Closed Bug 921470 Opened 6 years ago Closed 6 years ago

Assertion failure: [barrier verifier] Unmarked edge: baseline-monitor-typeobject, at gc/Verifier.cpp:569

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla29
Tracking Status
firefox26 --- wontfix
firefox27 + fixed
firefox28 + fixed
firefox29 + fixed
firefox-esr24 27+ fixed
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- fixed
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update,testComment=8,origRev=aa986b6ce882][adv-main27+][adv-esr24.3+])

Attachments

(2 files, 1 obsolete file)

The following testcase asserts on mozilla-central revision e4cd2242cc7d (threadsafe build, run with --fuzzing-safe --ion-eager --thread-count=2 --ion-parallel-compile=on):


var lfcode = new Array();
lfcode.push("");
lfcode.push("4");
lfcode.push("\
	gczeal(4);\
	function callback() {}\
	callback({});\
	setObjectMetadataCallback(callback);\
");
while (true) {
    var file = lfcode.shift(); if (file == undefined) { break; }
    loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                case 4: eval("(function() { " + lfVarx + " })();"); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        }
    } catch (lfVare) {
        if (lfVare instanceof SyntaxError) {}
    }
}
This one doesn't reproduce on every run; you might need to run it a few times.
Whiteboard: [jsbugmon:ignore]
Marking as fuzzblocker because this triggers again quite often and with a lot of signatures. Djvj, can you take a look?
Flags: needinfo?(kvijayan)
Whiteboard: [jsbugmon:ignore] → [jsbugmon:ignore][fuzzblocker]
Can I get the specific build command line?  I'm building a threadsafe debug build and running as you indicate (on the m-c revision you note), and I'm not able to replicate it.
Flags: needinfo?(kvijayan)
Got your build and checked it out.  Still can't reproduce on my machine (tried it 200 times):

for n in $(seq 200); do LD_LIBRARY_PATH=. ./js --fuzzing-safe --ion-eager --thread-count=2 --ion-parallel-compile=on /tmp/test.js ; done


Not sure what to do at this point outside of setting up VPN for remote access and debugging it on your guys' machines.  Can we start setting that up?
Are you assigned on this bug?
Flags: needinfo?(kvijayan)
Keywords: sec-high
Just set up VPN access to MountainView.  I can take this bug now, but I need login creds to a machine on which I can reproduce this issue.

Decoder, can you set this up?
Assignee: general → kvijayan
Flags: needinfo?(kvijayan) → needinfo?(choller)
I finally managed to reproduce this on one of the MV machines. This test is for a non-threadsafe build (m-c rev aa986b6ce882, opt and debug worked for me, both 32 and 64 bit, no options):


var lfcode = new Array();
lfcode.push("");
lfcode.push("const libdir = \"x\";");
lfcode.push("");
lfcode.push("2");
lfcode.push("");
lfcode.push("");
lfcode.push("2");
lfcode.push("gczeal(4,10);");
lfcode.push("");
lfcode.push("0");
lfcode.push("const libdir = \"x\";");
lfcode.push("setObjectMetadataCallback(function(obj) {});");
var lfRunTypeId = -1;
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file)
}
function loadFile(lfVarx) {
  try {
    switch (lfRunTypeId) {
       case 1: eval(lfVarx); break;
       default: evaluate(lfVarx); break;
    }
  } catch (lfVare) {
    if (lfVare instanceof SyntaxError) {}
  }
}


If this again doesn't reproduce, then I can now easily give you access to the machine the test is sitting on.
Flags: needinfo?(choller) → needinfo?(kvijayan)
Whiteboard: [jsbugmon:ignore][fuzzblocker] → [jsbugmon:update,bisect,testComment=8,origRev=aa986b6ce882]
Whiteboard: [jsbugmon:update,bisect,testComment=8,origRev=aa986b6ce882] → [jsbugmon:update,testComment=8,origRev=aa986b6ce882]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/be1399f8f973
user:        Brian Hackett
date:        Thu May 30 17:37:22 2013 -0600
summary:     Bug 850026 - Allow metadata objects to be associated with JS objects, and add a hook for attaching metadata to newly created objects, r=luke.

This iteration took 2.091 seconds to run.
Component: JavaScript Engine → JavaScript Engine: JIT
I'm unassigning myself from this bug because of the reproduction issues and because there are a bunch of other bugs on my plate.  Keeping myself assigned to this prevents someone else who has time from picking it up and fixing it.
Assignee: kvijayan → nobody
Flags: needinfo?(kvijayan)
Attachment #811113 - Attachment is obsolete: true
decoder, are you still seeing this?
Flags: needinfo?(choller)
Yes, all the time :) one of the most annoying asserts (it's actually a whole group of asserts)
Flags: needinfo?(choller)
I can reproduce this with the testcase in comment 8.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attached patch: Patch
The tracing code was correct when hasFallbackStub_, but did nothing when hasFallbackStub_ == false.
Attachment #8344724 - Flags: review?(kvijayan)
Attachment #8344724 - Flags: review?(kvijayan) → review+
Comment on attachment 8344724 [details] [diff] [review]
Patch

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
Not easily but it may be possible.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.

> Which older supported branches are affected by this flaw?
23+.

> If not all supported branches, which bug introduced the flaw?
Baseline JIT.

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Very easy, low risk.

> How likely is this patch to cause regressions; how much testing does it need?
Unlikely.
Attachment #8344724 - Flags: sec-approval?
Comment on attachment 8344724 [details] [diff] [review]
Patch

sec-approval for trunk.

We'd like this on Aurora and Beta too so it gets good bake time before the release in six weeks.
Attachment #8344724 - Flags: sec-approval? → sec-approval+
Rewriting the for-loop to a while-loop isn't really necessary, so to be safe this patch just removes the bogus if-condition.

https://hg.mozilla.org/integration/mozilla-inbound/rev/d887626fd6d6
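The two comments above (the tracing code did nothing when hasFallbackStub_ == false, and the fix simply removes the bogus if-condition) describe a classic missing-trace bug. The following toy model is an added illustration, not SpiderMonkey code or the actual patch: MonitorIC, Cell, Tracer, traceBuggy, traceFixed and countUnmarkedEdges are all assumed names, and the IC layout is a simplification. It shows why the barrier verifier reports an unmarked edge under the buggy guard and stays quiet once the guard is removed.

```cpp
#include <vector>

// Toy model of a GC cell and a tracer that marks the cells it is handed.
struct Cell { bool marked = false; };
struct Tracer { void trace(Cell* c) { if (c) c->marked = true; } };

// Hypothetical stand-in for a Baseline monitor IC: an optional fallback
// stub plus a chain of monitor stubs, each holding one GC edge (the
// "baseline-monitor-typeobject" edge named in the assertion).
struct MonitorIC {
    bool hasFallbackStub_ = false;
    Cell* fallback = nullptr;
    std::vector<Cell*> stubTypeObjects;

    // Buggy tracer: the loop over the stubs is wrongly guarded by
    // hasFallbackStub_, so with no fallback stub nothing gets traced.
    void traceBuggy(Tracer& trc) {
        if (hasFallbackStub_) {
            trc.trace(fallback);
            for (Cell* c : stubTypeObjects) trc.trace(c);
        }
    }
    // Fixed tracer: the bogus if-condition is gone; stubs are always traced.
    void traceFixed(Tracer& trc) {
        if (hasFallbackStub_) trc.trace(fallback);
        for (Cell* c : stubTypeObjects) trc.trace(c);
    }
};

// Mini barrier verifier: every edge the IC holds must be marked once the
// tracer has run. Returns the number of unmarked edges; a real verifier
// would assert on the first one.
static int countUnmarkedEdges(const MonitorIC& ic) {
    int n = 0;
    if (ic.hasFallbackStub_ && ic.fallback && !ic.fallback->marked) n++;
    for (Cell* c : ic.stubTypeObjects) if (c && !c->marked) n++;
    return n;
}

// One trace pass over a constructed IC that has two monitor stubs and no
// fallback stub; the buggy tracer leaves both edges unmarked.
static int unmarkedAfterTrace(bool useFix) {
    Cell a, b;
    MonitorIC ic;
    ic.stubTypeObjects = {&a, &b};
    Tracer trc;
    if (useFix) ic.traceFixed(trc); else ic.traceBuggy(trc);
    return countUnmarkedEdges(ic);
}
```

An edge the tracer never visits is exactly what a GC would then free while the IC still points at it, which is why a verifier finding like this is treated as sec-high rather than as a harmless assert.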
Comment on attachment 8344724 [details] [diff] [review]
Patch

[Approval Request Comment]
User impact if declined: Crashes, security issues.
Fix Landed on Version: 29, will be backported to 27 and 28.
Risk to taking this patch (and alternatives if risky): Very low.
String or UUID changes made by this patch: None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Baseline JIT.
User impact if declined: Crashes, security issues.
Testing completed (on m-c, etc.): On m-i.
Risk to taking this patch (and alternatives if risky): Very low.
String or IDL/UUID changes made by this patch: None.
Attachment #8344724 - Flags: approval-mozilla-esr24?
Attachment #8344724 - Flags: approval-mozilla-beta?
Attachment #8344724 - Flags: approval-mozilla-aurora?
landed on central https://hg.mozilla.org/mozilla-central/rev/d887626fd6d6
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Attachment #8344724 - Flags: approval-mozilla-esr24?
Attachment #8344724 - Flags: approval-mozilla-esr24+
Attachment #8344724 - Flags: approval-mozilla-beta?
Attachment #8344724 - Flags: approval-mozilla-beta+
Attachment #8344724 - Flags: approval-mozilla-aurora?
Attachment #8344724 - Flags: approval-mozilla-aurora+
Whiteboard: [jsbugmon:update,testComment=8,origRev=aa986b6ce882] → [jsbugmon:update,testComment=8,origRev=aa986b6ce882][adv-main27+][adv-esr24.3+]
Group: core-security