Assertion failure: [infer failure] Missing type pushed 0: void, at jsinfer.cpp:352

VERIFIED FIXED in Firefox 13

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
VERIFIED FIXED
Reported:
7 years ago
Modified:
6 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, 4 keywords)

Version:
Trunk
Target:
mozilla15
Platform:
x86
All
Keywords:
assertion, regression, sec-critical, testcase
Points:
---
Dependency tree / graph
Duplicates:
746150, 747334, 748547
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox12 unaffected, firefox13+ fixed, firefox14+ fixed, firefox15+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed [advisory-tracking+])

Attachments

(1 attachment)

patch
1.80 KB, patch
bhackett
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
(Reporter)

Description

7 years ago 
The following test asserts on mozilla-central revision 17af008937e3 (options -m -a -n):


a = 'a';
b = [,];
exhaustiveSliceTest("exhaustive slice test 1", a);
exhaustiveSliceTest("exhaustive slice test 2", b);
function exhaustiveSliceTest(testname, a){
  x = 0
  var y = 0;
  countHeap();
  for (y=a.length; y + a.length; y--) 
    var b  = a.slice(x,y);
}


This one involves the shell-only function "countHeap", but I don't know if this is a shell-only bug or just revealing a real bug. Maybe related to bug 746150? S-s until triaged.

Comment 1

7 years ago 
taking a guess that countHeap() shouldn't affect inference correctness and assigning sg:critical
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed

Comment 2

7 years ago 
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86695:fbef6a165cf8
user:        Bill McCloskey
date:        Fri Feb 10 18:32:08 2012 -0800
summary:     Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
Keywords: regression
OS: Linux → All
Blocks: 723313

Comment 3

7 years ago 
Marking flags based on regression window in comment 2.
status-firefox-esr10: --- → unaffected
status-firefox12: --- → unaffected
status-firefox13: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox13: --- → ?
tracking-firefox14: --- → ?
tracking-firefox15: --- → ?
tracking-firefox13: ? → +
tracking-firefox14: ? → +
tracking-firefox15: ? → +
 (Assignee)

Comment 4

7 years ago 
Created attachment 619797 [details] [diff] [review]
patch

Here's the scenario:

1. Code sets y to 0.
2. GC happens. y is dead, so we overwrite it with undefined.
3. Code sets y to 1. As an optimization, it doesn't update the type tag. It incorrectly assumes it hasn't changed since step 1.

The easiest thing to do is to leave the type tag alone in step 2 while fixing up any pointers. The only tags we actually need to worry about are object and string. And we can come up with a dummy string and a dummy object as replacements. The only concern is that this code shouldn't cause the dummy object to be leaked. For objects, I used the global as the dummy. Luke says that the stack frame shouldn't outlive its global, so this seems safe.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #619797 - Flags: review?(bhackett1024)
Duplicate of this bug: 746150
Attachment #619797 - Flags: review?(bhackett1024) → review+
 (Assignee)

Comment 7

7 years ago 
https://hg.mozilla.org/mozilla-central/rev/c296a4cfe0d6
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
 (Reporter)

Comment 8

7 years ago 
JSBugMon: This bug has been automatically verified fixed.
 (Reporter)

Updated

7 years ago
Status: RESOLVED → VERIFIED
 (Assignee)

Comment 9

7 years ago 
Comment on attachment 619797 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): bug 723313
User impact if declined: This may cause crashes or be exploitable.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low. We used to overwrite a stack slot with a dummy value, now we overwrite it with a slightly different dummy value.
String changes made by this patch: None
Attachment #619797 - Flags: approval-mozilla-beta?
Attachment #619797 - Flags: approval-mozilla-aurora?
Attachment #619797 - Flags: approval-mozilla-beta?
Attachment #619797 - Flags: approval-mozilla-beta+
Attachment #619797 - Flags: approval-mozilla-aurora?
Attachment #619797 - Flags: approval-mozilla-aurora+
 (Assignee)

Comment 10

7 years ago 
https://hg.mozilla.org/releases/mozilla-aurora/rev/6114cf84a407
https://hg.mozilla.org/releases/mozilla-beta/rev/7dfc84b36390
status-firefox13: affected → fixed
status-firefox14: affected → fixed
status-firefox15: affected → fixed
Group: core-security
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [advisory-tracking+]
 (Reporter)

Updated

6 years ago
Duplicate of this bug: 747334
 (Reporter)

Updated

6 years ago
Duplicate of this bug: 748547
 (Reporter)

Comment 13

6 years ago 
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug747926.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.