Closed
Bug 877287
Opened 12 years ago
Closed 12 years ago
Assertion failure: !cx->compartment->activeAnalysis, at jsinterp.cpp:365 or Crash [@ js::ion::CodeGenerator::link] with Proxy
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla24
People
(Reporter: decoder, Assigned: djvj)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main22+])
Crash Data
Attachments
(5 files, 1 obsolete file)
1.24 KB,
text/plain
|
Details | |
623 bytes,
patch
|
h4writer
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
3.05 KB,
patch
|
bhackett1024
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
1.75 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
1.72 KB,
patch
|
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision e58336e81395 (run with --ion-eager):
this.__proto__ = null;
var p = Proxy.create({
has : function(id) {}
});
Object.prototype.__proto__ = p;
evaluate("var Uint16Array = 0;");
Reporter | ||
Comment 1•12 years ago
|
||
Reporter | ||
Comment 2•12 years ago
|
||
Crash is a null-deref, but marking s-s because other bugs with this assertion have been s-s.
Crash Signature: [@ js::ion::CodeGenerator::link]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•12 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 132895:e1bca8b56470
user: Jan de Mooij
date: Fri May 24 14:03:31 2013 +0200
summary: Bug 868431 - Disable Ion when Baseline is disabled, remove bailout-to-interpreter code. r=djvj
This iteration took 13.506 seconds to run.
Comment 4•12 years ago
|
||
Can you look into this, djvj, as Jandem is on PTO this week? Thanks!
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 5•12 years ago
|
||
CanEffectlesslyCallLookupGenericOnObject doesn't check for resolve hooks on object.
Attachment #758691 -
Flags: review?
Flags: needinfo?(kvijayan)
Assignee | ||
Updated•12 years ago
|
Assignee: general → kvijayan
Comment 6•12 years ago
|
||
I'm going to assume the regressing bug is correct.
status-b2g18:
--- → unaffected
status-firefox22:
--- → unaffected
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox24:
--- → ?
Assignee | ||
Comment 7•12 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #6)
> I'm going to assume the regressing bug is correct.
I'm trying to find the specific patch/bug that brought this in.
Comment 8•12 years ago
|
||
Thanks!
Assignee | ||
Comment 9•12 years ago
|
||
Best candidate for offending bug/commit:
changeset: 106691:d142f2087917
user: Kannan Vijayan <kvijayan@mozilla.com>
date: Wed Aug 08 18:51:24 2012 -0400
summary: Bug 781214 - Ensure plain-ness of template object before looking up properties on it in jsop_initprop. (r=mjrosenb)
Assignee | ||
Updated•12 years ago
|
Attachment #758691 -
Flags: review? → review?(hv1989)
Updated•12 years ago
|
Assignee | ||
Comment 10•12 years ago
|
||
Try run looks good:
https://tbpl.mozilla.org/?tree=Try&rev=1b2f89d29acd
Updated•12 years ago
|
Attachment #758691 -
Flags: review?(hv1989) → review+
Assignee | ||
Comment 11•12 years ago
|
||
Assignee | ||
Comment 12•12 years ago
|
||
Setting in-testsuite? flag to remember to add this to the test suite after uplift to affected versions and suitable time has passed.
Flags: in-testsuite?
Assignee | ||
Comment 13•12 years ago
|
||
Can someone confirm that this resolves the issue in the affected releases?
Comment 14•12 years ago
|
||
Sadface:
Regression: Mozilla-Inbound-Non-PGO - V8 version 7 - Ubuntu HW 12.04 - 7.4% decrease
Regression: Mozilla-Inbound-Non-PGO - Kraken Benchmark - Ubuntu HW 12.04 - 5.01% increase
Regression: Mozilla-Inbound-Non-PGO - Dromaeo (CSS) - Ubuntu HW 12.04 - 5.2% decrease
Across the board, it seems. :(
Comment 16•12 years ago
|
||
(In reply to Kannan Vijayan [:djvj] from comment #11)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/7df36088f645
Merged to m-c:
https://hg.mozilla.org/mozilla-central/rev/7df36088f645
Leaving open for the perf regression.
Comment 17•12 years ago
|
||
(In reply to Joe Drew (:JOEDREW! \o/) from comment #14)
> Sadface:
>
> Regression: Mozilla-Inbound-Non-PGO - V8 version 7 - Ubuntu HW 12.04 - 7.4%
> decrease
> Regression: Mozilla-Inbound-Non-PGO - Kraken Benchmark - Ubuntu HW 12.04 -
> 5.01% increase
> Regression: Mozilla-Inbound-Non-PGO - Dromaeo (CSS) - Ubuntu HW 12.04 - 5.2%
> decrease
>
> Across the board, it seems. :(
The same is visible on all architectures including FFOS on awfy[1].
