Closed Bug 1506968 Opened 6 years ago Closed 6 years ago

Assertion failure: !isPhi(), at mozilla-central/js/src/jit/MIR.h:14290

Categories: Core :: JavaScript Engine: JIT, defect
Type: defect
Priority: Not set
Severity: normal

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: jandem)

Details

(Keywords: assertion, oss-fuzz, testcase, Whiteboard: [disclosure deadline Feb 12, 2019])

Attachments

(2 files)

Found by Google's OSS-Fuzz, with 90 day disclosure:

[Environment] ASAN_OPTIONS = redzone=128:print_suppressions=0:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
[Command line] /mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-eager /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-24.js

Assertion failure: !isPhi(), at mozilla-central/js/src/jit/MIR.h:14290
AddressSanitizer:DEADLYSIGNAL
=================================================================
==51451==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x559c3c9a5439 bp 0x7fffd2a00510 sp 0x7fffd2a004c0 T0)
==51451==The signal is caused by a WRITE memory access.
==51451==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x559c3c9a5438 in js::jit::MFilterTypeSet::MFilterTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*) mozilla-central/js/src/jit/MIR.h:12193:9
    #1 0x559c3c9a5438 in js::jit::MFilterTypeSet* js::jit::MFilterTypeSet::New<js::jit::MDefinition*&, js::TemporaryTypeSet*&>(js::jit::TempAllocator&, js::jit::MDefinition*&&&, js::TemporaryTypeSet*&&&) mozilla-central/js/src/jit/MIR.h:12200
    #2 0x559c3c9a5438 in js::jit::IonBuilder::improveThisTypesForCall() mozilla-central/js/src/jit/IonBuilder.cpp:10938
    #3 0x559c3c96a674 in js::jit::IonBuilder::inspectOpcode(JSOp) mozilla-central/js/src/jit/IonBuilder.cpp:0
    #4 0x559c3c96840a in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) mozilla-central/js/src/jit/IonBuilder.cpp:1672:9
    #5 0x559c3c95ce36 in js::jit::IonBuilder::traverseBytecode() mozilla-central/js/src/jit/IonBuilder.cpp:1586:9
    #6 0x559c3c947825 in js::jit::IonBuilder::build() mozilla-central/js/src/jit/IonBuilder.cpp:918:5
    #7 0x559c3c930a65 in js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, unsigned char*, bool, js::jit::OptimizationLevel) mozilla-central/js/src/jit/Ion.cpp:2140:32
    #8 0x559c3c930a65 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) mozilla-central/js/src/jit/Ion.cpp:2442
    #9 0x559c3c933b73 in BaselineCanEnterAtEntry(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*) mozilla-central/js/src/jit/Ion.cpp:2567:27
    #10 0x559c3c933b73 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) mozilla-central/js/src/jit/Ion.cpp:2700
    #7 0x2ba2b876d118  (<unknown module>)
    #8 0x2ba2b8755824  (<unknown module>)
    #11 0x559c3cb20b74 in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:103:9
    #12 0x559c3cb20b74 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:170
    #13 0x559c3aaaaf18 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:432:34
    #14 0x559c3aae5694 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:587:15
    #15 0x559c3c39340d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:3688:14
    #13 0x2ba2b8767722  (<unknown module>)
    #14 0x6210003d6ef7  (<unknown module>)
    #15 0x2ba2b8755b03  (<unknown module>)
    #16 0x559c3cb20b74 in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:103:9
    #17 0x559c3cb20b74 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:170
    #18 0x559c3aaaaf18 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:432:34
    #19 0x559c3aaeb525 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:813:15
    #20 0x559c3aaec35b in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:845:12
    #21 0x559c3ae14c04 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:394:12
    #22 0x559c3ae1508f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:429:12
    #23 0x559c3a97714a in RunFile(JSContext*, char const*, _IO_FILE*, bool) mozilla-central/js/src/shell/js.cpp:922:14
    #24 0x559c3a97714a in Process(JSContext*, char const*, bool, FileKind) mozilla-central/js/src/shell/js.cpp:1399
    #25 0x559c3a8f96bb in ProcessArgs(JSContext*, js::cli::OptionParser*) mozilla-central/js/src/shell/js.cpp:10336:14
    #26 0x559c3a8f96bb in Shell(JSContext*, js::cli::OptionParser*, char**) mozilla-central/js/src/shell/js.cpp:10787
    #27 0x559c3a8f96bb in main mozilla-central/js/src/shell/js.cpp:11297
    #28 0x7f7cc59eb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
Flags: needinfo?(jdemooij)
Calling this sec-high because the assertion looks like type confusion, but maybe it's handled after that. Jan: feel free to adjust or remove the rating after you've looked.
Whiteboard: [disclosure deadline Feb 12, 2019]
I *think* this is not actually security-sensitive: we call toInstruction() on an MDefinition* but the function we're passing that to takes an MDefinition* anyway, so in opt builds it's just an unnecessary cast.

However for simplicity I think we should consider deoptimizing if we see a phi here. It's apparently very uncommon.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
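Added illustration of the pattern comment 2 describes; this is constructed example code, not SpiderMonkey's. It models a stand-in MDefinition hierarchy with a debug-only checked downcast, the unconditional cast that trips the check when a phi reaches it, and the guard that skips the optimization instead. The names MDefinition, isPhi() and toInstruction() follow the real ones; filterTypeSet(), improveThisBefore()/improveThisAfter(), the Outcome enum, the scenario helpers and the failure counter are assumptions made for this example.

```cpp
#include <cassert>

// Constructed model of the pattern in comment 2; not SpiderMonkey's code.
// The real toInstruction() asserts !isPhi() with MOZ_ASSERT. Here the
// debug check is recorded in a counter so the "before" path can be
// exercised without aborting the process.
static int g_debugCheckFailures = 0;

struct MDefinition {
    virtual ~MDefinition() = default;
    virtual bool isPhi() const { return false; }
    // Checked downcast: the check exists only in debug builds. In an
    // optimized build this is an unneeded cast returning the same pointer.
    MDefinition* toInstruction() {
        if (isPhi()) ++g_debugCheckFailures;  // stands in for the assertion
        return this;
    }
};
struct MPhi final : MDefinition {
    bool isPhi() const override { return true; }
};
struct MInstruction final : MDefinition {};

// Callee that accepts any MDefinition*, like the constructor in frame #0
// of the report; the cast buys it nothing. (Constructed name.)
static MDefinition* filterTypeSet(MDefinition* def) { return def; }

enum class Outcome { Improved, Deoptimized };

// Before: unconditional cast. A phi reaching here trips the debug check,
// while the release build silently passes the phi through.
Outcome improveThisBefore(MDefinition* thisDef) {
    filterTypeSet(thisDef->toInstruction());
    return Outcome::Improved;
}

// After, in the spirit of comment 2: phis are rare here, so give up on the
// optimization for them instead of casting.
Outcome improveThisAfter(MDefinition* thisDef) {
    if (thisDef->isPhi()) return Outcome::Deoptimized;
    filterTypeSet(thisDef->toInstruction());
    return Outcome::Improved;
}

// Scenario helpers (constructed): run each path on a phi / an instruction
// and report whether the debug check would have fired.
bool beforeTripsDebugCheck() {
    MPhi phi;
    int start = g_debugCheckFailures;
    improveThisBefore(&phi);
    return g_debugCheckFailures == start + 1;
}

bool afterDeoptimizesWithoutTrippingCheck() {
    MPhi phi;
    int start = g_debugCheckFailures;
    Outcome o = improveThisAfter(&phi);
    return o == Outcome::Deoptimized && g_debugCheckFailures == start;
}

bool instructionPathUnchanged() {
    MInstruction ins;
    int start = g_debugCheckFailures;
    return improveThisBefore(&ins) == Outcome::Improved &&
           improveThisAfter(&ins) == Outcome::Improved &&
           g_debugCheckFailures == start;
}

int main() {
    // Stand-alone run: exit 0 when the guarded path behaves as intended.
    return (beforeTripsDebugCheck() && afterDeoptimizesWithoutTrippingCheck() &&
            instructionPathUnchanged()) ? 0 : 1;
}
```

The counter replaces the real assertion only so the "before" path can run in the example; in an actual debug build the failed MOZ_ASSERT crashes on purpose, and the SEGV on a WRITE to address 0 in the report is that deliberate crash, not a separate memory-safety defect. That is why the triage question in comment 2 is whether the cast matters in optimized builds, not whether the null write does.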
Opening this up per comment 2.
Group: javascript-core-security
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3c2cc6c7a72e
Fix an invalid assert in IonBuilder::improveThisTypesForCall. r=nbp
https://hg.mozilla.org/mozilla-central/rev/3c2cc6c7a72e
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65