Bug 1766225 - Crash [@ js::jit::AssertValidObjectPtr]
Status: VERIFIED FIXED (Closed; opened 3 years ago, closed 3 years ago)
Component: Core :: JavaScript Engine: JIT
Type: defect
Platform: x86_64 Linux
Target Milestone: 101 Branch

Tracking Status:
firefox-esr91 --- unaffected
firefox99 --- unaffected
firefox100 --- unaffected
firefox101 + verified

People: Reporter: decoder, Assigned: anba
References: (Regression)
Details: 6 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 3 files

The following testcase crashes on mozilla-central revision 20220424-1160a0aab272 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=1 --ion-gvn=off):

gczeal(4)  // GC zeal mode 4: verify pre write barriers between instructions
function a() {}
function b() {
  // the slice.call(arguments, ...) pattern the reporter flags for anba below
  a(Array.prototype.slice.call(arguments, 1, 3));
}
function c() {
  b(1, 2);
}
// with --ion-warmup-threshold=1 the loop is enough to get b() Ion-compiled
for (i=0 ; i<200; ++i)
  c()

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557796226 in js::jit::AssertValidObjectPtr(JSContext*, JSObject*) ()
#1  0x00003fba39bfa8e5 in ?? ()
#2  0x0000000000000000 in ?? ()
rax	0x7ffff7f99801	140737353717761
rbx	0x1	1
rcx	0x0	0
rdx	0x1	1
rsi	0x7ffff602e800	140737320773632
rdi	0x7ffff6018000	140737320681472
rbp	0x7fffffffbad0	140737488337616
rsp	0x7fffffffba90	140737488337552
r8	0x7fffffffbb78	140737488337784
r9	0x7	7
r10	0x7dffadb	132119259
r11	0x2fe0c94fffff	52642496643071
r12	0x0	0
r13	0x0	0
r14	0x7ffff602e800	140737320773632
r15	0x1	1
rip	0x555557796226 <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+70>
=> 0x555557796226 <_ZN2js3jit20AssertValidObjectPtrEP9JSContextP8JSObject+70>:	mov    (%r15),%rax
   0x555557796229 <_ZN2js3jit20AssertValidObjectPtrEP9JSContextP8JSObject+73>:	test   $0x7,%al

Marking s-s because the test involves GC and this is a JIT runtime check failing.

Attached file Testcase
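The report above gives a complete reproduction recipe: a debug js shell, the four Ion flags, and a testcase that needs gczeal(4) to expose the bad pointer (the disassembly faults on `mov (%r15),%rax` with r15 = 0x1, so the object pointer handed to AssertValidObjectPtr is not a pointer at all). The script below is an added example for triaging such a report, not code from the bug or from the SpiderMonkey project. It assumes a js shell binary path in JS_SHELL (not given on the page), writes the page's testcase verbatim to a temporary file, runs it several times because GC-timing bugs can be flaky, and classifies the exit status the way a POSIX shell reports signals (128 + signal number: 139 for SIGSEGV as seen here, 134 for the SIGABRT a MOZ_ASSERT failure produces). If no shell binary is present it reports "skip:no-shell" instead of failing.

```shell
#!/bin/sh
# Added example, not from the bug report. JS_SHELL is an assumption: point it at
# a debug build of the SpiderMonkey `js` shell (the page says a debug build).
JS_SHELL="${JS_SHELL:-./js}"
# Flags exactly as given in the report.
FLAGS="--fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=1 --ion-gvn=off"

# Map an exit status to a triage verdict. A process killed by signal N exits
# with 128+N in POSIX shells: SIGSEGV (11) -> 139, SIGABRT (6) -> 134.
classify_exit() {
  case "$1" in
    0)   echo "clean" ;;
    139) echo "crash:SIGSEGV" ;;
    134) echo "crash:SIGABRT" ;;
    *)
      if [ "$1" -gt 128 ]; then
        echo "crash:signal$(( $1 - 128 ))"
      else
        echo "exit:$1"
      fi
      ;;
  esac
}

# Write the testcase from the report (copied verbatim) to the given path.
write_testcase() {
  cat > "$1" <<'EOF'
gczeal(4)
function a() {}
function b() {
  a(Array.prototype.slice.call(arguments, 1, 3));
}
function c() {
  b(1, 2);
}
for (i=0 ; i<200; ++i)
  c()
EOF
}

# Run the testcase up to $2 times (default 5) and report the first crash
# verdict seen, "clean" if none, or "skip:no-shell" if JS_SHELL is missing.
# Written to be safe under `set -e`: the shell's exit status is captured
# without letting a non-zero status abort the script.
reproduce() {
  n="${2:-5}"
  if [ ! -x "$JS_SHELL" ]; then
    echo "skip:no-shell"
    return 0
  fi
  verdict="clean"
  i=0
  while [ "$i" -lt "$n" ]; do
    "$JS_SHELL" $FLAGS "$1" >/dev/null 2>&1 && rc=0 || rc=$?
    v=$(classify_exit "$rc")
    case "$v" in
      crash:*) verdict="$v"; break ;;
    esac
    i=$((i + 1))
  done
  echo "$verdict"
}

main() {
  tc="${TMPDIR:-/tmp}/bug1766225-testcase.js"
  write_testcase "$tc"
  echo "testcase: $tc"
  echo "verdict:  $(reproduce "$tc" 5)"
}

main "$@"
```

Run it as `JS_SHELL=/path/to/objdir/dist/bin/js sh repro.sh`; a verdict of crash:SIGSEGV matches the backtrace in the report, while crash:SIGABRT would indicate the run tripped a MOZ_ASSERT instead and the assertion text in stderr should be read next.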

NI anba because of the slice.call(arguments) pattern.

Flags: needinfo?(andrebargull)
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)

This sounds like a value isn't being barriered properly, so I'm going to rate this sec-high.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220425094217-9cb38db713cc.
The bug appears to have been introduced in the following build range:

Start: e64a440f0c8b9f2cd539929c77e611d2de49c6e2 (20220421083230)
End: 201252c849f427b49422fffea6ca65e36cdade1d (20220421084833)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e64a440f0c8b9f2cd539929c77e611d2de49c6e2&tochange=201252c849f427b49422fffea6ca65e36cdade1d

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Marking regression from the range in comment 6.

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220425213655-66db1b509316.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Has Regression Range: --- → yes
Flags: in-testsuite+
Group: core-security-release