Closed Bug 930327 Opened 6 years ago Closed 6 years ago

Assertion failure: [infer failure] Missing type in object [0xf7025480] value: bool, at jsinfer.cpp:292

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla28
Tracking Status
firefox25 --- unaffected
firefox26 + fixed
firefox27 + fixed
firefox28 + fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision 21d97baadc05 (run with --ion-eager):

// The constructor argument first escapes into the object with its original
// type (a boolean here) and is only then coerced to an integer by the bitwise AND.
function MyObject( value ) {
  this.value = value;
  value &= value;
}
ForIn_1(new MyObject(true));
// Enumerates the object's properties and compares each stored value against
// the result of evaluating the property name.
function ForIn_1( object) {
  for ( property in object ) {
    object[property] == eval(property);
  }
}
S-s because infer failures can be security-relevant. Brian, can you look at this?
Flags: needinfo?(bhackett1024)
What does autobisect say?
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/81b505e9a435
user:        Brian Hackett
date:        Thu Oct 17 10:21:05 2013 -0600
summary:     Bug 925962 - Track expected contents of stack type sets in compiler constraints, r=jandem.

This iteration took 0.841 seconds to run.
Brian, is bug 925962 likely related?
Blocks: 925962
Marking sec-high for the infer failure.  Adjust as desired.
Keywords: sec-high
Attached patch: patch
This is an older issue actually, I think this problem was introduced in bug 902508.  When deoptimizing argument type sets that are immediately coerced to integers we don't account for previous uses of the argument which may now be miscompiled.  Before bug 925962 we still didn't add freeze constraints until the end of the compilation so were still vulnerable to this problem.
Assignee: general → bhackett1024
Attachment #828843 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
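The pattern described in the comment above (an argument stored with its original type and only afterwards coerced to int32), as an added regression check that is not part of this bug, its testcase or its patch; it assumes an ordinary JS engine such as Node, and the function names checkRoundTrip and runRegression are mine:

```javascript
// Added regression check, not the bug's own testcase: exercises a constructor
// argument that is first stored on `this` and only then coerced to an integer
// with a bitwise op, on several argument types and many times, so that a
// JIT tier gets a chance to compile the function.
'use strict';

function MyObject(value) {
  this.value = value;   // first use: argument escapes with its original type
  value &= value;       // second use: bitwise op makes the engine treat it as int32
  this.coerced = value;
}

// Walks the object's properties and verifies that what was stored is still the
// original value with its original runtime type; a miscompiled store would leave
// a value whose runtime type disagrees with what the engine inferred.
function checkRoundTrip(input) {
  const obj = new MyObject(input);
  for (const property in obj) {
    if (property === 'value' &&
        (obj[property] !== input || typeof obj[property] !== typeof input)) {
      return false;
    }
  }
  return obj.coerced === (input & input);
}

// Runs the check repeatedly for each constructed sample input (booleans, ints,
// a double, strings, null, undefined, an object) and returns the inputs that failed.
function runRegression(iterations = 2000) {
  const samples = [true, false, 7, -1, 3.75, '42', 'abc', null, undefined, {}];
  const failures = [];
  for (const input of samples) {
    for (let i = 0; i < iterations; i++) {
      if (!checkRoundTrip(input)) { failures.push(input); break; }
    }
  }
  return failures;   // [] on a correct engine
}
```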
Comment on attachment 828843 [details] [diff] [review]
patch

Review of attachment 828843 [details] [diff] [review]:
-----------------------------------------------------------------

No risk patch that affects aurora and beta but not release.
Attachment #828843 - Flags: approval-mozilla-beta?
Attachment #828843 - Flags: approval-mozilla-aurora?
Attachment #828843 - Flags: review?(jdemooij) → review+
Blocks: 902508
No longer blocks: 925962
Comment on attachment 828843 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

Aurora/Beta.

If not all supported branches, which bug introduced the flaw?

bug 902508

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Simple

How likely is this patch to cause regressions; how much testing does it need?

None
Attachment #828843 - Flags: sec-approval?
Comment on attachment 828843 [details] [diff] [review]
patch

Setting approvals. This looks simple so let's get it in.
Attachment #828843 - Flags: sec-approval?
Attachment #828843 - Flags: sec-approval+
Attachment #828843 - Flags: approval-mozilla-beta?
Attachment #828843 - Flags: approval-mozilla-beta+
Attachment #828843 - Flags: approval-mozilla-aurora?
Attachment #828843 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/integration/mozilla-inbound/rev/d69e44285df8

Can we land the test for this at some point?
Flags: in-testsuite-
Once this is on Aurora and Beta, we can land the test since the problem isn't in a final release (yet).
https://hg.mozilla.org/mozilla-central/rev/d69e44285df8
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security