Closed
Bug 863261
Opened 11 years ago
Closed 11 years ago
IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/IonBuilder.cpp:3099
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla23
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | + | fixed |
| firefox23 | + | verified |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update,ignore][adv-main22-])
Attachments
(1 file)
|
1.86 KB,
patch
|
nbp
:
review+
akeybl
:
approval-mozilla-aurora+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 3ada6a2fd0c6 (run with --ion-eager):
function TestCase(d) {
toPrinted(d)
}
function toPrinted(value) {}
function reportCompare (expected, actual, description) {
if (typeof description == "undefined")
toPrinted(expected);
new TestCase(description);
reportCompare();
}
reportCompare(Math['LN2'], Math['LN2'], 0);
|
Reporter | |
Comment 1•11 years ago
|
||
Not sure if this needs s-s but since previous similar asserts we're s-s, let's keep this one hidden until triaged. Requesting a bisect although I probably know already who's the right person for this ;)
Whiteboard: [jsbugmon:update,bisect]
|
Assignee | |
Comment 2•11 years ago
|
||
It depends on bug 796114 or bug 862100, i.e. FF22 is or will get affected.
Assignee: general → hv1989
Attachment #739062 -
Flags: review?(nicolas.b.pierron)
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 122585:437c955ff06d user: Nicolas B. Pierron date: Wed Jan 30 07:41:01 2013 -0800 summary: Bug 796114 - Inline with type-checked arguments. r=h4writer This iteration took 12.061 seconds to run.
|
||
Updated•11 years ago
|
Attachment #739062 -
Flags: review?(nicolas.b.pierron) → review+
|
|
Assignee | |
Comment 5•11 years ago
|
||
Comment on attachment 739062 [details] [diff] [review] Always box unknown inputs (even when not adding type barrier) So I learned I have to ask sec approval. [Security approval request comment] How easily could an exploit be constructed based on the patch? A decent amount of knowledge about IM and inlining is needed and prior information on how to achieve this. Also it is harder in normal situation than our test environment. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, I'll land the testcase after landing on aurora. FYI the commit line will be: Bug 863261: IonMonkey: Box unknown types when inlining, r=nbp Which older supported branches are affected by this flaw? aurora only If not all supported branches, which bug introduced the flaw? Bug 796114 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Same patch should apply to aurora How likely is this patch to cause regressions; how much testing does it need? Not much testing needed.
Attachment #739062 -
Flags: sec-approval?
|
||
Updated•11 years ago
|
status-firefox21:
--- → unaffected
status-firefox22:
--- → affected
status-firefox23:
--- → affected
tracking-firefox22:
--- → +
tracking-firefox23:
--- → +
|
|
||
Comment 6•11 years ago
|
||
Comment on attachment 739062 [details] [diff] [review] Always box unknown inputs (even when not adding type barrier) sec-approval+. Please nominate this patch (or Aurora specific one) for Aurora. Release management may want a security rating on it to judge severity but I expect we'll take it.
Attachment #739062 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 7•11 years ago
|
||
Comment on attachment 739062 [details] [diff] [review] Always box unknown inputs (even when not adding type barrier) [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 796114 User impact if declined: Possible crashes during compilation on special crafted scripts. That's the reason it took so long to find this issue. Testing completed (on m-c, etc.): Tested jit-tests. Can't test/land on m-c. Since today that code path is gone. Removed by a big improvement. Risk to taking this patch (and alternatives if risky): Very low. It moves some code a little bit higher, so the reason why this code is added also applies to the code in between. String or IDL/UUID changes made by this patch: /
Attachment #739062 -
Flags: approval-mozilla-aurora?
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 8•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8b1a7228674a).
|
||
Comment 9•11 years ago
|
||
We're assuming this is at least sec-high given the fact that this went through sec-approval. We'll approve this low risk regression fix.
Keywords: sec-high
|
|
||
Comment 10•11 years ago
|
||
Comment on attachment 739062 [details] [diff] [review] Always box unknown inputs (even when not adding type barrier) Please resolve this as fixed and change the target milestone to 22 once this has landed.
Attachment #739062 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 11•11 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #9) > We're assuming this is at least sec-high given the fact that this went > through sec-approval. We'll approve this low risk regression fix. To be clear, I didn't assume that. It is just that people have to ask for sec-high and sec-critical. If they ask for an unknown and it seems safe and appropriate, I'll approve but I do realize we want ratings for decisions on branches as well.
|
||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/4cf75b25cdc3 Same question as bug 863755. Our normal process it to not uplift to the branches until after the patch reaches m-c. Why was this procedure not followed here?
|
|
||
Comment 13•11 years ago
|
||
Explained in bug 863755, thanks!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 14•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main22-]
|
|
Assignee | |
Comment 15•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9063e9ebc320
Flags: in-testsuite+
|
||
Comment 16•11 years ago
|
||
Marking status-firefox23:verified based on comment 14.
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•