years ago

Assertion failure: predInfo.length() > 0, at jit/FlowAliasAnalysis.cpp:771 or Crash [@ AppendToWorklist<mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy> >] with use-after-free

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- disabled
firefox53 --- disabled
firefox54 --- disabled
firefox55 --- fixed

People

(Reporter: decoder, Assigned: h4writer)

Details

(6 keywords, Whiteboard: [jsbugmon:][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 4ceb9062ea8f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-aa=flow-sensitive):

new Function(`
  var rng_psize = 256;
  var rng_pool;
  if(rng_pool == null) {
    rng_pptr = 0;
    while(rng_pptr < rng_psize) {
      function rng_get_byte() {
        rng_pool[rng_pptr] = 0;
      }
    }
    function SecureRandom() {}
    var rng = new SecureRandom();
  }
`)();



Backtrace:

#0  0x0000000000c545b4 in AppendToWorklist<mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy> > (stores=..., worklist=...) at js/src/jit/FlowAliasAnalysis.cpp:181
#1  js::jit::FlowAliasAnalysis::improveNonAliasedStores (onlyControlInstructions=false, onlyControlInstructions=false, improved=<synthetic pointer>, outputStores=..., inputStores=..., load=0x7ffff69b98d0, this=0x7fffffffc320) at js/src/jit/FlowAliasAnalysis.cpp:674
#2  js::jit::FlowAliasAnalysis::improveDependency (this=0x7fffffffc320, load=0x7ffff69b98d0, inputStores=..., outputStores=...) at js/src/jit/FlowAliasAnalysis.cpp:651
#3  0x0000000000c558ec in js::jit::FlowAliasAnalysis::processLoad (load=0x7ffff69b98d0, blockInfo=..., this=0x7fffffffc320) at js/src/jit/FlowAliasAnalysis.cpp:545
#4  js::jit::FlowAliasAnalysis::analyze (this=this@entry=0x7fffffffc320) at js/src/jit/FlowAliasAnalysis.cpp:497
#5  0x000000000063620b in js::jit::AccountForCFGChanges (mir=0x7ffff69b2260, graph=..., updateAliasAnalysis=<optimized out>, underValueNumberer=<optimized out>) at js/src/jit/IonAnalysis.cpp:2308
#6  0x000000000063629e in js::jit::AccountForCFGChanges (mir=<optimized out>, graph=..., updateAliasAnalysis=<optimized out>, underValueNumberer=underValueNumberer@entry=true) at js/src/jit/IonAnalysis.cpp:2315
#7  0x000000000074bf4d in js::jit::ValueNumberer::run (this=this@entry=0x7fffffffc4f0, updateAliasAnalysis=updateAliasAnalysis@entry=js::jit::ValueNumberer::UpdateAliasAnalysis) at js/src/jit/ValueNumbering.cpp:1268
#8  0x0000000000636c54 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff69b2260) at js/src/jit/Ion.cpp:1714
#9  0x0000000000637a79 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69b2260) at js/src/jit/Ion.cpp:2057
#10 0x000000000042d41a in js::jit::IonCompile (cx=cx@entry=0x7ffff6926800, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffca88, osrPc=osrPc@entry=0x7ffff699a4ca "ず", recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2341
#11 0x0000000000637e9b in js::jit::Compile (cx=cx@entry=0x7ffff6926800, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffca88, osrPc=osrPc@entry=0x7ffff699a4ca "ず", forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2534
#12 0x0000000000638474 in BaselineCanEnterAtBranch (pc=0x7ffff699a4ca "ず", osrFrame=0x7fffffffca88, script=..., cx=0x7ffff6926800) at js/src/jit/Ion.cpp:2725
#13 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6926800, frame=frame@entry=0x7fffffffca88, pc=pc@entry=0x7ffff699a4ca "ず") at js/src/jit/Ion.cpp:2783
#14 0x0000000000561dcd in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6926800, frame=0x7fffffffca88, stub=<optimized out>, infoPtr=0x7fffffffca30) at js/src/jit/BaselineIC.cpp:143
#15 0x00003b4ccd27cb23 in ?? ()
[...]
#26 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69b8958	140737330776408
rcx	0xe5e5e5e5e5e5e5e5	-1880844493789993499
rdx	0x7fffffffc368	140737488339816
rsi	0x1	1
rdi	0x7ffff69b8958	140737330776408
rbp	0x0	0
rsp	0x7fffffffc150	140737488339280
r8	0x7fffffffc368	140737488339816
r9	0x7fffffffc060	140737488339040
r10	0x1	1
r11	0x7ffff69cc370	140737330856816
r12	0x1	1
r13	0x7fffffffc348	140737488339784
r14	0x7fffffffc320	140737488339744
r15	0x7fffffffc3b8	140737488339896
rip	0xc545b4 <js::jit::FlowAliasAnalysis::improveDependency(js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&)+372>
=> 0xc545b4 <js::jit::FlowAliasAnalysis::improveDependency(js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&)+372>:	testb  $0x2,0x24(%rcx)
   0xc545b8 <js::jit::FlowAliasAnalysis::improveDependency(js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&)+376>:	jne    0xc545e7 <js::jit::FlowAliasAnalysis::improveDependency(js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&)+423>


Not sure what the status of --ion-aa=flow-sensitive in the browser is right now, but if it has already been enabled by default, then this is very likely a sec-high or sec-crit.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
If --ion-aa=flow-sensitive is needed, setting Hannes as default needinfo? person.
Flags: needinfo?(hv1989)
Keywords: sec-high
Component: JavaScript Engine → JavaScript Engine: JIT
Flags: needinfo?(hv1989)
Priority: -- → P1
This bug also seems to be responsible for several heap crashes that are not easily catchable with signatures. Marking as fuzzblocker.
Whiteboard: [jsbugmon:] → [jsbugmon:][fuzzblocker]
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8857407 - Flags: review?(jdemooij)
Opening since it is not enabled by default.
Group: javascript-core-security
Keywords: sec-high
Comment on attachment 8857407 [details] [diff] [review]
Make sure the OSR has a valid starting dependency

Review of attachment 8857407 [details] [diff] [review]:
-----------------------------------------------------------------

Can you add a testcase?

::: js/src/jit/FlowAliasAnalysis.cpp
@@ +911,5 @@
>      BlockStoreInfo* blockInfo = stores_->newCurrent(alloc(), block);
>      if (!blockInfo)
>          return false;
>  
> +    // First and osr block depends on the first instruction.
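Review bot: the quoted hunk stops at the new comment, so the code that actually seeds the OSR block's starting dependency is not visible here; please extend the quote to include those lines so the reviewer can check that the `blockInfo` created just above is populated for the OSR block before any successor merges it, since an empty record is exactly what the `predInfo.length() > 0` assertion in the bug title catches.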

Nit: depend
Attachment #8857407 - Flags: review?(jdemooij) → review+
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f38245b1ca4e
IonMonkey: Add alias information to the osr block in flow-aa, r=jandem
https://hg.mozilla.org/mozilla-central/rev/f38245b1ca4e
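An added, constructed model (not SpiderMonkey's code) of the bug class this fix addresses: a per-block store-dependency table in which the OSR entry, like the graph entry, has no predecessors and must be seeded with the first instruction; left unseeded, the loop header's merge finds an empty predecessor record, which is the condition `predInfo.length() > 0` guards. The `Block`/`Kind` types, `computeStoreInfo`, and the three-block CFG are assumptions of the model, not Ion's data structures.

```cpp
#include <cassert>
#include <vector>

// Constructed model (not SpiderMonkey's code): a flow-sensitive alias analysis
// records, per basic block, the stores a later load may depend on. A block with
// predecessors merges their records; a block with none (graph entry or OSR
// entry) has nothing to merge and must be seeded, or it carries no record.
enum class Kind { Entry, OsrEntry, Normal };

struct Block {
    int id;
    Kind kind;
    std::vector<int> preds;       // predecessor block ids
    std::vector<int> lastStores;  // instruction ids a load here may depend on
};

// Sentinel for "no real store yet": the block's first instruction.
constexpr int kFirstInstruction = 0;

// Fills lastStores for each block, visiting blocks in predecessor-first order.
// Returns false when a predecessor carries no record, the situation behind
// `predInfo.length() > 0` in the report; the model reports it instead of
// reading an empty vector. seedOsr == false reproduces the pre-fix behaviour
// where only the graph entry was seeded.
bool computeStoreInfo(std::vector<Block>& blocks, bool seedOsr) {
    for (Block& b : blocks) {
        if (b.preds.empty()) {
            if (b.kind == Kind::Entry || (b.kind == Kind::OsrEntry && seedOsr))
                b.lastStores.assign(1, kFirstInstruction);
            continue;
        }
        for (int p : b.preds) {
            const Block& pred = blocks[p];
            if (pred.lastStores.empty())
                return false;  // missing predecessor record: nothing valid to append
            b.lastStores.insert(b.lastStores.end(),
                                pred.lastStores.begin(), pred.lastStores.end());
        }
    }
    return true;
}

// Constructed CFG in the shape the report implies: a normal entry (0) and an
// OSR entry (1) both feed the loop header (2), where the merge happens.
std::vector<Block> makeLoopGraph() {
    return {{0, Kind::Entry, {}, {}},
            {1, Kind::OsrEntry, {}, {}},
            {2, Kind::Normal, {0, 1}, {}}};
}
```

Running `computeStoreInfo` with `seedOsr` false fails at the loop header's merge; with it true, the header inherits a first-instruction dependency from both entries.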
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55