Closed Bug 1531054 Opened 5 years ago Closed 5 years ago

Crash [@ js::MaybeHasInterestingSymbolProperty] or Assertion failure: MIR instruction returned value with unexpected type, at jit/MacroAssembler.cpp:2029

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

ARM64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1534810
Tracking Status
firefox67 --- disabled

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:ignore])

The following testcase crashes on mozilla-central revision 8c60d3a2fcc4+ (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-jemalloc --disable-debug, run with --fuzzing-safe --cpu-count=2 --ion-warmup-threshold=0 --spectre-mitigations=off --ion-gvn=off --ion-offthread-compile=off --ion-inlining=off):

evaluate(`
  function TestCase(d, e, a, r) {  }
  var actualvalues = [];
  function F1(arguments){}
  test = actualvalues;
  BUGNUMBER = F1;
  x = test;
  SECTION = 0;
  var foreign = {}
  var fast = DiagModule(this, foreign);
  SECTION = 0;
  function outer_func(x){
    usingApply = SECTION;
    new TestCase( usingApply, { SECTION: true ==  x * 1 < this });
  }
  function DiagModule(stdlib, foreign) {
    function diag() {
      for (let i = 0; i < 100; ++i) {
        test = outer_func;
        test(1, x);
      }
    }
    diag_1 = BUGNUMBER;
    return { diag: diag, diag_1:diag_1 };
  }
  fast.diag()
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::MaybeHasInterestingSymbolProperty (cx=0xaaac1e426ab0, obj=0xadede4400628, symbol=<optimized out>, holder=<optimized out>) at js/src/vm/ObjectOperations-inl.h:222
222	    if (obj->maybeHasInterestingSymbolProperty() ||
#0  js::MaybeHasInterestingSymbolProperty (cx=0xaaac1e426ab0, obj=0xadede4400628, symbol=<optimized out>, holder=<optimized out>) at js/src/vm/ObjectOperations-inl.h:222
#1  js::GetInterestingSymbolProperty (cx=0xaaac1e426ab0, obj=..., sym=<optimized out>, vp=...) at js/src/vm/ObjectOperations-inl.h:242
#2  js::ToPrimitiveSlow (cx=0xaaac1e426ab0, preferredType=JSTYPE_NUMBER, vp=...) at js/src/vm/JSObject.cpp:3235
#3  0x0000aaabe1ac82a0 in js::ToPrimitive (cx=<optimized out>, preferredType=JSTYPE_NUMBER, vp=...) at js/src/vm/JSObject.h:773
#4  js::LessThanOperation (cx=0xaaac1e426ab0, res=<optimized out>, lhs=..., rhs=...) at js/src/vm/Interpreter-inl.h:773
#5  js::jit::LessThan (cx=0xaaac1e426ab0, lhs=..., rhs=..., res=<optimized out>) at js/src/jit/VMFunctions.cpp:237
#6  0x0000aaabe1c0aa78 in js::jit::IonCompareIC::update (cx=0xaaac1e426ab0, outerScript=..., ic=0xaaac1e548ec0, lhs=..., rhs=..., res=0xffffe0360f60) at js/src/jit/IonIC.cpp:625
#7  0x000009e826576bf8 in ?? ()
[...]
x0	0xaaac1e426ab0	187656218766000
x1	0x4	4
x2	0xffffe0360d30	281474443382064
x3	0xffffe0360f60	281474443382624
x4	0xffffe0360f98	281474443382680
x5	0xffffe0360f60	281474443382624
x6	0x3044	12356
x7	0xffffe0360480	281474443379840
x8	0x387557d290b0	62076635746480
x9	0xffffe0360b80	281474443381632
x10	0xffffe0360b68	281474443381608
x11	0xffffffff	4294967295
x12	0xfffffffe	4294967294
x13	0x80	128
x14	0x7	7
x15	0xaaac1e532790	187656219862928
x16	0xaaabe1c0a968	187655203629416
x17	0x387557da1bc8	62076636240840
x18	0xaaabe246e0e0	187655212425440
x19	0xaaabe2482210	187655212507664
x20	0xaaac1e426ab0	187656218766000
x21	0xffffe0360d30	281474443382064
x22	0xffffe0360b90	281474443381648
x23	0xffffe0360b78	281474443381624
x24	0xadede4400628	191237248255528
x25	0x387557d290b4	62076635746484
x26	0xaaac1e426b18	187656218766104
x27	0xaaac1e426ad0	187656218766032
x28	0xfff9800000000000	-1829587348619264
x29	0xffffe0360c60	281474443381856
x30	0xaaabe1ac82a0	187655202308768
sp	0xffffe0360b50	281474443381584
pc	0xaaabe172b64c <js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>)+136>
cpsr	[ EL=0 C ]
fpcsr	void
fpcr	0x0	0
=> 0xaaabe172b64c <js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>)+136>:	ldr	x8, [x24]
   0xaaabe172b650 <js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>)+140>:	ldr	x9, [x8]

This requires the patch from bug 1528869 to enable Ion on ARM64. Marking s-s because the assertion is known to be security relevant and the crash is on a random address. Note that the bug is quite fragile with respect to the runtime flags.
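
The claim above that "the crash is on a random address" can be checked mechanically from what gdb printed: the faulting instruction is `ldr x8, [x24]`, so the address being dereferenced is whatever x24 holds, and that value can be compared with the arguments gdb recovered for frame #0. The script below is an added triage helper written for this page, not code from the bug or from SpiderMonkey. It parses the register dump (taking gdb's decimal column as the authoritative 64-bit value and cross-checking it against the hex column, which flags a hex column that was truncated to 32 bits when a dump was copied), extracts the base register and immediate offset of the faulting AArch64 load or store (it also accepts a `[xN, #imm]` form the report does not show), and reports whether the faulting address coincides with a frame #0 argument. The sample input is constructed from the lines in this report; the plausibility classes assume arm64 Linux with a 48-bit user address space, which the page does not state.

```python
import re

MASK64 = (1 << 64) - 1

# Constructed sample input, copied from the report: the faulting frame from the
# backtrace, a handful of the gdb register lines (x24 is the one the faulting
# load dereferences) and the disassembly line gdb marks with "=>".
FRAME0 = ("#0  js::MaybeHasInterestingSymbolProperty (cx=0xaaac1e426ab0, "
          "obj=0xadede4400628, symbol=<optimized out>, holder=<optimized out>) "
          "at js/src/vm/ObjectOperations-inl.h:222")
REG_DUMP = (
    "x0\t0xaaac1e426ab0\t187656218766000\n"
    "x8\t0x387557d290b0\t62076635746480\n"
    "x24\t0xadede4400628\t191237248255528\n"
    "x28\t0xfff9800000000000\t-1829587348619264\n"
    "sp\t0xffffe0360b50\t281474443381584\n"
    "pc\t0xaaabe172b64c <js::ToPrimitiveSlow(JSContext*, JSType, "
    "JS::MutableHandle<JS::Value>)+136>\n"
)
FAULT_LINE = ("=> 0xaaabe172b64c <js::ToPrimitiveSlow(JSContext*, JSType, "
              "JS::MutableHandle<JS::Value>)+136>:\tldr\tx8, [x24]")


def parse_regs(dump):
    """Parse gdb register lines into ({name: unsigned 64-bit value}, warnings).

    gdb prints the raw hex value and, for integer registers, a signed decimal
    rendering of the same bits. The decimal column is taken as authoritative
    and cross-checked against the hex column; any disagreement (for example a
    hex column truncated to 32 bits in a copied dump) is returned as a warning
    rather than silently trusted.
    """
    regs, warnings = {}, []
    for line in dump.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[1].startswith("0x"):
            continue  # cpsr / fpcsr style lines carry no numeric value
        name = parts[0]
        hex_val = int(parts[1].split()[0], 16)  # drop a trailing <symbol+off>
        value = hex_val
        if len(parts) > 2 and re.fullmatch(r"-?\d+", parts[2].strip()):
            value = int(parts[2]) & MASK64
            if value != hex_val:
                warnings.append(f"{name}: hex column {parts[1]} disagrees "
                                f"with decimal column {value:#x}")
        regs[name] = value
    return regs, warnings


def parse_fault_insn(line):
    """Extract (mnemonic, base register, immediate offset) from the AArch64
    load/store gdb marks as faulting, e.g. 'ldr x8, [x24]' or
    'ldr x8, [x24, #16]'. Returns None if the line is not a memory access."""
    m = re.search(r"\b(ldr\w*|str\w*)\s+\w+,\s*\[(\w+)(?:,\s*#(-?\d+))?\]", line)
    if not m:
        return None
    mnemonic, base, offset = m.groups()
    return mnemonic, base, int(offset or 0)


def classify(addr):
    """Coarse plausibility of a faulting address, assuming arm64 Linux with a
    48-bit user VA (an assumption about the reporter's box, not on the page)."""
    if addr < 0x10000:
        return "near-null"
    if addr >> 48:
        return "outside user VA"
    return "well-formed user pointer"


def triage(frame0, reg_dump, fault_line):
    """Combine the three pieces of gdb output into one triage verdict."""
    regs, warnings = parse_regs(reg_dump)
    insn = parse_fault_insn(fault_line)
    if insn is None:
        return {"error": "faulting instruction is not a load/store",
                "warnings": warnings}
    mnemonic, base, offset = insn
    fault_addr = (regs[base] + offset) & MASK64
    frame_args = {k: int(v, 16)
                  for k, v in re.findall(r"(\w+)=(0x[0-9a-f]+)", frame0)}
    return {
        "mnemonic": mnemonic,
        "base_reg": base,
        "fault_addr": fault_addr,
        "kind": classify(fault_addr),
        # frame #0 arguments whose value is exactly the faulting address
        "same_as_frame_arg": [k for k, v in frame_args.items() if v == fault_addr],
        "warnings": warnings,
    }


if __name__ == "__main__":
    r = triage(FRAME0, REG_DUMP, FAULT_LINE)
    print(f"{r['mnemonic']} via {r['base_reg']} faults at "
          f"{r['fault_addr']:#x} ({r['kind']})")
    if r["same_as_frame_arg"]:
        print("address equals frame #0 argument(s):",
              ", ".join(r["same_as_frame_arg"]))
    for w in r["warnings"]:
        print("warning:", w)
```

Run on this report, the script finds that the load through x24 faults at 0xadede4400628, which is exactly the `obj` argument of frame #0. So the first dereference of the object pointer itself is what faults, not a field reached through a valid object; the bad `JSObject*` arrived as a Value from the compare IC's caller, which is what the "unexpected type" assertion in the title points at. The same-as-argument check is the quick way to tell a wild-pointer type confusion from a corrupted heap object when a fuzzer hands you a pile of similar-looking SIGSEGVs.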

Sounds bad, so I'll mark it sec-high.

Keywords: sec-high
Priority: -- → P2

I cannot reproduce this on ARM64 hardware or in the simulator. Nicolas, can you? Otherwise we might as well close it as an old fuzz bug.

Flags: needinfo?(nicolas.b.pierron)

Looking at the test case containing 1 * x and the command line being --ion-gvn=off, this definitely sounds like a duplicate of Bug 1534810.
Testing with and without this patch confirmed this hypothesis.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: javascript-core-security