Closed Bug 1035371 Opened 6 years ago Closed 6 years ago

Crash [@ js::gc::MarkKind] or Assertion failure: kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()), at gc/Marking.cpp

Categories

(Core :: JavaScript: GC, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla33
Tracking Status
firefox32 --- unaffected
firefox33 --- verified
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(3 files)

Attached file stack
x = function() {};
y = new WeakMap;
selectforgc({});;
y.set(x, Symbol());

asserts js debug shell on m-c changeset 1dc6b294800d with --ion-eager --ion-offthread-compile=off at Assertion failure: kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()), at gc/Marking.cpp

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140623115045" and the hash "611283da02bf".
The "bad" changeset has the timestamp "20140623122048" and the hash "cd2894ed2c76".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=611283da02bf&tochange=cd2894ed2c76

Jason, I set this to s-s but I'm not sure what its security rating should be, as it involves selectforgc. I'm also guessing bug 645416 might be related.
Flags: needinfo?(jorendorff)
It looks like weak map key marking is interacting badly with symbols somehow.
Attached file stack for opt crash
Run with --ion-eager --ion-offthread-compile=off on an opt build.

This may be accessing 0x4f4f4f4ffffff000.

Configuration parameters:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
Crash Signature: [@ js::gc::MarkKind]
Keywords: crash
Summary: Assertion failure: kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()), at gc/Marking.cpp → Crash [@ js::gc::MarkKind] or Assertion failure: kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()), at gc/Marking.cpp
Group: javascript-core-security
What's happening is that we put a symbol value into the weak map, but when we come to mark it, it's tagged as an object!  I don't understand how this is possible.
This sounds bad, so I'm marking it critical.
Keywords: sec-critical
IsValueMarked() and IsValueAboutToBeFinalized() needed updating to know about symbols.
Assignee: nobody → jcoppeard
Attachment #8456811 - Flags: review?(terrence)
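To illustrate the defect class jonco describes above (a value tag that the marking code does not know about falls into the object branch, so the wrong trace kind is used), here is an added C++ sketch that is not SpiderMonkey code; the Value, Cell and TraceKind names are constructed stand-ins, and the "before" function deliberately keeps the incomplete dispatch.

```cpp
#include <cassert>

// Constructed model of a tagged GC value (not js::Value).
enum class TraceKind { Object, String, Symbol };

struct Cell { TraceKind allocKind; bool marked; };

struct Value {
    enum class Tag { Object, String, Symbol } tag;
    Cell *cell;
    bool isString() const { return tag == Tag::String; }
    bool isSymbol() const { return tag == Tag::Symbol; }
};

// Defective shape: a string check whose else-branch silently assumes
// "object".  A Symbol value falls through and is marked with the object
// trace kind, which is the mismatch the assertion in this bug catches.
TraceKind valueTraceKindBeforeFix(const Value &v) {
    if (v.isString())
        return TraceKind::String;
    return TraceKind::Object;   // wrong for Symbol
}

// Exhaustive dispatch: every tag maps to its own trace kind, and an
// unknown tag asserts instead of defaulting to a pointer type.
TraceKind valueTraceKindAfterFix(const Value &v) {
    switch (v.tag) {
      case Value::Tag::Object: return TraceKind::Object;
      case Value::Tag::String: return TraceKind::String;
      case Value::Tag::Symbol: return TraceKind::Symbol;
    }
    assert(false && "unknown value tag");
    return TraceKind::Object;
}

// Stand-in for the debug check quoted in the report:
// kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()).
bool kindMatchesCell(TraceKind kind, const Value &v) {
    return kind == v.cell->allocKind;
}

// Mark a weak-map value; returns false where the real GC would assert
// (debug) or dereference the cell as the wrong type (opt).
bool markValueChecked(const Value &v, TraceKind (*kindOf)(const Value &)) {
    TraceKind kind = kindOf(v);
    if (!kindMatchesCell(kind, v))
        return false;
    v.cell->marked = true;
    return true;
}
```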
Comment on attachment 8456811 [details] [diff] [review]
bug1035371-symbol-crash

Review of attachment 8456811 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

::: js/src/gc/Marking.cpp
@@ +728,5 @@
>          JS_ASSERT(v->toGCThing());
>          void *thing = v->toGCThing();
>          trc->setTracingLocation((void *)v);
>          MarkKind(trc, &thing, v->gcKind());
>          if (v->isString())
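Review bot: the hunk ends at `if (v->isString())` with the branch bodies off-screen, so the symbol handling this patch is meant to add is not visible here; since `MarkKind(trc, &thing, v->gcKind())` passes `&thing` and the chain that follows is keyed on the value's type, confirm there is an explicit symbol branch so a symbol value no longer falls through to the object case, and brace the first block as well so all branches are formatted alike.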

Don't forget to brace the first block as well.
Attachment #8456811 - Flags: review?(terrence) → review+
Flags: needinfo?(jorendorff)
https://hg.mozilla.org/mozilla-central/rev/1bb59a022bff
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security