Closed Bug 805747 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>,

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla19
Tracking Flags:
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 + fixed
firefox19 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: dvander)

References

Details

(4 keywords, Whiteboard: [adv-main18-])

Attachments

(2 files)

stack
(deleted), text/plain
Details
fix
(deleted), patch
djvj
: review+
bajaj
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review
Attached file stack (deleted) —
try { x = {} y = ''; (function() { toString = (function() { x.s += y }) })() print(this) Object.freeze(x)(verifyprebarriers()) } catch (e) {} y = 'p' for (m = 0, print; m < 9; ++m) { print(this) } asserts js debug and opt shell on m-c changeset 58c8080a1a7c with --ion-eager at Assertion failure: [barrier verifier] Unmarked edge: <unknown>, s-s because older bugs with similar asserts have also been marked s-s, assuming sec-critical unless otherwise shown. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 111211:2583a19e59ef user: Kannan Vijayan date: Tue Oct 23 22:18:11 2012 -0400 summary: Bug 795801 - IC StrictPropertyOp setters in IonMonkey. (r=dvander)
Assignee: general → kvijayan
(Stealing w/ permission)
Status: NEW → ASSIGNED
Helping david steal this.
Assignee: kvijayan → dvander
bug 795801 turned out to be a red herring. This is a pre-existing bug, the problem is that our setprop-add ICs don't respect an object's extensibility.
No longer blocks: 795801
Attached patch fix (deleted) — Splinter Review
Attachment #677160 - Flags: review?(kvijayan)
Attachment #677160 - Flags: review?(kvijayan) → review+
Comment on attachment 677160 [details] [diff] [review] fix [Security approval request comment] How easily can the security issue be deduced from the patch? Extremely difficult. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? Firefox 18. If not all supported branches, which bug introduced the flaw? IonMonkey. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes. How likely is this patch to cause regressions; how much testing does it need? Extremely unlikely, if anything needs only performance testing.
Attachment #677160 - Flags: sec-approval?
Attachment #677160 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/fb274a7b7b9d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox19: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
(In reply to David Anderson [:dvander] from comment #6) > https://hg.mozilla.org/integration/mozilla-inbound/rev/fb274a7b7b9d Can we please uplift this on aurora, if it has got the needed bake time/testing ?
Comment on attachment 677160 [details] [diff] [review] fix [Approval Request Comment] Bug caused by (feature/regressing bug #): IonMonkey User impact if declined: Potential security bug Testing completed (on m-c, etc.): Yes Risk to taking this patch (and alternatives if risky): Extremely low String or UUID changes made by this patch:
Attachment #677160 - Flags: approval-mozilla-aurora?
Attachment #677160 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status-firefox-esr17: --- → unaffected
Whiteboard: [adv-main18-]
Can this be put in testsuite?
Flags: in-testsuite?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: