Closed
Bug 905903
Opened 11 years ago
Closed 11 years ago
Assertion failure: [barrier verifier] Unmarked edge: baseline-monitor-stub-ioncode, at gc/Verifier.cpp:570 with setObjectMetadataCallback
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla27
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | --- | wontfix |
firefox25 | --- | wontfix |
firefox26 | + | fixed |
firefox27 | --- | fixed |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | fixed |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | fixed |
People
(Reporter: decoder, Assigned: djvj)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][fuzzblocker][adv-main26+])
Attachments
(3 files)
784 bytes,
text/plain
|
Details | |
882 bytes,
patch
|
terrence
:
review+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
882 bytes,
patch
|
abillings
:
approval-mozilla-esr24+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision a8daa428ccbc (run with --fuzzing-safe):
var lfcode = new Array();
lfcode.push("");
lfcode.push("");
lfcode.push("1");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("2");
lfcode.push("gczeal(4);");
lfcode.push("setObjectMetadataCallback(function(obj) {});");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
case 2: new Function(lfVarx)(); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {
}
}
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Again like bug 886850, same signature. Needinfo from Brian.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/be1399f8f973
user: Brian Hackett
date: Thu May 30 17:37:22 2013 -0600
summary: Bug 850026 - Allow metadata objects to be associated with JS objects, and add a hook for attaching metadata to newly created objects, r=luke.
This iteration took 1.682 seconds to run.
Updated•11 years ago
|
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
status-firefox26:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox26:
--- → +
Comment 4•11 years ago
|
||
Could you maybe look at this, djvj? It looks like it involves baseline. Thanks.
Flags: needinfo?(kvijayan)
Comment 6•11 years ago
|
||
I'm going to mark this sec-high until we know that this is just some weirdness of setObjectMetadataCallback in particular.
Keywords: sec-high
Reporter | ||
Comment 7•11 years ago
|
||
Putting needinfo again on djvj. This keeps filling up my inbox day by day, it produces lots of signatures.
Flags: needinfo?(kvijayan)
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Assignee | ||
Comment 8•11 years ago
|
||
This seems to be the issue:
#0 js::jit::BaselineScript::purgeOptimizedStubs (this=0x95c5b68, zone=0x95cb248)
at /home/kvijayan/Checkouts/mozilla-inbound/js/src/jit/BaselineJIT.cpp:796
#1 0x084f8882 in js::jit::FinishDiscardBaselineScript (fop=0x95942b0, script=0xf6f2b100)
at /home/kvijayan/Checkouts/mozilla-inbound/js/src/jit/BaselineJIT.cpp:862
#2 0x08343c2c in js::ReleaseAllJITCode (fop=0x95942b0)
at /home/kvijayan/Checkouts/mozilla-inbound/js/src/jsgc.cpp:4979
#3 0x083290b3 in js::SetObjectMetadataCallback (cx=0x95a6938, callback=
0x821af28 <ShellObjectMetadataCallback(JSContext*, JSObject**)>)
It happens right before the verifier error. I suspect that purgeOptimizedStubs doesn't properly trace monitored stub chains. It may have something to do with the fact that purgeOptimizedStubs is called from a non-GC context.
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 9•11 years ago
|
||
Found it. When clearing out the type monitored stubs, we clear out the optimized stubs, but we only actually trace the fallback stub. This makes no sense since the fallback stub is the one that survives the clearing out, and the optimized stubs are the ones that don't.
Attachment #808234 -
Flags: review?(terrence)
Comment 10•11 years ago
|
||
Comment on attachment 808234 [details] [diff] [review]
pre-barrier-fix.patch
Review of attachment 808234 [details] [diff] [review]:
-----------------------------------------------------------------
Sorry for the delay, but I wanted to make sure I understood what's going on here.
r=me, Good find!
::: js/src/jit/BaselineIC.cpp
@@ +466,5 @@
> {
> if (zone->needsBarrier()) {
> // We are removing edges from monitored stubs to gcthings (IonCode).
> // Perform one final trace of all monitor stubs for incremental GC,
> // as it must know about those edges.
Could you update this comment to clarify what you explained in comment 9 of this bug?
Attachment #808234 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 11•11 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #10)
> ::: js/src/jit/BaselineIC.cpp
> @@ +466,5 @@
> > {
> > if (zone->needsBarrier()) {
> > // We are removing edges from monitored stubs to gcthings (IonCode).
> > // Perform one final trace of all monitor stubs for incremental GC,
> > // as it must know about those edges.
>
> Could you update this comment to clarify what you explained in comment 9 of
> this bug?
The comment actually correctly describes the new behaviour (we trace the monitor stubs). The problem was that the code prior to this patch wasn't actually implementing that behaviour, instead it was tracing just the fallback monitor stub.
Assignee | ||
Updated•11 years ago
|
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 12•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Reporter | ||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 14•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Comment 16•11 years ago
|
||
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
status-b2g18:
--- → unaffected
Comment 17•11 years ago
|
||
can we get a beta uplift nomination here? if this is low risk to land on beta we should get it in.
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 18•11 years ago
|
||
Comment on attachment 808234 [details] [diff] [review]
pre-barrier-fix.patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
N/A. Part of some core baseline code before it landed.
User impact if declined:
Use-after-free caused by incomplete tracing of objects.
Testing completed (on m-c, etc.):
Green in central for over a month.
Risk to taking this patch (and alternatives if risky):
Very low.
String or IDL/UUID changes made by this patch:
N/A
Attachment #808234 -
Flags: approval-mozilla-beta?
Assignee | ||
Updated•11 years ago
|
Flags: needinfo?(kvijayan)
Updated•11 years ago
|
Attachment #808234 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 19•11 years ago
|
||
Comment 20•11 years ago
|
||
status-b2g-v1.2:
--- → fixed
Comment 21•11 years ago
|
||
ESR24 patch needed - we'd like to go to build for ESR late Tuesday or Wednesday.
Flags: needinfo?(kvijayan)
Updated•11 years ago
|
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][adv-main26+]
Assignee | ||
Comment 22•11 years ago
|
||
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Sec-high bug.
User impact if declined:
Garbage collection bug in tracing baseline ICs. Crashes. Use-after-free.
Fix Landed on Version:
Firefox 29
Risk to taking this patch (and alternatives if risky):
Very low risk.
String or UUID changes made by this patch:
N/A
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
ESR234 version
Attachment #8341743 -
Flags: approval-mozilla-esr24?
Flags: needinfo?(kvijayan)
Updated•11 years ago
|
Attachment #8341743 -
Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Comment 23•11 years ago
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•