Closed Bug 841462 Opened 11 years ago Closed 11 years ago

IonMonkey: Assertion failure: isObject(), at ./dist/include/js/Value.h:1111 or Crash on Heap with invalid read

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 --- unaffected
firefox21 + fixed
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- disabled

People

(Reporter: decoder, Assigned: dvander)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

fix
1.25 KB, patch
jandem
: review+
bajaj
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision fe298855f9d2 (run with --ion-eager):


var M4x4 = {};
M4x4.mul = function M4x4_mul(a, b, r) {
    a11 = a[0]
    return "this.getWeekOfYear() + ";    a22 = a[5]
};
M4x4.makeLookAt = function M4x4_makeLookAt() {
    tm1 = Float32Array(16);
    tm2 = Float32Array(16);
    r = new Float32Array(16)
    return M4x4.mul(tm1, tm2, r);
};
var jellyfish = {};
function jellyfishInstance() {}
jellyfishInstance.prototype.drawShadow = function () {
    pMatrix = M4x4.makeLookAt();
    M4x4.mul(M4x4.makeLookAt(), pMatrix, pMatrix);
}
    jellyfish[0] = new jellyfishInstance()
    for (var i = 0, j = 0; i < jellyfish.count, j < 30; ++j) {
        jellyfish[0].drawShadow();
}
Debug trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000be54bb in toObject (this=0x1369690) at ./dist/include/js/Value.h:1111
1111            MOZ_ASSERT(isObject());
(gdb) bt
#0  0x0000000000be54bb in toObject (this=0x1369690) at ./dist/include/js/Value.h:1111
#1  js::ion::IonBuilder::getTypedArrayLength (this=0x7fffffff30e0, obj=0x1369620) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5443
#2  0x0000000000be5b4b in js::ion::IonBuilder::jsop_getelem_typed (this=0x7fffffff30e0, arrayType=6) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5515
#3  0x0000000000be49b4 in js::ion::IonBuilder::jsop_getelem (this=0x7fffffff30e0) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5305
#4  0x0000000000bc9a57 in js::ion::IonBuilder::inspectOpcode (this=0x7fffffff30e0, op=JSOP_GETELEM) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:1016
#5  0x0000000000bc7f3e in js::ion::IonBuilder::traverseBytecode (this=0x7fffffff30e0) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:687
#6  0x0000000000bc760c in js::ion::IonBuilder::buildInline (this=0x7fffffff30e0, callerBuilder=0x7fffffff4830, callerResumePoint=0x136a4f8, callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:486
#7  0x0000000000bd46bc in js::ion::IonBuilder::inlineScriptedCall (this=0x7fffffff4830, target=(JSFunction * const) 0x7ffff6036040 [object Function "M4x4_mul"], callInfo=...)
    at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:2910
#8  0x0000000000bd8f7f in js::ion::IonBuilder::inlineScriptedCalls (this=0x7fffffff4830, targets=..., originals=..., callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:3394
#9  0x0000000000bdda29 in js::ion::IonBuilder::jsop_call (this=0x7fffffff4830, argc=3, constructing=false) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:4034
#10 0x0000000000bc928a in js::ion::IonBuilder::inspectOpcode (this=0x7fffffff4830, op=JSOP_CALL) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:940
#11 0x0000000000bc7f3e in js::ion::IonBuilder::traverseBytecode (this=0x7fffffff4830) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:687
#12 0x0000000000bc760c in js::ion::IonBuilder::buildInline (this=0x7fffffff4830, callerBuilder=0x1359528, callerResumePoint=0x135fae8, callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:486
#13 0x0000000000bd46bc in js::ion::IonBuilder::inlineScriptedCall (this=0x1359528, target=(JSFunction * const) 0x7ffff6036140 [object Function "jellyfishInstance.prototype.drawShadow"], callInfo=...)
    at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:2910
#14 0x0000000000bd8f7f in js::ion::IonBuilder::inlineScriptedCalls (this=0x1359528, targets=..., originals=..., callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:3394
#15 0x0000000000bdda29 in js::ion::IonBuilder::jsop_call (this=0x1359528, argc=0, constructing=false) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:4034
#16 0x0000000000bc928a in js::ion::IonBuilder::inspectOpcode (this=0x1359528, op=JSOP_CALL) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:940
#17 0x0000000000bc7f3e in js::ion::IonBuilder::traverseBytecode (this=0x1359528) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:687
#18 0x0000000000bc5241 in js::ion::IonBuilder::build (this=0x1359528) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:349
#19 0x0000000000b8d28a in js::ion::SequentialCompileContext::compile (this=0x7fffffff62df, builder=0x1359528, graph=0x1359478, autoDelete=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1223
#20 0x0000000000b9bb72 in js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0x12f28b0, script=0x7ffff6027100, fun=0x0, osrPc=0x1307b8c  <incomplete sequence \343\232>, constructing=false, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1184
#21 0x0000000000b95fca in js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x12f28b0, script=0x7ffff6027100, fun=0x0, osrPc=0x1307b8c  <incomplete sequence \343\232>, constructing=false, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1398
#22 0x0000000000b8da9c in js::ion::CanEnterAtBranch (cx=0x12f28b0, script=0x7ffff6027100, fp=..., pc=0x1307b8c  <incomplete sequence \343\232>, isConstructing=false)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1444
#23 0x0000000000628537 in js::Interpret (cx=0x12f28b0, entryFrame=0x7ffff62f4038, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:1397
#24 0x000000000061c430 in js::RunScript (cx=0x12f28b0, fp=0x7ffff62f4038) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:306
#25 0x000000000061ec65 in js::ExecuteKernel (cx=0x12f28b0, script=0x7ffff6027100, scopeChain=(JSObject &) @0x7ffff6023060 [object global] delegate, thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0)
    at /srv/repos/mozilla-central/js/src/jsinterp.cpp:512
#26 0x000000000061ef7b in js::Execute (cx=0x12f28b0, script=0x7ffff6027100, scopeChainArg=(JSObject &) @0x7ffff6023060 [object global] delegate, rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:552
#27 0x000000000048a22d in JS_ExecuteScript (cx=0x12f28b0, objArg=(JSObject *) 0x7ffff6023060 [object global] delegate, scriptArg=0x7ffff6027100, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5508
#28 0x000000000040cc50 in Process (cx=0x12f28b0, obj_=(JSObject *) 0x7ffff6023060 [object global] delegate, filename=0x7fffffffe187 "test.js", forceTTY=false) at /srv/repos/mozilla-central/js/src/shell/js.cpp:577
#29 0x0000000000427267 in ProcessArgs (cx=0x12f28b0, obj_=(JSObject *) 0x7ffff6023060 [object global] delegate, op=0x7fffffffdcb0) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5098
#30 0x0000000000427457 in Shell (cx=0x12f28b0, op=0x7fffffffdcb0, envp=0x7fffffffdea8) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5135
#31 0x0000000000427e02 in main (argc=3, argv=0x7fffffffde88, envp=0x7fffffffdea8) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5351

