Closed Bug 780451 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses,"

Categories

Product/Component: Core :: JavaScript Engine (defect)
Version: Other Branch
Hardware: x86_64
OS: All
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED

Tracking Status:
firefox14 --- unaffected
firefox15 --- unaffected
firefox16 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: nbp)

Details

(4 keywords, Whiteboard: [fuzzblocker][ion:p1:fx18])

Attachments

(3 files)

Attached file stack
M: with("") {
    break M
}
try {
    /x/ ({
        e: f
    })
} catch (e) {}
this.i.d

asserts js debug shell on IonMonkey changeset 0bc212d0183b without any CLI arguments at Assertion failure: pcdepth + ndefs <= StackDepth(script),

autoBisect shows this is probably related to the following changeset: (not sure how true this is)

The first bad revision is:
changeset:   103173:0bc212d0183b
tag:         tip
parent:      103059:b457b592f609
parent:      103172:a7fadfbad932
user:        David Anderson
date:        Fri Aug 03 18:58:30 2012 -0700
summary:     Merge from mozilla-central.

This testcase looks related and seems to have a similar regressing range:

try {} catch (N if '') {}
this.z.z

(pass in the testcases as CLI arguments)

Assertion failure: pcdepth >= nuses,
Summary: IonMonkey: "Assertion failure: pcdepth + ndefs <= StackDepth(script)," → IonMonkey: "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses,"
Some of these testcases cause (hard-to-reproduce) crashes / invalid reads as recorded by Valgrind involving ExpressionDecompiler::decompilePC and accessing weird memory addresses.
Group: core-security
Summary: IonMonkey: "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses," → IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses,"
Attached file stack from opt crash
Stack showing weird memory address of 0x74006900000000 being accessed.
Whiteboard: [fuzzblocker]
Whiteboard: [fuzzblocker] → [fuzzblocker][ion:p1:fx18]
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
OS: Mac OS X → All
A hidden goto (break) was used to jump over a bunch of unused instructions and caused the ReconstructPCStack function to produce a wrong stack depth by restoring the pcdepth to the state saved before the GOTO evaluation.

+ The GOTO now checks if the previous instructions were hidden (in which case the GOTO will be too) and updates the pcdepth with the value of the hidden pcdepth.

+ Add an assertion to compare the result of the script analysis when the analysis has information about the bytecode.
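The bookkeeping described in the comment above, as an added toy model that is not SpiderMonkey's code and not the patch on this bug: a small JavaScript stack-depth walker over a constructed bytecode where each op carries nuses/ndefs, an optional hidden flag (compiler-emitted cleanup with no source expression of its own) and a GOTO target. The op set, the stack effects, MAX_DEPTH and both programs are assumptions chosen for illustration. The walker checks the two invariants named in the bug title and shows the pre-fix behaviour (at a hidden GOTO, restore the depth saved before the hidden run) beside the fixed one (carry the hidden run's final depth through the jump).

```javascript
// Toy model of a bytecode stack-depth reconstruction, constructed for this page.
// It is NOT SpiderMonkey's ReconstructPCStack; ops, stack effects and the
// "hidden" flag are assumptions that reproduce the bookkeeping bug described
// in the bug comment: a hidden GOTO must carry the depth tracked through the
// hidden instructions before it, not the depth saved before they ran.

const MAX_DEPTH = 2; // assumed StackDepth(script) for the toy programs

// Walk `code` from pc 0, tracking operand-stack depth at each pc. Throws an
// Error naming the violated invariant, mirroring the two assertion messages.
function reconstructPCStack(code, maxDepth, fixed) {
  let pcdepth = 0;        // depth of the visible (source-level) stack
  let hiddenDepth = null; // depth tracked through a run of hidden ops
  let savedDepth = 0;     // pcdepth at the moment the hidden run started
  let pc = 0;
  const visited = [];

  while (pc < code.length) {
    const ins = code[pc];
    visited.push(pc);

    if (ins.hidden && hiddenDepth === null) {
      // Entering a hidden run: remember the visible depth and fork a counter.
      savedDepth = pcdepth;
      hiddenDepth = pcdepth;
    } else if (!ins.hidden && hiddenDepth !== null) {
      // Hidden run ended without a jump: fold its depth back in.
      pcdepth = hiddenDepth;
      hiddenDepth = null;
    }
    const depth = ins.hidden ? hiddenDepth : pcdepth;

    if (depth < ins.nuses) {
      throw new Error(`pc ${pc} ${ins.op}: Assertion failure: pcdepth >= nuses`);
    }
    if (depth + ins.ndefs > maxDepth) {
      throw new Error(`pc ${pc} ${ins.op}: Assertion failure: pcdepth + ndefs <= StackDepth(script)`);
    }
    const after = depth - ins.nuses + ins.ndefs;

    if (ins.op === "GOTO") {
      if (ins.hidden) {
        // Pre-fix: forget the hidden run and restore the depth saved before it.
        // Fixed: propagate the hidden run's final depth to the jump target.
        pcdepth = fixed ? after : savedDepth;
        hiddenDepth = null;
      } else {
        pcdepth = after;
      }
      pc = ins.target; // the ops between GOTO and target are never visited
      continue;
    }

    if (ins.hidden) hiddenDepth = after; else pcdepth = after;
    pc++;
  }
  if (hiddenDepth !== null) pcdepth = hiddenDepth;
  return { pcdepth, visited };
}

// Constructed program A: a hidden POP cleans up a value before a hidden GOTO
// (the shape of `break` out of a block) skips an unreachable op; the join point
// then pushes, so a stale (too high) depth overflows StackDepth(script).
const PROGRAM_A = [
  { op: "PUSH", nuses: 0, ndefs: 1 },                          // 0
  { op: "PUSH", nuses: 0, ndefs: 1 },                          // 1
  { op: "POP",  nuses: 1, ndefs: 0, hidden: true },            // 2 hidden cleanup
  { op: "GOTO", nuses: 0, ndefs: 0, hidden: true, target: 5 }, // 3 hidden jump
  { op: "POP",  nuses: 1, ndefs: 0 },                          // 4 unreachable
  { op: "PUSH", nuses: 0, ndefs: 1 },                          // 5 join point
  { op: "POP",  nuses: 1, ndefs: 0 },                          // 6
  { op: "POP",  nuses: 1, ndefs: 0 },                          // 7
];

// Constructed program B: the hidden run pushes instead, so a stale (too low)
// depth leaves the next consumer with nothing to pop.
const PROGRAM_B = [
  { op: "PUSH", nuses: 0, ndefs: 1, hidden: true },            // 0
  { op: "GOTO", nuses: 0, ndefs: 0, hidden: true, target: 3 }, // 1
  { op: "NOP",  nuses: 0, ndefs: 0 },                          // 2 unreachable
  { op: "POP",  nuses: 1, ndefs: 0 },                          // 3
];

// Returns the final depth on success, or the assertion message on failure.
function walk(code, fixed) {
  try {
    return reconstructPCStack(code, MAX_DEPTH, fixed).pcdepth;
  } catch (e) {
    return e.message;
  }
}

console.log("A fixed  :", walk(PROGRAM_A, true));
console.log("A pre-fix:", walk(PROGRAM_A, false));
console.log("B fixed  :", walk(PROGRAM_B, true));
console.log("B pre-fix:", walk(PROGRAM_B, false));
```

Program A trips `pcdepth + ndefs <= StackDepth(script)` and program B trips `pcdepth >= nuses` only in pre-fix mode; with the fix both walks end balanced at depth 0. The two invariants are exactly the kind of consistency check the comment's added assertion provides: a wrong reconstructed depth is caught at the next op instead of being used to index the stack.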
Attachment #650329 - Flags: review?(luke)
Attachment #650329 - Flags: review?(bhackett1024)
Attachment #650329 - Flags: review?(luke) → review+
Attachment #650329 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/c0195737650c
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Depends on: 781660
Depends on: 794286
Group: core-security