Closed Bug 951497 Opened 10 years ago Closed 10 years ago

Crash [@ js::jit::AssertValidStringPtr] or Opt-Crash [@ js::EqualStrings]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla29
Tracking Status
firefox26 --- unaffected
firefox27 + fixed
firefox28 + fixed
firefox29 + fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision b980c2dee2e7 (run with --fuzzing-safe --ion-eager):
var GLOBAL = this + '';
function TestCase(n, d, e, a) {
  this.passed = getTestCaseResult(e, a);
}
TestCase.prototype.dump = function () {}
function getTestCaseResult(expected, actual) {
    return actual == expected;
}
function writeHeaderToLog( string ) {}
evaluate('\
var SECTION = "proto_8";\
writeHeaderToLog(SECTION);\
function Employee ( name, dept ) {\
  this.dept = "general";\
}\
function WorkerBee ( name, dept, projs ) {\
  this.base = Employee;\
}\
WorkerBee.prototype = new Employee();\
function Engineer ( name, projs, machine ) {\
  this.base = WorkerBee;\
  this.base(projs)\
}\
Engineer.prototype = new WorkerBee();\
var pat = new Engineer();\
for ( var machine in 6) base(projs, [17, 42]);\
new TestCase( SECTION, "pat.dept", "engineering", pat.dept);\
', { noScriptRval : true });
Crash Signature: [@ js::jit::AssertValidStringPtr] or Opt-Crash [@ js::EqualStrings] → [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings]
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/81b505e9a435
user:        Brian Hackett
date:        Thu Oct 17 10:21:05 2013 -0600
summary:     Bug 925962 - Track expected contents of stack type sets in compiler constraints, r=jandem.

This iteration took 366.526 seconds to run.
Flags: needinfo?(bhackett1024)
Attached patch "patch" (Splinter Review)
The definite properties analysis relies on the stack type sets in a script reflecting types which IonBuilder assumed were there, so that the definite properties information is invalidated properly when the information changes (the analysis looks for type sets containing singleton functions inlined by the builder).  Since bug 925962, however, the type sets are not updated until FinishCompilation, which is never called by the definite properties analysis, and the necessary constraints aren't added.
Assignee: nobody → bhackett1024
Attachment #8350355 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Comment on attachment 8350355 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not at all.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

Aurora -> Beta

If not all supported branches, which bug introduced the flaw?

bug 925962

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Trivial.

How likely is this patch to cause regressions; how much testing does it need?

Not at all.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 925962
User impact if declined: potential exploit
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): none
Attachment #8350355 - Flags: sec-approval?
Attachment #8350355 - Flags: approval-mozilla-beta?
Attachment #8350355 - Flags: approval-mozilla-aurora?
This needs a security rating in order to get sec-approval (and for any potential advisories).

Is this crash exploitable? Can it be triggered by web content or just via the shell?
Comment on attachment 8350355 [details] [diff] [review]
patch

sec-approval+.
Attachment #8350355 - Flags: sec-approval?
Attachment #8350355 - Flags: sec-approval+
Attachment #8350355 - Flags: approval-mozilla-beta?
Attachment #8350355 - Flags: approval-mozilla-beta+
Attachment #8350355 - Flags: approval-mozilla-aurora?
Attachment #8350355 - Flags: approval-mozilla-aurora+
Keywords: checkin-needed
Attachment #8350355 - Flags: review?(jdemooij) → review+
Is "Add type constraints at the right time" a good commit message for this?
Flags: in-testsuite?
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/5c02a8ed40ca
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
https://hg.mozilla.org/releases/mozilla-aurora/rev/9b1fc11fc883
https://hg.mozilla.org/releases/mozilla-beta/rev/fcd21692c906
Group: core-security