[1] http://www.arewefastyet.com/#machine=14
Comment 18•12 years ago
|
||
Just looked to JM, and JM didn't need this check. So I assume our check is wrong here. What is JM checking and IM isn't?
Assignee | ||
Comment 19•12 years ago
|
||
Check was too strict. Updated patch coming now.
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 20•12 years ago
|
||
Fixes massive regression by passing the name being looked up to the checker function. If the property is defined on a current object as a native property, checks for resolve hook on that object and its prototypes can be skipped.
Attachment #759163 -
Flags: review?(hv1989)
Comment 21•12 years ago
|
||
Comment on attachment 759163 [details] [diff] [review]
Fix massive regression.
Review of attachment 759163 [details] [diff] [review]:
-----------------------------------------------------------------
Nice, let's remove that regression ;)
Attachment #759163 -
Flags: review?(hv1989) → review+
Comment 22•12 years ago
|
||
Comment on attachment 759163 [details] [diff] [review]
Fix massive regression.
Review of attachment 759163 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/ion/IonBuilder.cpp
@@ +5258,5 @@
> {
> while (obj) {
> if (!obj->isNative())
> return false;
> + if (obj->nativeLookup(cx, id))
I think this check makes more sense after the next if.
Assignee | ||
Comment 23•12 years ago
|
||
I looked through the call path of JSObject::lookupGeneric, and I can't find a single call to the lookupProperty hook. There are calls to the lookupGeneric hook in the path, but not lookupProperty.
I'm changing the patch to reflect review comment as well as the above observation.
Attachment #759163 -
Attachment is obsolete: true
Attachment #759248 -
Flags: review?(hv1989)
Assignee | ||
Updated•12 years ago
|
Attachment #759248 -
Flags: review?(hv1989) → review?(bhackett1024)
Updated•12 years ago
|
Attachment #759248 -
Flags: review?(bhackett1024) → review+
![]() |
||
Comment 24•12 years ago
|
||
Comment on attachment 759248 [details] [diff] [review]
Fix regression, v2.
You may want to add comments in nativeLookup and its callees to adjust this code if their code ever changes...
Assignee | ||
Comment 25•12 years ago
|
||
Boris: Added comments in relevant places. Thanks for the suggestion.
Committed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f98048e391b7
Comment 26•12 years ago
|
||
Probably doesn't happen, but something could have some of the other lookup stubs and not this one.
Comment 27•12 years ago
|
||
(In reply to Kannan Vijayan [:djvj] from comment #25)
> Boris: Added comments in relevant places. Thanks for the suggestion.
>
> Committed:
> https://hg.mozilla.org/integration/mozilla-inbound/rev/f98048e391b7
Fix acknowledged by AWFY on FFOS [1], other architectures are not yet updated.
[1] http://www.arewefastyet.com/#machine=14
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 28•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9ca690835a5e).
Comment 30•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 31•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Assignee | ||
Comment 33•12 years ago
|
||
Comment on attachment 758691 [details] [diff] [review]
Fix CanEffectlesslyCallLookupGenericOnObject
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
Bug 781214
User impact if declined:
Javascript correctness error - Property hooks may be called unnecessarily.
Testing completed (on m-c, etc.):
Three days clean on m-c.
Risk to taking this patch (and alternatives if risky):
Low.
String or IDL/UUID changes made by this patch:
None.
Attachment #758691 -
Flags: approval-mozilla-beta?
Attachment #758691 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 34•12 years ago
|
||
> User impact if declined:
> Javascript correctness error - Property hooks may be called unnecessarily.
Also: security issue. We should never execute JS code while Ion-compiling, but this bug allows for that to happen.
Assignee | ||
Comment 35•12 years ago
|
||
Comment on attachment 759248 [details] [diff] [review]
Fix regression, v2.
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
Bug 781214
User impact if declined:
Regression introduced by above patch. Either both of these patches should be approved, or neither should be approved.
Testing completed (on m-c, etc.):
Three days clean on m-c.
Risk to taking this patch (and alternatives if risky):
Low.
String or IDL/UUID changes made by this patch:
None.
Attachment #759248 -
Flags: approval-mozilla-beta?
Attachment #759248 -
Flags: approval-mozilla-aurora?
Comment 36•12 years ago
|
||
What is the security rating of this bug? That's a prerequisite for tracking/landing.
![]() |
||
Comment 37•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] (out till 6/10) from comment #36)
> What is the security rating of this bug? That's a prerequisite for
> tracking/landing.
Setting needinfo.
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 38•12 years ago
|
||
I have to punt this question to bhackett. Brian, what are the security implications of running JS code inadvertantly when doing Ion compilation? Is it serious?
Flags: needinfo?(bhackett1024)
Comment 39•12 years ago
|
||
It's pretty bad if code runs during compilation --- mainly, no invalidation will occur until the original compilation finishes, so if the JS code executes any jitcode it could induce a crash or exploit by changing the jitcode's type assumptions before calling it.