Opt trace:

==5359== Invalid read of size 4
==5359==    at 0x402EC61: ???
==5359==    by 0xFFFA000000000009: ???
==5359==    by 0xFFF880000000000F: ???
==5359==    by 0x7031F7F: ???
==5359==    by 0x703703F: ???
==5359==    by 0x7031F7F: ???
==5359==    by 0x6B006F006F004B: ???
==5359==    by 0x5F2292F: ???
==5359==    by 0x602866F: ???
==5359==    by 0x4026791: ???
==5359==    by 0xC0: ???
==5359==    by 0x70270E8: ???
==5359==  Address 0x6b006f006f004c is not stack'd, malloc'd or (recently) free'd


S-s and sec-critical due to the opt-crash which looks particularly dangerous.
Keywords: crash, csec-wildptr, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Assigning to David during CRITSMASH.
Assignee: general → dvander
status-firefox18: --- → wontfix
status-firefox19: --- → wontfix
status-firefox20: --- → affected
status-firefox21: --- → affected
status-firefox-esr17: --- → wontfix
Attached patch fixSplinter Review 
elementReadIsTypedArray doesn't guarantee the input is an object, just that if it is an object, it is a typed array.
Attachment #714162 - Flags: review?(jdemooij)
Attachment #714162 - Flags: review?(jdemooij) → review+
Comment on attachment 714162 [details] [diff] [review]
fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

18 through nightly.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This patch will apply on older branches.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely, just tbpl/awfy.
Attachment #714162 - Flags: sec-approval?
Attachment #714162 - Flags: sec-approval? → sec-approval+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   119647:f11a8adb9a77
user:        Brian Hackett
date:        Wed Jan 23 08:43:40 2013 -0700
summary:     Bug 832578 - Tweaks to improve compilation of element accesses, r=dvander.

This iteration took 108.550 seconds to run.
https://hg.mozilla.org/mozilla-central/rev/5b56d8a519a5

Can we get a test checked in for this?
status-firefox22: --- → fixed
Flags: in-testsuite?
Target Milestone: --- → mozilla22
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Please go ahead with uplift nomination too, if low risk enough we'd want this in the next beta (landed before Tues Mar 12th)
This is marked tracking+ for 20, which is closing its doors soon. David, what's the plan on uplifts?
Flags: needinfo?(dvander)
The regression is due to Bug 832578 that landed in FF21. FF18-FF20 are unaffected. This only needs to get uplifted to FF21 (aurora currently)
status-firefox18: wontfixunaffected
status-firefox19: wontfixunaffected
status-firefox20: affectedunaffected
tracking-firefox20: + → ---
Flags: needinfo?(dvander)
Comment on attachment 714162 [details] [diff] [review]
fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #):
Bug 832578

User impact if declined:
Crashes

Testing completed (on m-c, etc.):
m-c, m-i for 1 month

Risk to taking this patch (and alternatives if risky):
Very low risk

String or UUID changes made by this patch: 
/
Attachment #714162 - Flags: approval-mozilla-aurora?
Attachment #714162 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: