Bug 921470 (Closed)
Opened 11 years ago, closed 11 years ago
Assertion failure: [barrier verifier] Unmarked edge: baseline-monitor-typeobject, at gc/Verifier.cpp:569
Categories: Core :: JavaScript Engine: JIT, defect
Tracking: VERIFIED FIXED, target milestone mozilla29
People: Reporter: decoder, Assigned: jandem
Keywords: assertion, sec-high, testcase
Whiteboard: [jsbugmon:update,testComment=8,origRev=aa986b6ce882][adv-main27+][adv-esr24.3+]
Attachments (2 files, 1 obsolete file):
- 456 bytes, text/plain
- 1.06 KB, patch; djvj: review+; lsblakk: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr24+; abillings: sec-approval+
The following testcase asserts on mozilla-central revision e4cd2242cc7d (threadsafe build, run with --fuzzing-safe --ion-eager --thread-count=2 --ion-parallel-compile=on):

var lfcode = new Array();
lfcode.push("");
lfcode.push("4");
lfcode.push("\
gczeal(4);\
function callback() {}\
callback({});\
setObjectMetadataCallback(callback);\
");
while (true) {
  var file = lfcode.shift();
  if (file == undefined) {
    break;
  }
  loadFile(file);
}
function loadFile(lfVarx) {
  try {
    if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
      switch (lfRunTypeId) {
        case 4:
          eval("(function() { " + lfVarx + " })();");
          break;
      }
    } else if (!isNaN(lfVarx)) {
      lfRunTypeId = parseInt(lfVarx);
    }
  } catch (lfVare) {
    if (lfVare instanceof SyntaxError) {}
  }
}
Comment 1 (reporter, 11 years ago)
This one doesn't reproduce on every run, might need to run it a few times.
Whiteboard: [jsbugmon:ignore]
Comment 2 (reporter, 11 years ago)
Marking as fuzzblocker because this triggers again quite often and with a lot of signatures. Djvj, can you take a look?
Flags: needinfo?(kvijayan)
Whiteboard: [jsbugmon:ignore] → [jsbugmon:ignore][fuzzblocker]
Comment 3 (reporter, 11 years ago)
Comment 4 (11 years ago)
Can I get the specific build command line? I'm building a threadsafe debug build and running as you indicate (on the m-c revision you note), and I'm not able to replicate it.
Flags: needinfo?(kvijayan)
Comment 5 (11 years ago)
Got your build and checked it out. Still can't reproduce on my machine (tried it 200 times):

for n in $(seq 200); do LD_LIBRARY_PATH=. ./js --fuzzing-safe --ion-eager --thread-count=2 --ion-parallel-compile=on /tmp/test.js ; done

Not sure what to do at this point outside of set up VPN for remote access and debug it on your guys' machines. Can we start setting that up?
Comment 7 (11 years ago)
Just set up VPN access to MountainView. I can take this bug now, but I need login creds to a machine on which I can reproduce this issue. Decoder, can you set this up?
Assignee: general → kvijayan
Flags: needinfo?(kvijayan) → needinfo?(choller)
Comment 8 (reporter, 11 years ago)
I finally managed to reproduce this on one of the MV machines. This test is for a non-threadsafe build (m-c rev aa986b6ce882, opt and debug worked for me, both 32 and 64 bit, no options):

var lfcode = new Array();
lfcode.push("");
lfcode.push("const libdir = \"x\";");
lfcode.push("");
lfcode.push("2");
lfcode.push("");
lfcode.push("");
lfcode.push("2");
lfcode.push("gczeal(4,10);");
lfcode.push("");
lfcode.push("0");
lfcode.push("const libdir = \"x\";");
lfcode.push("setObjectMetadataCallback(function(obj) {});");
var lfRunTypeId = -1;
while (true) {
  var file = lfcode.shift();
  if (file == undefined) {
    break;
  }
  loadFile(file);
}
function loadFile(lfVarx) {
  try {
    switch (lfRunTypeId) {
      case 1:
        eval(lfVarx);
        break;
      default:
        evaluate(lfVarx);
        break;
    }
  } catch (lfVare) {
    if (lfVare instanceof SyntaxError) {}
  }
}

If this again doesn't reproduce, then I can now easily give you access to the machine the test is sitting on.
Flags: needinfo?(choller) → needinfo?(kvijayan)
Whiteboard: [jsbugmon:ignore][fuzzblocker] → [jsbugmon:update,bisect,testComment=8,origRev=aa986b6ce882]
Updated (reporter, 11 years ago)
Whiteboard: [jsbugmon:update,bisect,testComment=8,origRev=aa986b6ce882] → [jsbugmon:update,testComment=8,origRev=aa986b6ce882]
Comment 9 (reporter, 11 years ago)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/be1399f8f973
user: Brian Hackett
date: Thu May 30 17:37:22 2013 -0600
summary: Bug 850026 - Allow metadata objects to be associated with JS objects, and add a hook for attaching metadata to newly created objects, r=luke.

This iteration took 2.091 seconds to run.
Updated (assignee, 11 years ago)
Component: JavaScript Engine → JavaScript Engine: JIT
Comment 10 (11 years ago)
I'm unassigning myself from this bug because of the reproduction issues and because there are a bunch of other bugs on my plate. Keeping myself assigned to this prevents someone else who has time from picking it up and fixing it.
Assignee: kvijayan → nobody
Flags: needinfo?(kvijayan)
Updated (reporter, 11 years ago)
Comment 11 (reporter, 11 years ago)
Attachment #811113 -
Attachment is obsolete: true
Comment 13 (reporter, 11 years ago)
Yes, all the time :) one of the most annoying asserts (it's actually a whole group of asserts)
Flags: needinfo?(choller)
Comment 14 (assignee, 11 years ago)
I can reproduce this with the testcase in comment 8.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Comment 15 (assignee, 11 years ago)
The tracing code was correct when hasFallbackStub_, but did nothing when hasFallbackStub_ == false.
Attachment #8344724 -
Flags: review?(kvijayan)
Updated (11 years ago)
Attachment #8344724 -
Flags: review?(kvijayan) → review+
Comment 16 (assignee, 11 years ago)
Comment on attachment 8344724 [details] [diff] [review]
Patch

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
Not easily but it may be possible.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.

> Which older supported branches are affected by this flaw?
23+.

> If not all supported branches, which bug introduced the flaw?
Baseline JIT.

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Very easy, low risk.

> How likely is this patch to cause regressions; how much testing does it need?
Unlikely.
Attachment #8344724 -
Flags: sec-approval?
Comment 17 (11 years ago)
Comment on attachment 8344724 [details] [diff] [review]
Patch

sec-approval for trunk. We'd like this on Aurora and Beta too so it gets good bake time before the release in six weeks.
Attachment #8344724 -
Flags: sec-approval? → sec-approval+
Comment 18 (11 years ago)
ESR24 as well.
status-b2g-v1.2:
--- → affected
status-firefox29:
--- → affected
status-firefox-esr24:
--- → affected
tracking-firefox27:
--- → +
tracking-firefox28:
--- → +
tracking-firefox29:
--- → +
Comment 19 (assignee, 11 years ago)
Rewriting the for-loop to a while-loop isn't really necessary, so to be safe this patch just removes the bogus if-condition.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d887626fd6d6
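To show the shape of the bug described in comments 15 and 19, here is an added toy example (not SpiderMonkey's code): a tracer for an IC stub chain that skips the whole chain when hasFallbackStub_ is false, beside the fixed version with the condition removed, and a verifier pass of the kind gc/Verifier.cpp performs that counts the typeobject edges left unmarked. The struct and field names (ICEntry, Stub, TypeObject, firstStub) are assumptions.

```cpp
// Added illustration (not SpiderMonkey code): a toy mark phase plus the check
// a mark verifier performs, modelled on comments 15 and 19. ICEntry, Stub,
// TypeObject and hasFallbackStub_ are assumed names, not the engine's.
struct GcThing { bool marked = false; };
struct TypeObject : GcThing {};
struct Stub : GcThing {
    TypeObject* type = nullptr;   // the "monitor typeobject" edge a stub holds
    Stub* next = nullptr;
};
struct ICEntry {
    Stub* firstStub = nullptr;
    bool hasFallbackStub_ = false;
};

// Tracer for an IC chain. With `buggy` set it keeps the bogus condition from
// comment 15: when there is no fallback stub the loop never runs, so no
// typeobject edge gets marked. The fix (comment 19) simply drops the condition.
static void traceIC(const ICEntry& ic, bool buggy) {
    if (buggy && !ic.hasFallbackStub_)
        return;
    for (Stub* s = ic.firstStub; s; s = s->next) {
        s->marked = true;
        if (s->type)
            s->type->marked = true;
    }
}

// Verifier: walk the same edges after marking and count targets left unmarked.
// A non-zero result is the situation the "Unmarked edge" assertion reports;
// in a real collector such a target would be swept while still referenced.
static int countUnmarkedEdges(const ICEntry& ic) {
    int unmarked = 0;
    for (Stub* s = ic.firstStub; s; s = s->next)
        if (s->type && !s->type->marked)
            ++unmarked;
    return unmarked;
}

// Build a two-stub chain, run the chosen tracer, return unmarked edge count.
int unmarkedAfterTrace(bool buggy, bool hasFallbackStub) {
    TypeObject t0, t1;
    Stub s1; s1.type = &t1;
    Stub s0; s0.type = &t0; s0.next = &s1;
    ICEntry ic; ic.firstStub = &s0; ic.hasFallbackStub_ = hasFallbackStub;
    traceIC(ic, buggy);
    return countUnmarkedEdges(ic);
}
```

With the buggy tracer and no fallback stub, both typeobject edges stay unmarked; with the fixed tracer, or whenever a fallback stub is present, the verifier finds none.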
Comment 20 (assignee, 11 years ago)
Comment on attachment 8344724 [details] [diff] [review]
Patch

[Approval Request Comment]
User impact if declined: Crashes, security issues.
Fix Landed on Version: 29, will be backported to 27 and 28.
Risk to taking this patch (and alternatives if risky): Very low.
String or UUID changes made by this patch: None.
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Baseline JIT.
User impact if declined: Crashes, security issues.
Testing completed (on m-c, etc.): On m-i.
Risk to taking this patch (and alternatives if risky): Very low.
String or IDL/UUID changes made by this patch: None.
Attachment #8344724 -
Flags: approval-mozilla-esr24?
Attachment #8344724 -
Flags: approval-mozilla-beta?
Attachment #8344724 -
Flags: approval-mozilla-aurora?
Comment 21 (11 years ago)
Landed on central:
https://hg.mozilla.org/mozilla-central/rev/d887626fd6d6
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Updated (reporter, 11 years ago)
Status: RESOLVED → VERIFIED
Comment 22 (reporter, 11 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated (11 years ago)
Attachment #8344724 -
Flags: approval-mozilla-esr24?
Attachment #8344724 -
Flags: approval-mozilla-esr24+
Attachment #8344724 -
Flags: approval-mozilla-beta?
Attachment #8344724 -
Flags: approval-mozilla-beta+
Attachment #8344724 -
Flags: approval-mozilla-aurora?
Attachment #8344724 -
Flags: approval-mozilla-aurora+
Updated (11 years ago)
tracking-firefox-esr24:
--- → 27+
Comment 23 (assignee, 11 years ago)
https://hg.mozilla.org/releases/mozilla-aurora/rev/86e26e292344
https://hg.mozilla.org/releases/mozilla-beta/rev/90af7e816b88

ESR24 tree is closed. Ryan, can you take care of b2g and esr24? Thanks.
Updated (11 years ago)
Keywords: checkin-needed
Comment 24 (11 years ago)
In my queue.
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.3:
--- → fixed
Keywords: checkin-needed
Comment 25 (11 years ago)
https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/d965e4f200f4
https://hg.mozilla.org/releases/mozilla-esr24/rev/17babc2c47ec
Updated (10 years ago)
Whiteboard: [jsbugmon:update,testComment=8,origRev=aa986b6ce882] → [jsbugmon:update,testComment=8,origRev=aa986b6ce882][adv-main27+][adv-esr24.3+]
Updated (10 years ago)
status-b2g-v1.3T:
--- → fixed
status-b2g-v1.4:
--- → fixed
Updated (9 years ago)
Group: core-security