Flags: needinfo?(bhackett1024)
Updated•12 years ago
|
Keywords: sec-critical
Updated•12 years ago
|
Attachment #758691 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
|
Attachment #759248 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
|
Comment 40•12 years ago
|
||
Comment 41•12 years ago
|
||
Backed out for jit-test failures.
https://hg.mozilla.org/releases/mozilla-aurora/rev/40c9d5acd1b7
https://tbpl.mozilla.org/php/getParsedLog.php?id=24080191&tree=Mozilla-Aurora
Comment 42•12 years ago
|
||
Our final beta build is on Monday. Is this safe to land given the recent failures? Makes me a bit more concerned.
Assignee | ||
Comment 43•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #42)
> Our final beta build is on Monday. Is this safe to land given the recent
> failures? Makes me a bit more concerned.
No, it's not. Bug 882834 needs to land first. But I can't land that yet because it causes mochitest and browser chrome test failures.
I thought the beta build got frozen next week (June 24)? I was hoping to get these in this week, before that window.
Flags: needinfo?(kvijayan)
![]() |
||
Comment 44•12 years ago
|
||
June 24 is when the release happens.
Updated•12 years ago
|
Comment 45•12 years ago
|
||
Comment on attachment 758691 [details] [diff] [review]
Fix CanEffectlesslyCallLookupGenericOnObject
Too late for our final beta of FF22.
Attachment #758691 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Updated•12 years ago
|
Attachment #759248 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment 46•12 years ago
|
||
djvj is going to make the case on the security list to take this in FF22 once he's completed the regression fixes.
Assignee | ||
Comment 47•12 years ago
|
||
Talked with bhackett with this for a while and he suggested a much more minor, safer, simpler fix that would address the sec-crit issues for release.
The main issue here is running JS code while ion-compiling JS code. The solution he proposed was just to take the debug-only ASSERTs that check for this, and turn them into runtime soft checks that throw exceptions.
I'm jit-testing a patch for this right now, but attaching and requesting beta approval for it in the meantime.
Assignee | ||
Comment 48•12 years ago
|
||
This throws "undefined" as an exception if we encounter the activeAnalysis flag on the compartment when trying to interpret.
Attachment #763673 -
Flags: review?(bhackett1024)
Comment 49•12 years ago
|
||
Comment on attachment 763673 [details] [diff] [review]
Make the activeAnalysis check into a soft check.
Review of attachment 763673 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jsinterp.cpp
@@ +394,5 @@
> {
> JS_ASSERT(args.length() <= StackSpace::ARGS_LENGTH_MAX);
> JS_ASSERT(!cx->compartment->activeAnalysis);
>
> + // Even on optimized builds, never allow execution of JS code when compiling.
rm the 'even on optimized builds' bit.
@@ +396,5 @@
> JS_ASSERT(!cx->compartment->activeAnalysis);
>
> + // Even on optimized builds, never allow execution of JS code when compiling.
> + if (cx->compartment->activeAnalysis) {
> + cx->setPendingException(UndefinedValue());
I think it would be better to throw a real error here. Something like this should be fine:
JS_ReportError(cx, "Can't run scripts during analysis");
@@ +1050,5 @@
> + // Even on optimized builds, never allow execution of JS code when compiling.
> + if (cx->compartment->activeAnalysis) {
> + cx->setPendingException(UndefinedValue());
> + return Interpret_Error;
> + }
Ditto the above (or consolidate these into a helper method).
Attachment #763673 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 50•12 years ago
|
||
With comments addressed above.
Assignee | ||
Comment 51•12 years ago
|
||
Comment on attachment 763682 [details] [diff] [review]
UPDATED: Make the activeAnalysis check into a soft check.
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
Bug 781214
User impact if declined:
Exploitable security issue, controlled native code execution.
This patch disables all code execution while compilation is occurring. This not only prevents the bug mentioned above, but also prevents this entire class of bugs. If some other exploitable path is found which allows an attacker to run JS code from within the browser, this patch will ensure that it throws an exception instead of running the exploit.
Testing completed (on m-c, etc.):
jit-tests on x86-32 and x86-64.
Risk to taking this patch (and alternatives if risky):
Very low.
String or IDL/UUID changes made by this patch:
None.
Attachment #763682 -
Flags: approval-mozilla-beta?
Attachment #763682 -
Flags: approval-mozilla-aurora?
Comment 52•12 years ago
|
||
Comment on attachment 763682 [details] [diff] [review]
UPDATED: Make the activeAnalysis check into a soft check.
Thanks for coming up with a very low risk fix on such a short timeline!
Attachment #763682 -
Flags: approval-mozilla-beta?
Attachment #763682 -
Flags: approval-mozilla-beta+
Attachment #763682 -
Flags: approval-mozilla-aurora?
Attachment #763682 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 53•12 years ago
|
||
Updated•12 years ago
|
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main22+]
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•