Closed Bug 842424 Opened 11 years ago Closed 11 years ago

IonMonkey: Assertion failure: addr % CellSize == 0, at ../../gc/Heap.h:831

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox20 --- unaffected
firefox21 --- fixed
firefox22 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

patch
1.93 KB, patch
terrence
: review+
bajaj
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 0acbd06d48a9 (run with --ion-eager):


gczeal(4);
function Employee ( name, dept ) {
  for each(b in [0, -0]) {}    
  this.dept = dept || "general";
}
function Manager () {}
Manager.prototype = new Employee();
Debug backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0804c117 in js::gc::Cell::address (this=0x42) at ../../gc/Heap.h:831
831         JS_ASSERT(addr % CellSize == 0);
(gdb) bt
#0  0x0804c117 in js::gc::Cell::address (this=0x42) at ../../gc/Heap.h:831
#1  0x0804c267 in js::gc::Cell::arenaHeader (this=0x42) at ../../gc/Heap.h:947
#2  0x0807fc17 in js::gc::Cell::getAllocKind (this=0x42) at ../gc/Heap.h:970
#3  0x081a57fd in js::gc::GetGCThingTraceKind (thing=0x42) at ../jsgcinlines.h:59
#4  0x085e4bc2 in js::gc::MarkKind (trc=0x8cc5f34, thingp=0xffff8a00, kind=JSTRACE_OBJECT) at /srv/repos/mozilla-central/js/src/gc/Marking.cpp:353
#5  0x085e59b7 in MarkValueInternal (trc=0x8cc5f34, v=0xf7433050) at /srv/repos/mozilla-central/js/src/gc/Marking.cpp:473
#6  0x085e79c1 in js::gc::MarkValueUnbarriered (trc=0x8cc5f34, v=0xf7433050, name=0x8a93499 "write barrier") at /srv/repos/mozilla-central/js/src/gc/Marking.cpp:697
#7  0x087632c0 in js::ion::MarkValueFromIon (rt=0x8cc5d50, vp=0xf7433050) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:2164
#8  0xf7fc8349 in ?? ()


S-s due to GC-related assertion.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   120953:53a09e22d034
user:        Terrence Cole
date:        Mon Jan 28 11:01:54 2013 -0800
summary:     Bug 706885 - Do not store singletons in the Nursery; r=bhackett

This iteration took 99.199 seconds to run.
Needinfo from Terrence based on comment 2.
Flags: needinfo?(terrence)
The thing that's being marked is a busted pointer. I have no idea how the implicated change could have caused this, but then I'm not terribly familiar with exactly how Ion uses the singleton property. I'm going to forward the needinfo to Brian, since he does actually know this and will probably have a much better idea what might be going wrong here.
Flags: needinfo?(terrence) → needinfo?(bhackett1024)
Attached patch patchSplinter Review 
There was a missing use of newKind that caused 'new' objects which are supposed to have singleton type to not have singleton type.  Their properties were then cleared, causing them to go out of sync with their type information --- they were marked as definitely having properties when they actually didn't have any, and Ion invoked a pre barrier on a slot of the object which did not correspond to any property, which in debug builds is a poisoned ObjectValue(42).
Attachment #716040 - Flags: review?(terrence)
Flags: needinfo?(bhackett1024)
Keywords: sec-high
Blocks: 706885
Keywords: regression
Comment on attachment 716040 [details] [diff] [review]
patch

Review of attachment 716040 [details] [diff] [review]:
-----------------------------------------------------------------

Nice assertion!
Attachment #716040 - Flags: review?(terrence) → review+
Comment on attachment 716040 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

not at all

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

no

Which older supported branches are affected by this flaw?

only aurora is affected, no release branches

How likely is this patch to cause regressions; how much testing does it need?

tbpl is fine
Attachment #716040 - Flags: sec-approval?
Attachment #716040 - Flags: sec-approval? → sec-approval+
Comment on attachment 716040 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 706885
User impact if declined: potential exploit
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): none
Attachment #716040 - Flags: approval-mozilla-aurora?
Followup to remove the nice assertion.  It didn't build on any compiler other than the one I tested on, and I don't think it adds that much.

https://hg.mozilla.org/integration/mozilla-inbound/rev/48c067a87ba2
https://hg.mozilla.org/mozilla-central/rev/48c067a87ba2
https://hg.mozilla.org/mozilla-central/rev/5b0002d4b427
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox21: --- → affected
status-firefox22: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Assignee: general → bhackett1024
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Attachment #716040 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: core-security
Verified the fix using a built js from mozilla-beta-af3011f1cccb (latest mozilla beta source atm) and the testcase from bug description: no assesrtions.
status-firefox22: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: