Closed Bug 905903 Opened 11 years ago Closed 11 years ago

Assertion failure: [barrier verifier] Unmarked edge: baseline-monitor-stub-ioncode, at gc/Verifier.cpp:570 with setObjectMetadataCallback

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla27
Tracking Flags:
Tracking Status
firefox23 --- unaffected
firefox24 --- wontfix
firefox25 --- wontfix
firefox26 + fixed
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- fixed
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- fixed

People

(Reporter: decoder, Assigned: djvj)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][fuzzblocker][adv-main26+])

Attachments

(3 files)

[crash-signature] Machine-readable crash signature
784 bytes, text/plain
Details
pre-barrier-fix.patch
882 bytes, patch
terrence
: review+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
pre-barrier-fix-esr24.patch
882 bytes, patch
abillings
: approval-mozilla-esr24+
Details | Diff | Splinter Review
The following testcase asserts on mozilla-central revision a8daa428ccbc (run with --fuzzing-safe): var lfcode = new Array(); lfcode.push(""); lfcode.push(""); lfcode.push("1"); lfcode.push(""); lfcode.push(""); lfcode.push(""); lfcode.push(""); lfcode.push("2"); lfcode.push("gczeal(4);"); lfcode.push("setObjectMetadataCallback(function(obj) {});"); while (true) { var file = lfcode.shift(); if (file == undefined) { break; } loadFile(file) } function loadFile(lfVarx) { try { if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) { switch (lfRunTypeId) { case 2: new Function(lfVarx)(); break; } } else if (!isNaN(lfVarx)) { lfRunTypeId = parseInt(lfVarx); } } catch (lfVare) { } }
Again like bug 886850, same signature. Needinfo from Brian.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/be1399f8f973 user: Brian Hackett date: Thu May 30 17:37:22 2013 -0600 summary: Bug 850026 - Allow metadata objects to be associated with JS objects, and add a hook for attaching metadata to newly created objects, r=luke. This iteration took 1.682 seconds to run.
Could you maybe look at this, djvj? It looks like it involves baseline. Thanks.
Flags: needinfo?(kvijayan)
Ok.
Assignee: general → kvijayan
Flags: needinfo?(kvijayan)
I'm going to mark this sec-high until we know that this is just some weirdness of setObjectMetadataCallback in particular.
Keywords: sec-high
Putting needinfo again on djvj. This keeps filling up my inbox day by day, it produces lots of signatures.
Flags: needinfo?(kvijayan)
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
This seems to be the issue: #0 js::jit::BaselineScript::purgeOptimizedStubs (this=0x95c5b68, zone=0x95cb248) at /home/kvijayan/Checkouts/mozilla-inbound/js/src/jit/BaselineJIT.cpp:796 #1 0x084f8882 in js::jit::FinishDiscardBaselineScript (fop=0x95942b0, script=0xf6f2b100) at /home/kvijayan/Checkouts/mozilla-inbound/js/src/jit/BaselineJIT.cpp:862 #2 0x08343c2c in js::ReleaseAllJITCode (fop=0x95942b0) at /home/kvijayan/Checkouts/mozilla-inbound/js/src/jsgc.cpp:4979 #3 0x083290b3 in js::SetObjectMetadataCallback (cx=0x95a6938, callback= 0x821af28 <ShellObjectMetadataCallback(JSContext*, JSObject**)>) It happens right before the verifier error. I suspect that purgeOptimizedStubs doesn't properly trace monitored stub chains. It may have something to do with the fact that purgeOptimizedStubs is called from a non-GC context.
Flags: needinfo?(kvijayan)
Found it. When clearing out the type monitored stubs, we clear out the optimized stubs, but we only actually trace the fallback stub. This makes no sense since the fallback stub is the one that survives the clearing out, and the optimized stubs are the ones that don't.
Attachment #808234 - Flags: review?(terrence)
Comment on attachment 808234 [details] [diff] [review] pre-barrier-fix.patch Review of attachment 808234 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay, but I wanted to make sure I understood what's going on here. r=me, Good find! ::: js/src/jit/BaselineIC.cpp @@ +466,5 @@ > { > if (zone->needsBarrier()) { > // We are removing edges from monitored stubs to gcthings (IonCode). > // Perform one final trace of all monitor stubs for incremental GC, > // as it must know about those edges. Could you update this comment to clarify what you explained in comment 9 of this bug?
Attachment #808234 - Flags: review?(terrence) → review+
(In reply to Terrence Cole [:terrence] from comment #10) > ::: js/src/jit/BaselineIC.cpp > @@ +466,5 @@ > > { > > if (zone->needsBarrier()) { > > // We are removing edges from monitored stubs to gcthings (IonCode). > > // Perform one final trace of all monitor stubs for incremental GC, > > // as it must know about those edges. > > Could you update this comment to clarify what you explained in comment 9 of > this bug? The comment actually correctly describes the new behaviour (we trace the monitor stubs). The problem was that the code prior to this patch wasn't actually implementing that behaviour, instead it was tracing just the fallback monitor stub.
Flags: needinfo?(bhackett1024)
status-firefox24: affectedwontfix
status-firefox27: --- → fixed
status-firefox-esr24: --- → affected
Target Milestone: --- → mozilla27
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
status-b2g18: --- → unaffected
can we get a beta uplift nomination here? if this is low risk to land on beta we should get it in.
Flags: needinfo?(kvijayan)
Comment on attachment 808234 [details] [diff] [review] pre-barrier-fix.patch [Approval Request Comment] Bug caused by (feature/regressing bug #): N/A. Part of some core baseline code before it landed. User impact if declined: Use-after-free caused by incomplete tracing of objects. Testing completed (on m-c, etc.): Green in central for over a month. Risk to taking this patch (and alternatives if risky): Very low. String or IDL/UUID changes made by this patch: N/A
Attachment #808234 - Flags: approval-mozilla-beta?
Flags: needinfo?(kvijayan)
Keywords: csec-uaf
Attachment #808234 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
ESR24 patch needed - we'd like to go to build for ESR late Tuesday or Wednesday.
Flags: needinfo?(kvijayan)
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][adv-main26+]
[Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec-high bug. User impact if declined: Garbage collection bug in tracing baseline ICs. Crashes. Use-after-free. Fix Landed on Version: Firefox 29 Risk to taking this patch (and alternatives if risky): Very low risk. String or UUID changes made by this patch: N/A See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info. ESR234 version
Attachment #8341743 - Flags: approval-mozilla-esr24?
Flags: needinfo?(kvijayan)
Attachment #8341743 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: