Assertion failure: obj->is<PlainObject>(), at /builds/worker/workspace/build/src/js/src/jit/CacheIR.cpp:4626
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
People
(Reporter: nils, Assigned: tcampbell)
Details
(Keywords: reporter-external, sec-high, Whiteboard: [jsbugmon:update,origRev=edf1f05e9d00,testComment=2][post-critsmash-triage][adv-main66+][adv-esr60.6+])
Attachments
(3 files)
47 bytes,
text/x-phabricator-request
|
lizzard
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Review |
16.50 KB,
patch
|
gkw
:
feedback+
|
Details | Diff | Splinter Review |
16.72 KB,
patch
|
RyanVM
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
Updated•6 years ago
|
Comment 1•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Assignee | ||
Comment 4•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 5•6 years ago
|
||
Comment 7•6 years ago
|
||
Ted would it make sense to have Matthew look at this now, since he is back from his leave?
Assignee | ||
Comment 8•6 years ago
|
||
I will post a patch tomorrow. I've ended up going with a quick fix for the purpose of closing out this bug. This can all be reworked to be cleaner on master once unboxed-objects are removed.
Assignee | ||
Comment 9•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 10•6 years ago
|
||
hg-base: 426ca85d23038f08ebe29ce16db8fd484062f1f9
phabricator: https://phabricator.services.mozilla.com/D18631?id=62799
Gary + decoder, can you do a little bit of fuzzing on this patch? It's a sec-high that will probably need uplifts but is tricky perf-sensitive jitcode. I'm very interested on if any of the MOZ_RELEASE_ASSERTs trip.
Assignee | ||
Comment 11•6 years ago
|
||
hg-base: db09f3a62a37bbd3c34d3218459ff5304705f230
This is the ESR60 version of the patch. The only issues were if-statements without {}s in the ESR branch and the effect of the clang-format changes around that.
Assignee | ||
Comment 12•6 years ago
|
||
Comment on attachment 9041348 [details]
Bug 1514682 - Split up AddSlot IC logic
Security Approval Request
How easily could an exploit be constructed based on the patch?
The patch has a number of changes going on due to performance considerations. It would take detailed inspection by someone familiar with the code to determine which of the changes was the actual bug. Further, it isn't entirely clear (even to me) how an exploit with be derived.
NOTE: The included test-case is unrelated to the security issue and came up making sure I didn't introduce new bugs. It passes safely on all branches.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No
Which older supported branches are affected by this flaw?
all
If not all supported branches, which bug introduced the flaw?
None
Do you have backports for the affected branches?
Yes
If not, how different, hard to create, and risky will they be?
How likely is this patch to cause regressions; how much testing does it need?
Moderate risk. This is tricky JIT code, but this patch was iterated a number of times to reduce the scope of changes. Local testing and additional asserts have identified (hopefully all of) the tricky cases and they have been validated (see Phabricator). I'm also requesting jsshell fuzzing of the patch.
I believe this patch to be strictly more correct than the original code and easier to do further patching.
(In reply to Ted Campbell [:tcampbell] from comment #10)
Created attachment 9044246 [details] [diff] [review]
RELEASE-BETA-CENTRAL-Bug-1514682-Split-up-AddSlot-IC-logic.patchhg-base: 426ca85d23038f08ebe29ce16db8fd484062f1f9
phabricator: https://phabricator.services.mozilla.com/D18631?id=62799
Now testing this on a Linux box.
Comment 14•6 years ago
|
||
Sec-approval+ for trunk. Can you please nominate beta and ESR60 patches as well?
Updated•6 years ago
|
Assignee | ||
Comment 15•6 years ago
|
||
Comment on attachment 9041348 [details]
Bug 1514682 - Split up AddSlot IC logic
Beta/Release Uplift Approval Request
Feature/Bug causing the regression
None
User impact if declined
sec-high bug
Is this code covered by automated tests?
Yes
Has the fix been verified in Nightly?
No
Needs manual test from QE?
No
If yes, steps to reproduce
List of other uplifts needed
None
Risk to taking this patch
Medium
Why is the change risky/not risky? (and alternatives if risky)
Moderate risk. This is tricky JIT code, but this patch was iterated a number of times to reduce the scope of changes. Local testing and additional asserts have identified (hopefully all of) the tricky cases and they have been validated (see Phabricator). I'm also requesting jsshell fuzzing of the patch.
I believe this patch to be strictly more correct than the original code and easier to do further patching.
String changes made/needed
Assignee | ||
Comment 16•6 years ago
|
||
Comment on attachment 9044248 [details] [diff] [review]
ESR60-Bug-1514682-Split-up-AddSlot-IC-logic.patch
ESR Uplift Approval Request
If this is not a sec:{high,crit} bug, please state case for ESR consideration
sec-high
User impact if declined
sec-high bug that will have patch published on nightly
Fix Landed on Version
Planned 67
Risk to taking this patch
Medium
Why is the change risky/not risky? (and alternatives if risky)
Moderate risk. This is tricky JIT code, but this patch was iterated a number of times to reduce the scope of changes. Local testing and additional asserts have identified (hopefully all of) the tricky cases and they have been validated (see Phabricator). I'm also requesting jsshell fuzzing of the patch.
I believe this patch to be strictly more correct than the original code and easier to do further patching.
String or UUID changes made by this patch
Comment 17•6 years ago
|
||
Comment on attachment 9041348 [details]
Bug 1514682 - Split up AddSlot IC logic
Fix for sec-high issue, let's land it for beta 9.
Comment 18•6 years ago
|
||
(In reply to Ted Campbell [:tcampbell] from comment #10)
Created attachment 9044246 [details] [diff] [review]
RELEASE-BETA-CENTRAL-Bug-1514682-Split-up-AddSlot-IC-logic.patchhg-base: 426ca85d23038f08ebe29ce16db8fd484062f1f9
phabricator: https://phabricator.services.mozilla.com/D18631?id=62799Gary + decoder, can you do a little bit of fuzzing on this patch? It's a sec-high that will probably need uplifts but is tricky perf-sensitive jitcode. I'm very interested on if any of the MOZ_RELEASE_ASSERTs trip.
Fuzzed this for at least 2 days, no issues found :)
Assignee | ||
Comment 19•6 years ago
|
||
Per Comment 14, I've pushed to Autoland.
https://hg.mozilla.org/integration/autoland/rev/e74ee65c18a6
I didn't find anything from the comment 10 patch over the weekend either.
![]() |
||
Updated•6 years ago
|
![]() |
||
Comment 21•6 years ago
|
||
Comment 22•6 years ago
|
||
uplift |
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment 23•6 years ago
|
||
Updated•6 years ago
|
![]() |
||
Comment 24•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•8 months ago
|
Description
•