Closed Bug 880228 Opened 11 years ago Closed 11 years ago

Assertion failure: (ptrBits & 0x7) == 0, at ./dist/include/js/Value.h:703 or Crash [@ GetValueType] or Crash [@ operator->]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox23 --- unaffected
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 204de5b7e0a6 (run with --ion-eager):


o = 9;
Object.prototype.__proto__=null
evaluate('\
var o = {\
    "" : 2\
};\
var o = 430717;\
o.x = 4;\
', { noScriptRval : true } );

Crash trace:


Program received signal SIGSEGV, Segmentation fault.
GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:201
201             return Type::ObjectType(&val.toObject());
#0  GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:201
#1  GetValueType (val=..., cx=<optimized out>) at js/src/jsinfer.cpp:5713
#2  js::types::TypeMonitorResult (cx=0x1624520, script=0x7ffff5e511c0, pc=0x1642da1 "\232", rval=...) at js/src/jsinfer.cpp:5729
#3  0x000000000068be8d in Monitor (rval=..., pc=0x1642da1 "\232", script=<optimized out>, cx=0x1624520) at ../jsinferinlines.h:965
#4  js::ion::DoGetNameFallback (cx=0x1624520, frame=<optimized out>, stub=0x16371a0, scopeChain=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, res=$jsval((JSObject *) 0x7fff0006927d Cannot access memory at address 0x7fff0006927d)) at js/src/ion/BaselineIC.cpp:4915
#5  0x00007ffff7f97ea2 in ?? ()
#6  0x0000000000000000 in ?? ()
r13     0x6927d 140733193818749
=> 0x577ae8 <js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+200>:        mov    0x8(%r13),%rdx


In the original crash, the crashing function was operator-> so I assume we're operating on a corrupted object. If this object can be controlled, then it's likely sec-critical.
Crash Signature: [@ operator->] [@ GetValueType]
Keywords: crash, sec-critical
Whiteboard: [jsbugmon:update,bisect]
It would be good to get a bisect so we can know how far back this goes.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/e1bca8b56470
user:        Jan de Mooij
date:        Fri May 24 14:03:31 2013 +0200
summary:     Bug 868431 - Disable Ion when Baseline is disabled, remove bailout-to-interpreter code. r=djvj

This iteration took 11.611 seconds to run.
Needinfo from Jan based on comment 4.
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d79910d9e251).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d79910d9e251).
JSBugMon: Fix Bisection requested, result:
Due to skipped revisions, the first good revision could be any of:
changeset:   http://hg.mozilla.org/mozilla-central/rev/b6652771e70f
user:        Chris Peterson
date:        Mon Jun 10 11:24:27 2013 -0700
summary:     Back out changeset 12cdc8931e48 (Bug 857730) to remove Android Contacts permission.

changeset:   http://hg.mozilla.org/mozilla-central/rev/7ecbdd658637
user:        Shu-yu Guo
date:        Mon Jun 10 12:10:13 2013 -0700
summary:     Bug 879723 - Make sure property types reflect inherited types from the prototype when specializing a setgname. (r=bhackett)

This iteration took 325.274 seconds to run.
Shu-yu, is bug 879723 a possible fix?
Flags: needinfo?(jdemooij) → needinfo?(shu)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #8)
> Shu-yu, is bug 879723 a possible fix?

The test case looks like it might be triggering the same path I described in bug 879723, so it's possible that my patch fixed it.

 1) Setting a global var to be one type
 2) Mess with __proto__ to mark the global prototype to be marked unknownProperties
 3) Ion eager causes us to specialize on the wrong typeset since we weren't propagating unknownProperties in compiling JSOP_SETGNAME
 4) Set the same global var to be another type; Ion doesn't store the type tag
 5) Crash sometime later
Flags: needinfo?(shu)
s/to mark/to cause
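The five steps in comment 9, modelled as an added example in C (not Mozilla's code): a minimal model of the x86_64 JS::Value layout (17-bit tag above a 47-bit payload) showing how a store that writes only the int32 payload into a slot still typed as "object" leaves the object tag in place, so the slot reads back as the unaligned pointer 0x7fff0006927d seen in the trace (430717 is 0x6927d) and fails the (ptrBits & 0x7) == 0 check from the title. The tag constants are assumed from the public headers of that era, and the global object address from the gdb output stands in for the old object pointer.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* x86_64 JS::Value layout: 17-bit tag above a 47-bit payload. Constants as
 * recalled from the public headers of 2013; treat them as assumptions. */
#define TAG_SHIFT    47
#define TAG_INT32    0x1FFF1u
#define TAG_OBJECT   0x1FFFCu
#define PAYLOAD_MASK 0x00007FFFFFFFFFFFULL

typedef uint64_t jsval_bits;

static unsigned  tag_of(jsval_bits v)     { return (unsigned)(v >> TAG_SHIFT); }
static uintptr_t payload_of(jsval_bits v) { return (uintptr_t)(v & PAYLOAD_MASK); }

/* The check behind the title's assertion: object pointers are 8-byte aligned. */
static int object_pointer_is_sane(uintptr_t ptr_bits) { return (ptr_bits & 0x7) == 0; }

static jsval_bits box_int32(int32_t i) {
    return ((jsval_bits)TAG_INT32 << TAG_SHIFT) | (uint32_t)i;
}
static jsval_bits box_object(uintptr_t obj) {
    assert(object_pointer_is_sane(obj));
    return ((jsval_bits)TAG_OBJECT << TAG_SHIFT) | obj;
}

/* Correct store (step 4 done right): the whole 64-bit box is rewritten. */
static jsval_bits store_int32_full(jsval_bits slot, int32_t i) {
    (void)slot;
    return box_int32(i);
}

/* Buggy store modelled on step 4: the compiler trusted the stale "always an
 * object" type and wrote only the 32-bit payload, leaving the object tag and
 * the high payload bits of the old pointer in place. */
static jsval_bits store_int32_payload_only(jsval_bits slot, int32_t i) {
    return (slot & ~(jsval_bits)0xFFFFFFFFu) | (uint32_t)i;
}

int main(void) {
    /* Old slot contents: stand-in object pointer taken from the gdb trace. */
    jsval_bits slot = box_object((uintptr_t)0x7ffff5e4d060ULL);
    jsval_bits bad  = store_int32_payload_only(slot, 430717);  /* var o = 430717; */
    printf("tag still object: %d, payload 0x%llx, aligned: %d\n",
           tag_of(bad) == TAG_OBJECT, (unsigned long long)payload_of(bad),
           object_pointer_is_sane(payload_of(bad)));
    return 0;
}
```

In a debug build the unaligned payload trips the Value.h assertion; in an optimized build it is dereferenced as an object, which is the `mov 0x8(%r13)` crash in the trace.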
Assuming fixed by bug 879723, as per comment 9.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Blocks: 868431
Keywords: regression
Group: core-security