Bug 1295039 (Closed)
Opened 8 years ago; closed 8 years ago
Crash [@ JSFlatString::isIndex] with use-after-free or Crash [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>] or Assertion failure: JSString::isFlat(), at js/src/vm/String.h:751 or Assertion failure: isAtom(), at vm/String.h:459
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1301343
People: Reporter: decoder, Assigned: jandem
Keywords: 6 keywords; Whiteboard: [jsbugmon:][fuzzblocker]
Attachments (3 files):
- 713.47 KB, text/plain
- 6.86 KB, text/plain
- 1.63 KB, patch
The following testcase crashes on mozilla-central revision 6e191a55c3d2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-eager --ion-check-range-analysis --baseline-eager):
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000000007d3cf8 in JSFlatString::isIndex (indexp=0x7fffffffb1ec, this=<optimized out>) at js/src/vm/String.h:751
#0 0x00000000007d3cf8 in JSFlatString::isIndex (indexp=0x7fffffffb1ec, this=<optimized out>) at js/src/vm/String.h:751
#1 js::AtomToId (atom=<optimized out>) at js/src/jsatominlines.h:44
#2 0x00000000008bda76 in INTERNED_STRING_TO_JSID (cx=cx@entry=0x0, str=str@entry=0x7ffff2554928) at js/src/jsapi.cpp:4996
#3 0x00000000008faff3 in js::detail::IdMatchesAtom (id=..., id@entry=..., atom=atom@entry=0x7ffff2554928) at js/src/jsfriendapi.cpp:1254
#4 0x0000000000d2058f in NON_INTEGER_ATOM_TO_JSID (atom=0x7ffff2554928) at js/src/jsfriendapi.h:2621
#5 js::gc::RewrapTaggedPointer<jsid, JSString>::wrap (thing=0x7ffff2554928) at js/src/gc/Marking.h:428
#6 DoCallbackFunctor<jsid>::operator()<JSString> (this=<synthetic pointer>, name=0x7ffff19a4418 "(IU\362\377\177", trc=<optimized out>, t=0x7ffff2554928) at js/src/gc/Tracer.cpp:62
#7 js::DispatchTyped<DoCallbackFunctor<jsid>, JS::CallbackTracer*&, char const*&> (iden=..., f=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Id.h:210
#8 DoCallback<jsid> (trc=<optimized out>, idp=idp@entry=0x7ffff19a4418, name=name@entry=0x1032d43 "group_property") at js/src/gc/Tracer.cpp:78
#9 0x0000000000d11fe5 in DispatchToTracer<jsid> (trc=trc@entry=0x7ffff693a208, thingp=0x7ffff19a4418, name=name@entry=0x1032d43 "group_property") at js/src/gc/Marking.cpp:664
#10 0x0000000000d1208a in js::TraceEdge<jsid> (trc=trc@entry=0x7ffff693a208, thingp=<optimized out>, name=name@entry=0x1032d43 "group_property") at js/src/gc/Marking.cpp:410
#11 0x0000000000d06291 in js::ObjectGroup::traceChildren (this=0x7ffff3373af0, trc=0x7ffff693a208) at js/src/gc/Marking.cpp:1208
#12 0x0000000000d29bc1 in js::TraceChildren (kind=<optimized out>, thing=0x7ffff3373af0, trc=0x7ffff693a208) at js/src/gc/Tracer.cpp:126
#13 js::gc::GCRuntime::startVerifyPreBarriers (this=this@entry=0x7ffff6965448) at js/src/gc/Verifier.cpp:223
#14 0x0000000000d29e56 in js::gc::GCRuntime::maybeVerifyPreBarriers (always=always@entry=false, this=0x7ffff6965448) at js/src/gc/Verifier.cpp:405
#15 js::gc::MaybeVerifyBarriers (cx=cx@entry=0x7ffff6965000, always=always@entry=false) at js/src/gc/Verifier.cpp:412
#16 0x000000000081fcff in js::jit::CheckOverRecursedWithExtra (cx=0x7ffff6965000, frame=0x7fffffffb4f8, extra=0, earlyCheck=<optimized out>) at js/src/jit/VMFunctions.cpp:180
#17 0x00007ffff7feb414 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff2554928 140737259063592
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb220 140737488335392
rsp 0x7fffffffb1e0 140737488335328
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x0 0
r11 0x0 0
r12 0x7ffff19a4418 140737246807064
r13 0x61 97
r14 0x7ffff693a208 140737330258440
r15 0x7ffff3373af0 140737273871088
rip 0x7d3cf8 <js::AtomToId(JSAtom*)+264>
=> 0x7d3cf8 <js::AtomToId(JSAtom*)+264>: movl $0x0,0x0
0x7d3d03 <js::AtomToId(JSAtom*)+275>: ud2
The attached testcase is unreduced because reduction makes it less reliable. At least one of the crashes in this bucket has a 0x4b4b pattern associated with it, so I assume this is a use-after-free. Marking s-s and sec-critical based on that.
Comment 1 • 8 years ago (Reporter)
Updated • 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 2 • 8 years ago
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Updated • 8 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 3 • 8 years ago
JSBugMon: Bisection requested, failed due to error: Error: Failed to isolate test from comment
Comment 4 • 8 years ago
Naveed, can you help find an owner for this sec-critical issue? Thanks!
