Closed Bug 805747 Opened 7 years ago Closed 7 years ago

IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>,

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla19
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 + fixed
firefox19 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: dvander)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main18-])

Attachments

(2 files)

Attached file stack
try {
    x = {}
    y = '';
    (function() {
        toString = (function() {
            x.s += y
        })
    })()
    print(this)
    Object.freeze(x)(verifyprebarriers())
} catch (e) {}
y = 'p'
for (m = 0, print; m < 9; ++m) {
    print(this)
}

asserts js debug and opt shell on m-c changeset 58c8080a1a7c with --ion-eager at Assertion failure: [barrier verifier] Unmarked edge: <unknown>,

s-s because older bugs with similar asserts have also been marked s-s, assuming sec-critical unless otherwise shown.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   111211:2583a19e59ef
user:        Kannan Vijayan
date:        Tue Oct 23 22:18:11 2012 -0400
summary:     Bug 795801 - IC StrictPropertyOp setters in IonMonkey. (r=dvander)
Assignee: general → kvijayan
(Stealing w/ permission)
Status: NEW → ASSIGNED
Helping david steal this.
Assignee: kvijayan → dvander
Bug 795801 turned out to be a red herring. This is a pre-existing bug; the problem is that our setprop-add ICs don't respect an object's extensibility.
No longer blocks: 795801
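Added example, not part of the bug report or of the patch: the invariant the comment above refers to, written in standard JavaScript (no js-shell builtins such as print or verifyprebarriers, so it runs under Node). A setprop-add is a store that adds a property the object does not yet have. The store site is first warmed up on ordinary extensible objects, the pattern under which a JIT attaches an "add property s" cache at that site, and is then handed objects made non-extensible by Object.freeze, Object.seal and Object.preventExtensions (the testcase only uses freeze; the other two are added here because all three make an object non-extensible). The add must fail silently in sloppy mode and throw a TypeError in strict mode. The function names are the example's own.

```javascript
'use strict';

// Added example (not from the bug report): the semantics a setprop-add
// inline cache must preserve. Adding a property to a non-extensible object
// must fail: silently in sloppy-mode code, with a TypeError in strict-mode
// code. Object.freeze, Object.seal and Object.preventExtensions all make an
// object non-extensible, so all three are exercised.

// Sloppy-mode store site. Built with the Function constructor so that it is
// not covered by this file's 'use strict' directive.
const sloppyAdd = new Function('obj', 'v', 'obj.s = v;');

// Strict-mode store site: throws TypeError when obj is non-extensible.
function strictAdd(obj, v) {
  obj.s = v;
}

// Run the store site many times on fresh extensible objects. This is the
// warm-up that lets an engine attach an "add property s" cache at the site;
// the engine bug in this report was that such a cache skipped the
// extensibility check.
function warmUp(store, iterations = 1000) {
  for (let i = 0; i < iterations; i++) {
    const o = {};
    store(o, i);
    if (o.s !== i) throw new Error('add on an extensible object failed');
  }
}

// For each way of making an object non-extensible, report whether the warmed
// store site still respected it in sloppy and in strict mode.
function checkNonExtensible() {
  const makers = {
    freeze: o => Object.freeze(o),
    seal: o => Object.seal(o),
    preventExtensions: o => Object.preventExtensions(o),
  };
  const results = {};
  for (const [name, make] of Object.entries(makers)) {
    warmUp(sloppyAdd);
    const a = make({});
    sloppyAdd(a, 'p');
    const sloppyOk = !('s' in a) && Object.keys(a).length === 0;

    warmUp(strictAdd);
    const b = make({});
    let threw = false;
    try {
      strictAdd(b, 'p');
    } catch (e) {
      threw = e instanceof TypeError;
    }
    const strictOk = threw && !('s' in b);

    results[name] = { sloppyOk, strictOk };
  }
  return results;
}

// True only if every variant behaved correctly.
function allRespected() {
  return Object.values(checkNonExtensible())
    .every(r => r.sloppyOk && r.strictOk);
}
```

On a current engine allRespected() returns true; the point of the warm-up loop is that a correct engine must keep returning true after the site has been cached, which is exactly what the setprop-add IC in this report failed to do.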
Attached patch fix
Attachment #677160 - Flags: review?(kvijayan)
Attachment #677160 - Flags: review?(kvijayan) → review+
Comment on attachment 677160 [details] [diff] [review]
fix

[Security approval request comment]
How easily can the security issue be deduced from the patch?

Extremely difficult.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

Firefox 18.

If not all supported branches, which bug introduced the flaw?

IonMonkey.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Yes.

How likely is this patch to cause regressions; how much testing does it need?

Extremely unlikely, if anything needs only performance testing.
Attachment #677160 - Flags: sec-approval?
Attachment #677160 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/fb274a7b7b9d
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
(In reply to David Anderson [:dvander] from comment #6)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/fb274a7b7b9d

Can we please uplift this on aurora, if it has got the needed bake time/testing ?
Comment on attachment 677160 [details] [diff] [review]
fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): IonMonkey
User impact if declined: Potential security bug
Testing completed (on m-c, etc.): Yes
Risk to taking this patch (and alternatives if risky): Extremely low
String or UUID changes made by this patch:
Attachment #677160 - Flags: approval-mozilla-aurora?
Attachment #677160 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [adv-main18-]
Can this be put in testsuite?
Flags: in-testsuite?
Group: core-security