IonMonkey: Assertion failure: isObject(), at ./dist/include/js/Value.h:1111 or Crash on Heap with invalid read

VERIFIED FIXED in Firefox 21

Status

Type: defect
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks 1 bug, 5 keywords)

Version: Trunk
Target Milestone: mozilla22
Platform: x86_64
OS: Linux
Points: ---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox18 unaffected, firefox19 unaffected, firefox20 unaffected, firefox21+ fixed, firefox22 fixed, firefox-esr17 unaffected, b2g18 disabled)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

Reporter

Description

6 years ago
The following testcase asserts on mozilla-central revision fe298855f9d2 (run with --ion-eager):


var M4x4 = {};
M4x4.mul = function M4x4_mul(a, b, r) {
    a11 = a[0]
    return "this.getWeekOfYear() + ";
    a22 = a[5]
};
M4x4.makeLookAt = function M4x4_makeLookAt() {
    tm1 = Float32Array(16);
    tm2 = Float32Array(16);
    r = new Float32Array(16)
    return M4x4.mul(tm1, tm2, r);
};
var jellyfish = {};
function jellyfishInstance() {}
jellyfishInstance.prototype.drawShadow = function () {
    pMatrix = M4x4.makeLookAt();
    M4x4.mul(M4x4.makeLookAt(), pMatrix, pMatrix);
}
jellyfish[0] = new jellyfishInstance()
for (var i = 0, j = 0; i < jellyfish.count, j < 30; ++j) {
    jellyfish[0].drawShadow();
}
Reporter

Comment 1

6 years ago
Debug trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000be54bb in toObject (this=0x1369690) at ./dist/include/js/Value.h:1111
1111            MOZ_ASSERT(isObject());
(gdb) bt
#0  0x0000000000be54bb in toObject (this=0x1369690) at ./dist/include/js/Value.h:1111
#1  js::ion::IonBuilder::getTypedArrayLength (this=0x7fffffff30e0, obj=0x1369620) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5443
#2  0x0000000000be5b4b in js::ion::IonBuilder::jsop_getelem_typed (this=0x7fffffff30e0, arrayType=6) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5515
#3  0x0000000000be49b4 in js::ion::IonBuilder::jsop_getelem (this=0x7fffffff30e0) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5305
#4  0x0000000000bc9a57 in js::ion::IonBuilder::inspectOpcode (this=0x7fffffff30e0, op=JSOP_GETELEM) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:1016
#5  0x0000000000bc7f3e in js::ion::IonBuilder::traverseBytecode (this=0x7fffffff30e0) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:687
#6  0x0000000000bc760c in js::ion::IonBuilder::buildInline (this=0x7fffffff30e0, callerBuilder=0x7fffffff4830, callerResumePoint=0x136a4f8, callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:486
#7  0x0000000000bd46bc in js::ion::IonBuilder::inlineScriptedCall (this=0x7fffffff4830, target=(JSFunction * const) 0x7ffff6036040 [object Function "M4x4_mul"], callInfo=...)
    at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:2910
#8  0x0000000000bd8f7f in js::ion::IonBuilder::inlineScriptedCalls (this=0x7fffffff4830, targets=..., originals=..., callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:3394
#9  0x0000000000bdda29 in js::ion::IonBuilder::jsop_call (this=0x7fffffff4830, argc=3, constructing=false) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:4034
#10 0x0000000000bc928a in js::ion::IonBuilder::inspectOpcode (this=0x7fffffff4830, op=JSOP_CALL) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:940
#11 0x0000000000bc7f3e in js::ion::IonBuilder::traverseBytecode (this=0x7fffffff4830) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:687
#12 0x0000000000bc760c in js::ion::IonBuilder::buildInline (this=0x7fffffff4830, callerBuilder=0x1359528, callerResumePoint=0x135fae8, callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:486
#13 0x0000000000bd46bc in js::ion::IonBuilder::inlineScriptedCall (this=0x1359528, target=(JSFunction * const) 0x7ffff6036140 [object Function "jellyfishInstance.prototype.drawShadow"], callInfo=...)
    at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:2910
#14 0x0000000000bd8f7f in js::ion::IonBuilder::inlineScriptedCalls (this=0x1359528, targets=..., originals=..., callInfo=...) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:3394
#15 0x0000000000bdda29 in js::ion::IonBuilder::jsop_call (this=0x1359528, argc=0, constructing=false) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:4034
#16 0x0000000000bc928a in js::ion::IonBuilder::inspectOpcode (this=0x1359528, op=JSOP_CALL) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:940
#17 0x0000000000bc7f3e in js::ion::IonBuilder::traverseBytecode (this=0x1359528) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:687
#18 0x0000000000bc5241 in js::ion::IonBuilder::build (this=0x1359528) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:349
#19 0x0000000000b8d28a in js::ion::SequentialCompileContext::compile (this=0x7fffffff62df, builder=0x1359528, graph=0x1359478, autoDelete=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1223
#20 0x0000000000b9bb72 in js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0x12f28b0, script=0x7ffff6027100, fun=0x0, osrPc=0x1307b8c  <incomplete sequence \343\232>, constructing=false, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1184
#21 0x0000000000b95fca in js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x12f28b0, script=0x7ffff6027100, fun=0x0, osrPc=0x1307b8c  <incomplete sequence \343\232>, constructing=false, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1398
#22 0x0000000000b8da9c in js::ion::CanEnterAtBranch (cx=0x12f28b0, script=0x7ffff6027100, fp=..., pc=0x1307b8c  <incomplete sequence \343\232>, isConstructing=false)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1444
#23 0x0000000000628537 in js::Interpret (cx=0x12f28b0, entryFrame=0x7ffff62f4038, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:1397
#24 0x000000000061c430 in js::RunScript (cx=0x12f28b0, fp=0x7ffff62f4038) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:306
#25 0x000000000061ec65 in js::ExecuteKernel (cx=0x12f28b0, script=0x7ffff6027100, scopeChain=(JSObject &) @0x7ffff6023060 [object global] delegate, thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0)
    at /srv/repos/mozilla-central/js/src/jsinterp.cpp:512
#26 0x000000000061ef7b in js::Execute (cx=0x12f28b0, script=0x7ffff6027100, scopeChainArg=(JSObject &) @0x7ffff6023060 [object global] delegate, rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:552
#27 0x000000000048a22d in JS_ExecuteScript (cx=0x12f28b0, objArg=(JSObject *) 0x7ffff6023060 [object global] delegate, scriptArg=0x7ffff6027100, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5508
#28 0x000000000040cc50 in Process (cx=0x12f28b0, obj_=(JSObject *) 0x7ffff6023060 [object global] delegate, filename=0x7fffffffe187 "test.js", forceTTY=false) at /srv/repos/mozilla-central/js/src/shell/js.cpp:577
#29 0x0000000000427267 in ProcessArgs (cx=0x12f28b0, obj_=(JSObject *) 0x7ffff6023060 [object global] delegate, op=0x7fffffffdcb0) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5098
#30 0x0000000000427457 in Shell (cx=0x12f28b0, op=0x7fffffffdcb0, envp=0x7fffffffdea8) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5135
#31 0x0000000000427e02 in main (argc=3, argv=0x7fffffffde88, envp=0x7fffffffdea8) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5351

Opt trace:

==5359== Invalid read of size 4
==5359==    at 0x402EC61: ???
==5359==    by 0xFFFA000000000009: ???
==5359==    by 0xFFF880000000000F: ???
==5359==    by 0x7031F7F: ???
==5359==    by 0x703703F: ???
==5359==    by 0x7031F7F: ???
==5359==    by 0x6B006F006F004B: ???
==5359==    by 0x5F2292F: ???
==5359==    by 0x602866F: ???
==5359==    by 0x4026791: ???
==5359==    by 0xC0: ???
==5359==    by 0x70270E8: ???
==5359==  Address 0x6b006f006f004c is not stack'd, malloc'd or (recently) free'd


S-s and sec-critical due to the opt-crash which looks particularly dangerous.
Whiteboard: [jsbugmon:update,bisect]
Assigning to David during CRITSMASH.
Assignee: general → dvander
Posted patch: fix
elementReadIsTypedArray doesn't guarantee the input is an object, just that if it is an object, it is a typed array.
Attachment #714162 - Flags: review?(jdemooij)
Attachment #714162 - Flags: review?(jdemooij) → review+
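The gap described in the comment above, as a small added model in C++ (this is not SpiderMonkey's code: the names elementReadIsTypedArray and getTypedArrayLength come from this bug, while the Tag, ObjClass and TypeSet types and the hardened predicate isTypedArrayObjectOnly are assumptions). It shows why a predicate that only constrains the object members of a type set is vacuously true for a set containing no objects at all, and the tag check that has to hold before toObject() is safe to call.

```cpp
// Added model (not SpiderMonkey code) of the vacuous-predicate bug and its guard.
#include <cassert>
#include <cstdint>
#include <vector>

enum class Tag { Undefined, Int32, String, Object };   // hypothetical value tags
enum class ObjClass { Plain, TypedArray };              // hypothetical object classes

struct Obj { ObjClass clasp; uint32_t length; };

// Stand-in for js::Value: toObject() is only valid on an object-tagged value,
// which is the assertion that fired in the debug trace above.
struct Value {
    Tag tag;
    const Obj *obj;
    bool isObject() const { return tag == Tag::Object; }
    const Obj &toObject() const { assert(isObject()); return *obj; }
};

// Stand-in for a type-inference type set: the tags a definition may carry and
// the classes of any objects among them.
struct TypeSet {
    std::vector<Tag> tags;
    std::vector<ObjClass> objectClasses;
};

// Model of elementReadIsTypedArray(): every *object* in the set is a typed
// array. A set with no objects at all (e.g. only Undefined) passes vacuously.
bool elementReadIsTypedArray(const TypeSet &ts) {
    for (ObjClass c : ts.objectClasses)
        if (c != ObjClass::TypedArray) return false;
    return true;
}

// Hardened form (assumed, not the exact patch): also require that Object is the
// only possible tag before the typed-array fast path may be taken.
bool isTypedArrayObjectOnly(const TypeSet &ts) {
    if (ts.tags.empty()) return false;
    for (Tag t : ts.tags)
        if (t != Tag::Object) return false;
    return elementReadIsTypedArray(ts);
}

// Model of the constant-length path in getTypedArrayLength(): it is only safe
// once the caller has proved the value is an object.
bool constantTypedArrayLength(const Value &v, uint32_t *lengthOut) {
    if (!v.isObject()) return false;
    *lengthOut = v.toObject().length;
    return true;
}
```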
Comment on attachment 714162 [details] [diff] [review]
fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

18 through nightly.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This patch will apply on older branches.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely, just tbpl/awfy.
Attachment #714162 - Flags: sec-approval?
Attachment #714162 - Flags: sec-approval? → sec-approval+
Reporter

Updated

6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter

Comment 5

6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   119647:f11a8adb9a77
user:        Brian Hackett
date:        Wed Jan 23 08:43:40 2013 -0700
summary:     Bug 832578 - Tweaks to improve compilation of element accesses, r=dvander.

This iteration took 108.550 seconds to run.

https://hg.mozilla.org/mozilla-central/rev/5b56d8a519a5

Can we get a test checked in for this?
Flags: in-testsuite?
Target Milestone: --- → mozilla22
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Reporter

Updated

6 years ago
Status: RESOLVED → VERIFIED
Reporter

Comment 8

6 years ago
JSBugMon: This bug has been automatically verified fixed.
Duplicate of this bug: 842025
Please go ahead with uplift nomination too, if low risk enough we'd want this in the next beta (landed before Tues Mar 12th)

Comment 11

6 years ago
This is marked tracking+ for 20, which is closing its doors soon. David, what's the plan on uplifts?
Flags: needinfo?(dvander)
The regression is due to Bug 832578 that landed in FF21. FF18-FF20 are unaffected. This only needs to get uplifted to FF21 (aurora currently)
Comment on attachment 714162 [details] [diff] [review]
fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #):
Bug 832578

User impact if declined:
Crashes

Testing completed (on m-c, etc.):
m-c, m-i for 1 month

Risk to taking this patch (and alternatives if risky):
Very low risk

String or UUID changes made by this patch: 
/
Attachment #714162 - Flags: approval-mozilla-aurora?
Attachment #714162 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: core-security