Closed
Bug 950452
Opened 11 years ago
Closed 11 years ago
Assertion failure: MIR instruction returned value with unexpected type, at jit/IonMacroAssembler.cpp:1219
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox26 | --- | wontfix |
firefox27 | + | fixed |
firefox28 | + | fixed |
firefox29 | + | fixed |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | fixed |
b2g-v1.3 | --- | fixed |
b2g-v1.3T | --- | fixed |
b2g-v1.4 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main27+])
Attachments
(2 files)
228 bytes,
text/plain
|
Details | |
913 bytes,
patch
|
jandem
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision c049cb230d77 (run with --fuzzing-safe --ion-eager):
var ff = new f("foo")
function f(y) {
y = +y;
};
Reporter | ||
Comment 1•11 years ago
|
||
Comment 2•11 years ago
|
||
function f(y) {
y = +y;
}
We add an MMul for the +y. Then in MBinaryArithInstruction::inferFallback, we give this MMul an empty resultTypeSet, because the argument has an empty resultTypeSet.
Then in IonBuilder::jsop_setarg, we detect this argument coercion pattern, but the MMul still has its empty TypeSet, and the type check fails.
Brian, can you take a look? It looks like this could also be a perf issue (the MMul has unknown type).
Flags: needinfo?(bhackett1024)
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/1b91cf5c8407
user: Jan de Mooij
date: Sat Dec 14 14:32:35 2013 +0100
summary: Bug 949475 - Add some debug-only sanity checks. r=bhackett
This iteration took 337.377 seconds to run.
Assignee | ||
Comment 4•11 years ago
|
||
Assignee: general → bhackett1024
Attachment #8348155 -
Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Updated•11 years ago
|
Attachment #8348155 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 5•11 years ago
|
||
Comment on attachment 8348155 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not at all.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
aurora through release
If not all supported branches, which bug introduced the flaw?
Bug 902508
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
trivial
How likely is this patch to cause regressions; how much testing does it need?
not at all
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 902508
User impact if declined: potential, difficult to trigger exploit
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): none
Attachment #8348155 -
Flags: sec-approval?
Attachment #8348155 -
Flags: approval-mozilla-beta?
Attachment #8348155 -
Flags: approval-mozilla-aurora?
Comment 6•11 years ago
|
||
We need to get a security rating on this issue before it can be approved. What are the implications of this as far as exploits, etc?
Assignee | ||
Comment 7•11 years ago
|
||
This should probably be critical, it would require a lot of knowledge about the engine's internals to exploit but could probably be done.
Keywords: sec-critical
Comment 8•11 years ago
|
||
Comment on attachment 8348155 [details] [diff] [review]
patch
Approve all things!
sec-approval+ granted, along with Aurora and Beta.
Attachment #8348155 -
Flags: sec-approval?
Attachment #8348155 -
Flags: sec-approval+
Attachment #8348155 -
Flags: approval-mozilla-beta?
Attachment #8348155 -
Flags: approval-mozilla-beta+
Attachment #8348155 -
Flags: approval-mozilla-aurora?
Attachment #8348155 -
Flags: approval-mozilla-aurora+
Assignee | ||
Updated•11 years ago
|
Keywords: checkin-needed
Updated•11 years ago
|
Blocks: 902508
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → affected
status-b2g-v1.3:
--- → affected
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox-esr24:
--- → unaffected
tracking-firefox27:
--- → +
tracking-firefox28:
--- → +
tracking-firefox29:
--- → +
Keywords: regression
Comment 9•11 years ago
|
||
Keywords: checkin-needed
Updated•11 years ago
|
Target Milestone: --- → mozilla29
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/1035869d1819
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/ab713e6d552d for apparently introducing a jit-test failure:
https://tbpl.mozilla.org/php/getParsedLog.php?id=32255377&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=32255930&tree=Mozilla-Inbound
Comment 14•11 years ago
|
||
Brian, maybe we need to set the MMul's specialization as well.
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 15•11 years ago
|
||
OK, yes (it would be nice if binary arithmetic instructions were more robust here).
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c2a1f9f76a0
Flags: needinfo?(bhackett1024)
Comment 17•11 years ago
|
||
setJitCompilerOption('ion.usecount.trigger', 5)
for (var i = 0; i < 99; i++) {
(function g(x) {
x = +x;
})()
}
Testcase generated by jsfunfuzz, run with --ion-parallel-compile=off and use m-c rev c049cb230d77
Reporter | ||
Comment 18•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #17)
> Testcase generated by jsfunfuzz, run with --ion-parallel-compile=off and use
> m-c rev c049cb230d77
Almost identical test is in comment 0, for the same revision. Please don't just add duplicate tests to the bugs, it doesn't serve a purpose here.
Comment 19•11 years ago
|
||
> Almost identical test is in comment 0, for the same revision. Please don't
> just add duplicate tests to the bugs, it doesn't serve a purpose here.
We clarified our strategy going forward - there was a bunch of confusion by folks around here (including me).
Comment 20•11 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #15)
> OK, yes (it would be nice if binary arithmetic instructions were more robust
> here).
>
> https://hg.mozilla.org/integration/mozilla-inbound/rev/0c2a1f9f76a0
Using TBPL builds, I've verified that the testcase in comment 17 was indeed fixed by this revision.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 22•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
|
Comment 23•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/db7f78ab4562
https://hg.mozilla.org/releases/mozilla-beta/rev/486381f7cf34
blocking-b2g: --- → koi?
Flags: in-testsuite?
Comment 25•11 years ago
|
||
Please provide a branch-specific patch for b2g26 uplift.
Flags: needinfo?(bhackett1024)
Keywords: branch-patch-needed
Assignee | ||
Comment 26•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #25)
> Please provide a branch-specific patch for b2g26 uplift.
I don't have a copy of the b2g tree but in IonBuilder.cpp this paragraph:
if (!otherUses) {
types::TypeSet *argTypes = types::TypeScript::ArgTypes(script(), arg);
// Update both the original and cloned type set.
argTypes->addType(cx, types::Type::UnknownType());
op->resultTypeSet()->addType(cx, types::Type::UnknownType());
}
Should be changed to:
if (!otherUses) {
types::TypeSet *argTypes = types::TypeScript::ArgTypes(script(), arg);
// Update both the original and cloned type set.
argTypes->addType(cx, types::Type::UnknownType());
op->resultTypeSet()->addType(cx, types::Type::UnknownType());
if (value->isMul()) {
value->setResultType(MIRType_Double);
value->toMul()->setSpecialization(MIRType_Double);
} else {
JS_ASSERT(value->type() == MIRType_Int32);
}
value->setResultTypeSet(nullptr);
}
Flags: needinfo?(bhackett1024)
Comment 27•11 years ago
|
||
That works, thanks :P
https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/349cceaaab42
Keywords: branch-patch-needed
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main27+]
Updated•11 years ago
|
status-b2g-v1.3T:
--- → fixed
status-b2g-v1.4:
--- → fixed
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•