Assertion failure: whyMagic() == why, at js/Value.h:651 with Reflect and Proxy
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
People
(Reporter: decoder, Assigned: jandem)
References
Details
(5 keywords, Whiteboard: [bugmon:confirmed][adv-main75+r][adv-esr68.7+r][sec-survey])
Attachments
(5 files)
178 bytes,
text/plain
|
Details | |
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr68+
|
Details | Review |
The following testcase crashes on mozilla-central revision 20200305-2e1a978b09d7 (build with (buildFlags not available), run with --fuzzing-safe --no-threads --ion-warmup-threshold=1 --baseline-warmup-threshold=0):
"use strict";
var target = {};
var proxy = new Proxy(target, {
defineProperty(set, [...x27], ... [{p10: q34}]) {}
});
Reflect.defineProperty(proxy, "test", {writable: false})
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555564c0881 in js::jit::GetPropIRGenerator::tryAttachDenseElement(JS::Handle<JSObject*>, js::jit::ObjOperandId, unsigned int, js::jit::Int32OperandId) ()
#0 0x00005555564c0881 in js::jit::GetPropIRGenerator::tryAttachDenseElement(JS::Handle<JSObject*>, js::jit::ObjOperandId, unsigned int, js::jit::Int32OperandId) ()
#1 0x00005555564bbfc0 in js::jit::GetPropIRGenerator::tryAttachStub() ()
#2 0x000055555639e8e6 in js::jit::TryAttachGetPropStub(char const*, JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, js::jit::CacheKind, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) ()
#3 0x000055555639d86f in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#4 0x0000054a53184863 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax 0x555556e205ff 93825018234367
rbx 0x7fffffff8430 140737488323632
rcx 0x555557ef4850 93825035880528
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffff8340 140737488323392
rsp 0x7fffffff8300 140737488323328
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f9cd00 140737353731328
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x0 0
r13 0x0 0
r14 0x7ffff5e27000 140737318645760
r15 0x0 0
rip 0x5555564c0881 <js::jit::GetPropIRGenerator::tryAttachDenseElement(JS::Handle<JSObject*>, js::jit::ObjOperandId, unsigned int, js::jit::Int32OperandId)+145>
=> 0x5555564c0881 <_ZN2js3jit18GetPropIRGenerator21tryAttachDenseElementEN2JS6HandleIP8JSObjectEENS0_12ObjOperandIdEjNS0_14Int32OperandIdE+145>: movl $0x28b,0x0
0x5555564c088c <_ZN2js3jit18GetPropIRGenerator21tryAttachDenseElementEN2JS6HandleIP8JSObjectEENS0_12ObjOperandIdEjNS0_14Int32OperandIdE+156>: callq 0x5555557ef05e <abort>
Marking s-s because this assertion can indicate a critical JIT bug.
Reporter | ||
Comment 1•4 years ago
|
||
Comment 2•4 years ago
|
||
Jan, can you look at this issue or forward it to Iain or Matthew?
Comment 3•4 years ago
|
||
I took a quick look at this this morning. We are bailing out of the defineProperty handler and leaving a JS_OPTIMIZED_OUT in what I think is the rest array. Then it looks like we try iterating over it (self-hosted ArrayIteratorNext) and fail while attaching a GetElem IC. Not clear to me what the fix is, though.
Comment 4•4 years ago
|
||
Dangerous assertion in a sensitive bit of code. It's a release assert so maybe that saves us (in which case we can revise the rating), or maybe there's a way around it?
Assignee | ||
Comment 5•4 years ago
|
||
This is a bit similar to bug 1620189. In this case isObservableArgumentSlot
also has to test script()->hasRest()
.
I really don't like the duplication between isRecoverableOperand and isObservableFrameSlot. I'll see if I can untangle this code a bit today.
Comment 6•4 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #5)
I really don't like the duplication between isRecoverableOperand and isObservableFrameSlot. I'll see if I can untangle this code a bit today.
IIRC, Some slots might be observed but cannot be recovered.
Maybe we could have a single function which return an enum-type with the observability/recoverability status.
Assignee | ||
Comment 7•4 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #6)
Maybe we could have a single function which return an enum-type with the observability/recoverability status.
Yeah I had the same idea and started working on it this morning, it's much nicer so far.
