Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at dist/include/js/HeapAPI.h:145

RESOLVED FIXED in Firefox 50

Status: RESOLVED FIXED (defect, priority --, severity critical)
Reported: 3 years ago
Modified: 3 years ago

People: Reporter: decoder, Assigned: terrence

Tracking: Blocks 1 bug; keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla50
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags: firefox47 unaffected, firefox48 unaffected, firefox49 unaffected, firefox50 fixed

Whiteboard: [jsbugmon:update]

Attachments: 1 attachment

The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

// newGlobal and gczeal are JS shell builtins, not web APIs.
var lfGlobal = newGlobal();   // a second global in its own compartment
gczeal(4);                    // zeal mode 4: enable the pre-barrier verifier
for (lfLocal in this) {}      // enumerate the properties of the main global
// Parse on a helper thread while the verifier is active; the object literal
// with a duplicate key goes through the singleton-object path in the backtrace.
lfGlobal.offThreadCompileScript(`
  var desc = {
    value: 'bar',
    value: false,
  };
`);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  0x0000000000cd1ad8 in JS::shadow::Zone::runtimeFromMainThread (this=this@entry=0x7ffff6988000) at dist/include/js/HeapAPI.h:145
#1  js::RuntimeFromMainThreadIsHeapMajorCollecting (shadowZone=shadowZone@entry=0x7ffff6988000) at js/src/gc/Barrier.cpp:46
#2  0x00000000004a781a in js::gc::TenuredCell::writeBarrierPre (thing=0x7fffeee3f280) at js/src/gc/Heap.h:1317
#3  0x0000000000464561 in js::DispatchTyped<js::PreBarrierFunctor<JS::Value>>(js::PreBarrierFunctor<JS::Value>, JS::Value const&) (f=..., val=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1912
#4  0x00000000004bf8ba in js::InternalBarrierMethods<JS::Value>::preBarrier (v=...) at js/src/gc/Barrier.h:290
#5  js::WriteBarrieredBase<JS::Value>::pre (this=<optimized out>) at js/src/gc/Barrier.h:379
#6  js::HeapSlot::set (v=..., slot=0, kind=js::HeapSlot::Slot, owner=0x7fffeee4c0d0, this=<optimized out>) at js/src/gc/Barrier.h:692
#7  js::NativeObject::setSlot (this=0x7fffeee4c0d0, slot=0, value=...) at js/src/vm/NativeObject.h:827
#8  0x0000000000ad4e45 in js::NativeObject::setSlotWithType (overwriting=false, value=..., shape=0x7fffeee58ad8, cx=0x7ffff303a730, this=0x7fffeee4c0d0) at js/src/vm/NativeObject-inl.h:281
#9  UpdateShapeTypeAndValue (cx=cx@entry=0x7ffff303a730, obj=obj@entry=..., shape=shape@entry=..., value=...) at js/src/vm/NativeObject.cpp:1050
#10 0x0000000000ad6916 in AddOrChangeProperty (cx=cx@entry=0x7ffff303a730, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1169
#11 0x0000000000ad8160 in js::NativeDefineProperty (cx=cx@entry=0x7ffff303a730, obj=..., id=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1387
#12 0x0000000000ad8bdb in js::NativeDefineProperty (cx=cx@entry=0x7ffff303a730, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=1, result=...) at js/src/vm/NativeObject.cpp:1550
#13 0x0000000000ad931e in js::NativeDefineProperty (getter=0x0, setter=0x0, attrs=1, value=..., id=..., obj=..., cx=0x7ffff303a730) at js/src/vm/NativeObject.cpp:1587
#14 AddPlainObjectProperties (cx=cx@entry=0x7ffff303a730, obj=..., obj@entry=..., properties=properties@entry=0x7ffff69b55c0, nproperties=nproperties@entry=2) at js/src/vm/ObjectGroup.cpp:1152
#15 0x0000000000ad94ec in js::NewPlainObjectWithProperties (cx=cx@entry=0x7ffff303a730, properties=0x7ffff69b55c0, nproperties=nproperties@entry=2, newKind=<optimized out>) at js/src/vm/ObjectGroup.cpp:1165
#16 0x0000000000ad998b in js::ObjectGroup::newPlainObject (cx=cx@entry=0x7ffff303a730, properties=0x7ffff69b55c0, nproperties=2, newKind=newKind@entry=js::SingletonObject) at js/src/vm/ObjectGroup.cpp:1176
#17 0x0000000000cae24c in js::frontend::ParseNode::getConstantValue (this=this@entry=0x7ffff69ad2c8, cx=0x7ffff303a730, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=..., vp@entry=..., compare=compare@entry=0x0, ncompare=ncompare@entry=0, newKind=js::SingletonObject) at js/src/frontend/BytecodeEmitter.cpp:5045
#18 0x0000000000caeb41 in js::frontend::BytecodeEmitter::emitSingletonInitialiser (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad2c8) at js/src/frontend/BytecodeEmitter.cpp:5067
#19 0x0000000000cc2c6b in js::frontend::BytecodeEmitter::emitObject (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad2c8) at js/src/frontend/BytecodeEmitter.cpp:8199
#20 0x0000000000cb210b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad2c8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9065
#21 0x0000000000cb7151 in js::frontend::BytecodeEmitter::emitSingleVariable (this=0x7ffff58a2a00, pn=<optimized out>, binding=0x7ffff69ad290, initializer=0x7ffff69ad2c8, emitOption=js::frontend::InitializeVars) at js/src/frontend/BytecodeEmitter.cpp:4670
#22 0x0000000000cbc101 in js::frontend::BytecodeEmitter::emitVariables (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad258, emitOption=emitOption@entry=js::frontend::InitializeVars) at js/src/frontend/BytecodeEmitter.cpp:4620
#23 0x0000000000cb1ded in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad258, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9002
#24 0x0000000000cc07be in js::frontend::BytecodeEmitter::emitStatementList (this=0x7ffff58a2a00, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7209
#25 0x0000000000cb214b in js::frontend::BytecodeEmitter::emitTree (this=0x7ffff58a2a00, pn=0x7ffff69ad220, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:8836
#26 0x0000000000cb3705 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff58a1d50, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:539
#27 0x0000000000cb3b17 in js::frontend::CompileScript (cx=<optimized out>, alloc=alloc@entry=0x7ffff69f3248, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x0, extraSct=0x0, sourceObjectOut=0x7ffff69f32f0) at js/src/frontend/BytecodeCompiler.cpp:742
#28 0x0000000000a84f7e in js::ScriptParseTask::parse (this=0x7ffff69f3160) at js/src/vm/HelperThreads.cpp:277
#29 0x0000000000a8aa51 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff696ec00, locked=...) at js/src/vm/HelperThreads.cpp:1527
#30 0x0000000000a8d281 in js::HelperThread::threadLoop (this=0x7ffff696ec00) at js/src/vm/HelperThreads.cpp:1717
#31 0x0000000000ab9ab1 in nspr::Thread::ThreadRoutine (arg=0x7ffff69411a0) at js/src/vm/PosixNSPR.cpp:45
#32 0x00007ffff7bc16fa in start_thread (arg=0x7ffff58a3700) at pthread_create.c:333
#33 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x0	0
rbx	0x7ffff6988000	140737330577408
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffff58a0c70	140737312853104
rsp	0x7ffff58a0c60	140737312853088
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff58a3700	140737312864000
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff6988000	140737330577408
r13	0x7fffeee4c0f0	140737201357040
r14	0x7ffff58a0fb8	140737312853944
r15	0x7fffeee4c0d0	140737201357008
rip	0xcd1ad8 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+72>
=> 0xcd1ad8 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+72>:	movl   $0x0,0x0
   0xcd1ae3 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+83>:	ud2    


Not sure if this is a shell-only thing, marking s-s to be safe. This could also be the same issue as bug 1287395 but stacks and test case differ slightly.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0ca871e39a20
user:        Jan de Mooij
date:        Wed Jun 22 09:47:52 2016 +0200
summary:     Bug 1279295 - Create the runtime's JSContext when we create the runtime. r=luke

This iteration took 2.373 seconds to run.
Jan, is bug 1279295 a likely regressor?
Blocks: 1279295
Flags: needinfo?(jdemooij)
Hm, Terrence this looks similar to the other bug you fixed in this area last week?
Flags: needinfo?(jdemooij) → needinfo?(terrence)
Similar, but in the pre-barrier instead of in the read-barrier. I'll take it.
Assignee: nobody → terrence
Flags: needinfo?(terrence)
This is not sec sensitive. The barriers are caused by having the pre-barrier verifier enabled and would not happen outside that configuration.
Group: javascript-core-security
This is really ugly. The pre-barrier verifier captures a full-heap snapshot at the beginning, turns on all barriers and runs the mutator, then collects a second heap snapshot at the end and verifies that the barriers captured a superset of the new required edges. This process turns on barriers for all zones excluding OMT parse zones, but not excluding the atoms zone. Normally we just ensure that we never need barriers when running OMT parse tasks. We can't take that tack here because we verify at all times when we're not GCing, so we'd never be able to do OMT parsing. This would lose us our test coverage in this configuration and I think deadlock us as well -- I don't think that the system currently allows OMT parse tasks to be blocked forever. The only other option I see is to add a nasty check to the barrier itself. Note that the edges we're hitting here are just normal slots that happen to contain atoms, so I don't think blocking higher is going to work.

To summarize, we'd need to substantially re-architect the pre-barrier verifier, the OMT parse task handling, or hack yet one more test into the barrier. I've done the last for now.
Attachment #8772158 - Flags: review?(jcoppeard)
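To make the mechanism in the comment above concrete, here is a toy model of the pre-barrier verifier and of the off-thread barrier problem. It is an added illustration, not code from this bug, from attachment 8772158 or from the SpiderMonkey tree; every name in it (Cell, Zone, PreBarrierVerifier, preBarrier, setSlot, the threadCheck flag) is invented, and the flag only stands in for "one more test in the barrier", since the patch's actual condition is not shown on this page.

```cpp
// Toy model of the pre-barrier verifier and the off-thread barrier problem
// described in this bug. Added illustration; not SpiderMonkey code. All names
// are invented.
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

struct Cell;
using Slots = std::vector<Cell*>;

enum class Zone { Main, Atoms, OffThreadParse };
enum class Thread { Main, Helper };

struct Cell {
    int id;
    Zone zone;
    Slots slots;     // outgoing edges (object slots)
    bool barriered;  // a pre-barrier recorded this cell as an old target
};

struct Heap { std::vector<Cell*> cells; };

// Analogue of gczeal(4): snapshot the heap, turn on barriers, let the mutator
// run, then check that every overwritten snapshot edge had its old target
// recorded by a barrier.
struct PreBarrierVerifier {
    bool active = false;
    std::map<Cell*, Slots> snapshot;

    void start(Heap& h) {
        snapshot.clear();
        for (Cell* c : h.cells) {
            c->barriered = false;
            // OMT parse zones are left out of the snapshot and of barriers;
            // the atoms zone is not, which is the crux of the bug.
            if (c->zone != Zone::OffThreadParse) snapshot[c] = c->slots;
        }
        active = true;
    }

    // Number of snapshot edges that changed without the old target having
    // been barriered. 0 means the barriers recorded a superset of what an
    // incremental GC would have needed.
    int end() {
        active = false;
        int missing = 0;
        for (auto& kv : snapshot) {
            Cell* cell = kv.first;
            const Slots& oldSlots = kv.second;
            for (size_t i = 0; i < oldSlots.size(); ++i) {
                Cell* old = oldSlots[i];
                if (old && cell->slots[i] != old && !old->barriered) ++missing;
            }
        }
        return missing;
    }
};

// While verifying, barriers are on for every zone except OMT parse zones.
bool barriersEnabled(const PreBarrierVerifier& v, Zone z) {
    return v.active && z != Zone::OffThreadParse;
}

enum class WriteResult { Ok, MainThreadStateTouchedOffThread };

// The pre-barrier. Past the zone check the real barrier consults runtime-wide
// state that only the main thread may read (runtimeFromMainThread() in the
// backtrace); doing that from a helper thread is the assertion failure.
// threadCheck stands in for the extra test the fix put into the barrier.
WriteResult preBarrier(PreBarrierVerifier& v, Cell* old, Thread t, bool threadCheck) {
    if (!old || !barriersEnabled(v, old->zone)) return WriteResult::Ok;
    if (t == Thread::Helper)
        return threadCheck ? WriteResult::Ok : WriteResult::MainThreadStateTouchedOffThread;
    old->barriered = true;  // record the old target before it is overwritten
    return WriteResult::Ok;
}

WriteResult setSlot(PreBarrierVerifier& v, Cell* owner, size_t i, Cell* val,
                    Thread t, bool threadCheck) {
    WriteResult r = preBarrier(v, owner->slots[i], t, threadCheck);
    if (r == WriteResult::Ok) owner->slots[i] = val;
    return r;
}

// Main-thread mutator: one barriered write and one raw write that skips the
// barrier. The verifier must report exactly the raw one.
int scenarioMissingBarrier() {
    Cell a{1, Zone::Main, {}, false}, b{2, Zone::Main, {}, false}, c{3, Zone::Main, {}, false};
    a.slots = {&b, &c};
    Heap h{{&a, &b, &c}};
    PreBarrierVerifier v;
    v.start(h);
    setSlot(v, &a, 0, nullptr, Thread::Main, true);  // b is barriered
    a.slots[1] = nullptr;                             // c is not
    return v.end();
}

// The bug's shape: an off-thread parse overwrites a slot of an object in its
// own zone whose old value is an atom, while the verifier is active.
WriteResult scenarioOffThreadWrite(bool threadCheck) {
    Cell atom{10, Zone::Atoms, {}, false};
    Cell obj{11, Zone::OffThreadParse, {&atom}, false};
    Heap h{{&atom, &obj}};
    PreBarrierVerifier v;
    v.start(h);
    return setSlot(v, &obj, 0, nullptr, Thread::Helper, threadCheck);
}

int main() {
    std::printf("missing barriers on main thread: %d\n", scenarioMissingBarrier());
    std::printf("off-thread write asserts without check: %s\n",
                scenarioOffThreadWrite(false) == WriteResult::Ok ? "no" : "yes");
    std::printf("off-thread write asserts with check: %s\n",
                scenarioOffThreadWrite(true) == WriteResult::Ok ? "no" : "yes");
}
```

The check in end() is deliberately one-directional: cells that were barriered but never overwritten cost nothing, cells that were overwritten without a barrier are failures, which is what "a superset of the new required edges" means. Skipping the barrier on the helper thread is sound in this model only because OMT parse zones are outside the snapshot, so no edge the verifier later checks is written from that thread.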
Comment on attachment 8772158 [details] [diff] [review]
fuzz_1287399-v0.diff

Review of attachment 8772158 [details] [diff] [review]:
-----------------------------------------------------------------

It's behind an ifdef so it's not too bad.
Attachment #8772158 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/41dafbfe894fceca7a2e464edced4d10e1bcdd77
Bug 1287399 - Allow the pre-barrier verifier to work in the presence of OMT parsing; r=jonco
https://hg.mozilla.org/mozilla-central/rev/41dafbfe894f
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Version: Trunk → 50 Branch
Version: 50 Branch → Trunk
Duplicate of this bug: 1287395
Depends on: 1289270