Closed Bug 926847 Opened 6 years ago Closed 6 years ago

Assertion failure: hasSlot() && !hasMissingSlot(), at ../vm/Shape.h:1161 or Crash [@ PropertyReadNeedsTypeBarrier] (jit)

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla27
Tracking Status
firefox25 --- unaffected
firefox26 --- unaffected
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 2 open bugs)

Details

(6 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase asserts on mozilla-central revision 23bd0deec359 (run with --fuzzing-safe --ion-eager):


a = "".__proto__;          // String.prototype
b = unescape().__proto__;  // unescape() with no argument returns "undefined", so this is String.prototype too
for (var i = 0; i < 1000 ; i++) {
    a.__defineSetter__("valueOf", function() {});  // replace the valueOf data property with a setter-only accessor
    - b.valueOf;                                    // hot read of that accessor (no getter, so it yields undefined)
}
Crash trace from opt-build:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000768b8b in PropertyReadNeedsTypeBarrier (cx=0x1423620, constraints=0x143d738, object=0x7ffff6943161, name=<optimized out>, observed=0x14222e0) at js/src/jit/MIR.cpp:2797
2797            if (shape &&
#0  0x0000000000768b8b in PropertyReadNeedsTypeBarrier (cx=0x1423620, constraints=0x143d738, object=0x7ffff6943161, name=<optimized out>, observed=0x14222e0) at js/src/jit/MIR.cpp:2797
#1  0x0000000000771de7 in js::jit::PropertyReadNeedsTypeBarrier (cx=0x1423620, propertycx=<optimized out>, constraints=0x143d738, object=0x7ffff6943161, name=0x7ffff6a23fe0, observed=0x14222e0, updateObserved=true) at js/src/jit/MIR.cpp:2842
#2  0x0000000000772003 in js::jit::PropertyReadNeedsTypeBarrier (cx=0x1423620, propertycx=0x0, constraints=0x143d738, obj=<optimized out>, name=0x7ffff6a23fe0, observed=0x14222e0) at js/src/jit/MIR.cpp:2862
#3  0x00000000006f7493 in js::jit::IonBuilder::jsop_getprop (this=0x143d760, name=0x7ffff6a23fe0) at js/src/jit/IonBuilder.cpp:8047
#4  0x00000000006f2ac8 in js::jit::IonBuilder::inspectOpcode (this=0x143d760, op=<optimized out>) at js/src/jit/IonBuilder.cpp:1593
#5  0x00000000006f3c44 in js::jit::IonBuilder::traverseBytecode (this=0x143d760) at js/src/jit/IonBuilder.cpp:1172
#6  0x00000000006f47bf in js::jit::IonBuilder::build (this=0x143d760) at js/src/jit/IonBuilder.cpp:612
#7  0x00000000006c64d3 in js::jit::IonCompile (cx=0x1423620, script=<optimized out>, baselineFrame=0x7fffffffd1f8, osrPc=0x14cacd0 "\343\001\232", constructing=<optimized out>, executionMode=js::SequentialExecution) at js/src/jit/Ion.cpp:1612
rax     0x0     -1970324836974592
rcx     0x9422ba8       155331496
=> 0x768b8b <PropertyReadNeedsTypeBarrier(JSContext*, js::types::CompilerConstraintList*, js::types::TypeObjectKey*, js::PropertyName*, js::types::TypeSet*)+283>:      cmp    %rax,(%rcx)


Bad crash with a slot assertion, assuming sec-critical.
Crash Signature: [@ PropertyReadNeedsTypeBarrier]
Whiteboard: [jsbugmon:update,bisect]
Another testcase:

__defineSetter__("eval", function() {});  // global eval becomes a setter-only accessor
x = this;                                 // the global object
x;
(function() {
    x.eval                                // property read of that accessor from Ion-compiled code (--ion-eager)
})()

asserts the js debug shell on m-c changeset 23bd0deec359 with --ion-eager at: Assertion failure: hasSlot() && !hasMissingSlot(), at vm/Shape.h

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/f613d7363bd2
user:        Brian Hackett
date:        Mon Oct 14 12:13:41 2013 -0600
summary:     Bug 924611 - Don't create lazy type objects and type properties in IonBuilder, r=jandem.

Brian, is bug 924611 a possible regressor?
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
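Both testcases share one pattern: an existing data property (String.prototype.valueOf in the first, the global eval in the second) is replaced through __defineSetter__ by an accessor that has a setter but no getter, and the property is then read from code that --ion-eager sends straight to Ion. The assertion hasSlot() && !hasMissingSlot() is about exactly that distinction, since a data property carries a value slot and an accessor does not. The block below is an added example, not code from this bug or from SpiderMonkey: it shows at the language level what the engine has to cope with, generalised over both testcases, and it runs in any engine (Node included). It uses constructed stand-in objects instead of the real String.prototype and global object so the builtins stay usable; the names classifyProperty, redefineAndRead, demoStringProto, demoGlobalEval and writeIsSwallowed are the example's own.

```javascript
// Added example (not from the bug report). Own-property classification,
// the split that a JIT's shape lookup has to respect: a data property has
// a value; an accessor has get/set and no value at all.
function classifyProperty(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  if (d === undefined) return { kind: "missing" };
  if ("value" in d) return { kind: "data" };
  return {
    kind: "accessor",
    hasGetter: d.get !== undefined,
    hasSetter: d.set !== undefined,
  };
}

// Generalised form of both testcases. `holder` stands in for
// String.prototype (testcase 1) or the global object (testcase 2),
// `receiver` for the object the read goes through, `name` for
// "valueOf" / "eval". The loop mirrors the fuzzer's hot loop.
function redefineAndRead(holder, receiver, name, iterations) {
  const before = classifyProperty(holder, name);
  let lastRead;
  for (let i = 0; i < iterations; i++) {
    // Convert the existing data property into a setter-only accessor.
    holder.__defineSetter__(name, function () {});
    // Read the property that no longer has a value slot, as in
    // "- b.valueOf" and "x.eval".
    lastRead = receiver[name];
  }
  return {
    before,
    after: classifyProperty(holder, name),
    lastRead,           // undefined: accessor with no getter
    negated: -lastRead, // NaN: the unary minus from testcase 1
  };
}

// Constructed stand-in for testcase 1 (hypothetical objects, not the real
// String.prototype): the read goes through the prototype chain.
function demoStringProto() {
  const proto = { valueOf() { return "stub"; } };
  const receiver = Object.create(proto); // like "" reading through String.prototype
  return redefineAndRead(proto, receiver, "valueOf", 1000);
}

// Constructed stand-in for testcase 2 (hypothetical object, not globalThis):
// holder and receiver are the same object, as with `x = this; x.eval`.
function demoGlobalEval() {
  const fakeGlobal = { eval() { return "stub"; } };
  return redefineAndRead(fakeGlobal, fakeGlobal, "eval", 1000);
}

// A setter-only accessor still accepts writes, but there is no slot for
// the value to land in, so the write is swallowed and the read stays undefined.
function writeIsSwallowed() {
  const o = { p: 1 };
  o.__defineSetter__("p", function () {});
  o.p = 42;
  return o.p;
}

console.log(JSON.stringify(demoStringProto()));
console.log(JSON.stringify(demoGlobalEval()));
console.log("write swallowed:", writeIsSwallowed() === undefined);
```

In a plain interpreter this only shows the language-level facts (the descriptor flips from data to accessor, the read yields undefined, the negation is NaN); the assertion in this bug lives in Ion's compile-time analysis, so reproducing the crash itself needs the affected SpiderMonkey build with --ion-eager as the reporter describes.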
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/f613d7363bd2
user:        Brian Hackett
date:        Mon Oct 14 12:13:41 2013 -0600
summary:     Bug 924611 - Don't create lazy type objects and type properties in IonBuilder, r=jandem.

This iteration took 0.778 seconds to run.
Attached patch: patch
Assignee: general → bhackett1024
Attachment #817875 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attachment #817875 - Flags: review?(jdemooij) → review+
fixed in mozilla-central -> https://hg.mozilla.org/mozilla-central/rev/aa29389b72f3
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security