Assignee | ||
Comment 8•4 years ago
|
||
De-duplicate by merging a number of functions into a single method that returns
an enum. Branch on the slot kind first to make the code easier to reason about.
Updated•4 years ago
|
Assignee | ||
Comment 9•4 years ago
|
||
Depends on D65707
Assignee | ||
Comment 10•4 years ago
|
||
Depends on D65708
Assignee | ||
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 11•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200313163649-87ab9a88abce
The bug appears to have been introduced in the following build range:
> Start: 9b7cd94eaf0a2385f53791c982e2210bd6b96818 (20191215094838)
> End: 7e6a4e2214958f95a105a53ee575fde499a0cee2 (20191215214948)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9b7cd94eaf0a2385f53791c982e2210bd6b96818&tochange=7e6a4e2214958f95a105a53ee575fde499a0cee2
Assignee | ||
Comment 12•4 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #11)
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200313163649-87ab9a88abce
The bug appears to have been introduced in the following build range:
Those changes probably exposed this by Ion-compiling more scripts, but the underlying bug is older I think.
Assignee | ||
Comment 13•4 years ago
|
||
Comment on attachment 9131433 [details]
Bug 1620203 part 1 - Clean up isRecoverableOperand and isObservableSlot. r?nbp!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Hard. It's not clear this bug is exploitable to begin with.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Should be easy. For ESR we can probably land a simpler patch.
- How likely is this patch to cause regressions; how much testing does it need?:
Assignee | ||
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 15•4 years ago
|
||
Comment on attachment 9131433 [details]
Bug 1620203 part 1 - Clean up isRecoverableOperand and isObservableSlot. r?nbp!
sec-approval+, dveditz
Comment 16•4 years ago
|
||
Comment on attachment 9131434 [details]
Bug 1620203 part 2 - Fix some issues with formal arguments. r?nbp!
sec-approval+, dveditz
Assignee | ||
Comment 17•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/13ae2caaec54f735393d306b35afae3896e5cdb8
https://hg.mozilla.org/integration/autoland/rev/1ad72a9f0c4fa696de9043dfd146f9e021be5fd5
I think this should be on Nightly for a few days before beta uplift. NI myself for that.
Comment 18•4 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/13ae2caaec54
https://hg.mozilla.org/mozilla-central/rev/1ad72a9f0c4f
Updated•4 years ago
|
Comment 19•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200318160552-5bfecf5aff6d. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•4 years ago
|
Assignee | ||
Comment 20•4 years ago
|
||
Comment on attachment 9131433 [details]
Bug 1620203 part 1 - Clean up isRecoverableOperand and isObservableSlot. r?nbp!
Beta/Release Uplift Approval Request
- User impact if declined: Crashes, maybe security issues.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This has been on Nightly for a few days but patches are not entirely trivial because they reorganize the code a bit to make this easier to fix.
- String changes made/needed:
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 21•4 years ago
|
||
Comment 22•4 years ago
|
||
Comment on attachment 9131433 [details]
Bug 1620203 part 1 - Clean up isRecoverableOperand and isObservableSlot. r?nbp!
approved for 75.0b7
Updated•4 years ago
|
Assignee | ||
Comment 23•4 years ago
|
||
Comment on attachment 9134658 [details]
Bug 1620203 - Patch for ESR68. r?nbp!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Maybe crashes or security issues.
- User impact if declined:
- Fix Landed on Version: backporting to 75
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): One-line change to deoptimize functions with a rest-parameter similar to functions that use 'arguments'.
- String or UUID changes made by this patch:
Comment 24•4 years ago
|
||
uplift |
Comment 25•4 years ago
|
||
Comment on attachment 9134658 [details]
Bug 1620203 - Patch for ESR68. r?nbp!
Simpler patch for ESR68 to disable the optimization. Approved for 68.7esr.
Comment 26•4 years ago
|
||
uplift |
Updated•4 years ago
|
Updated•4 years ago
|
Comment 27•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Updated•4 years ago
|
Comment 28•3 years ago
|
||
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/35093e2b0047 part 3 - Add tests. r=nbp
Comment 29•3 years ago
|
||
bugherder |
Assignee | ||
Updated•2 years ago
|
Description
•