This also may affect other versions than 51 from a quick glance at crash-stats.
status-firefox48: --- → ?
status-firefox49: --- → ?
status-firefox50: --- → ?
Flags: needinfo?(nihsanullah)
Comment 5 • 8 years ago (Reporter)
This is an automated crash issue comment:
Summary: Crash [@ JSFlatString::isIndex]
Build version: mozilla-central revision 401ea746b1a9
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-eager
Testcase:
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
JSFlatString::isIndex (indexp=0x7fffffffb13c, this=0x7ffff36a4250) at js/src/vm/String.h:755
#0 JSFlatString::isIndex (indexp=0x7fffffffb13c, this=0x7ffff36a4250) at js/src/vm/String.h:755
#1 js::AtomToId (atom=0x7ffff36a4250) at js/src/jsatominlines.h:44
#2 0x00000000008b9dd6 in INTERNED_STRING_TO_JSID (cx=cx@entry=0x0, str=str@entry=0x7ffff36a4250) at js/src/jsapi.cpp:4990
#3 0x00000000008f93a3 in js::detail::IdMatchesAtom (id=..., id@entry=..., atom=atom@entry=0x7ffff36a4250) at js/src/jsfriendapi.cpp:1279
#4 0x0000000000d352af in NON_INTEGER_ATOM_TO_JSID (atom=0x7ffff36a4250) at js/src/jsfriendapi.h:2607
#5 js::gc::RewrapTaggedPointer<jsid, JSString>::wrap (thing=0x7ffff36a4250) at js/src/gc/Marking.h:429
#6 DoCallbackFunctor<jsid>::operator()<JSString> (this=<synthetic pointer>, name=0x7ffff18b8d88 "PBj\363\377\177", trc=<optimized out>, t=0x7ffff36a4250) at js/src/gc/Tracer.cpp:62
#7 js::DispatchTyped<DoCallbackFunctor<jsid>, JS::CallbackTracer*&, char const*&> (iden=..., f=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Id.h:210
#8 DoCallback<jsid> (trc=<optimized out>, idp=idp@entry=0x7ffff18b8d88, name=name@entry=0x104e7b4 "group_property") at js/src/gc/Tracer.cpp:78
#9 0x0000000000d25b45 in DispatchToTracer<jsid> (trc=trc@entry=0x7fffffffb3e8, thingp=0x7ffff18b8d88, name=name@entry=0x104e7b4 "group_property") at js/src/gc/Marking.cpp:665
#10 0x0000000000d25bea in js::TraceEdge<jsid> (trc=trc@entry=0x7fffffffb3e8, thingp=<optimized out>, name=name@entry=0x104e7b4 "group_property") at js/src/gc/Marking.cpp:411
#11 0x0000000000d19541 in js::ObjectGroup::traceChildren (this=0x7ffff3676a00, trc=0x7fffffffb3e8) at js/src/gc/Marking.cpp:1382
#12 0x0000000000d3893d in js::TraceChildren (kind=<optimized out>, thing=0x7ffff3676a00, trc=0x7fffffffb3e8) at js/src/gc/Tracer.cpp:126
#13 JS::TraceChildren (trc=trc@entry=0x7fffffffb3e8, thing=...) at js/src/gc/Tracer.cpp:111
#14 0x0000000000d38b22 in CheckHeapTracer::check (this=this@entry=0x7fffffffb3e0, lock=...) at js/src/gc/Verifier.cpp:520
#15 0x0000000000d47935 in js::gc::CheckHeapAfterMovingGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:542
#16 0x0000000000904425 in js::gc::GCRuntime::minorGC (this=0x7ffff695f958, reason=JS::gcreason::DEBUG_GC, phase=<optimized out>) at js/src/jsgc.cpp:6500
#17 0x0000000000930f31 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f958) at js/src/jsgc.cpp:6693
#18 0x0000000000cf9d08 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff695f958, cx=cx@entry=0x7ffff695f000) at js/src/gc/Allocator.cpp:225
#19 0x0000000000d06c79 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=this@entry=0x7ffff695f958, cx=cx@entry=0x7ffff695f000, kind=kind@entry=js::gc::AllocKind::FIRST) at js/src/gc/Allocator.cpp:189
#20 0x0000000000d08364 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, kind=kind@entry=js::gc::AllocKind::FIRST, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1d7bb60 <JSFunction::class_>) at js/src/gc/Allocator.cpp:47
#21 0x000000000093c0ae in JSObject::create (cx=0x7ffff695f000, kind=js::gc::AllocKind::FIRST, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:377
#22 0x000000000095647f in NewObject (cx=0x7ffff695f000, group=..., kind=js::gc::AllocKind::FIRST, newKind=js::SingletonObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:667
#23 0x0000000000957206 in js::NewObjectWithClassProtoCommon (cx=cx@entry=0x7ffff695f000, clasp=clasp@entry=0x1d7bb60 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::SingletonObject) at js/src/jsobj.cpp:787
#24 0x0000000000932a48 in js::NewObjectWithClassProto (newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FIRST, proto=..., clasp=0x1d7bb60 <JSFunction::class_>, cx=0x7ffff695f000) at js/src/jsobjinlines.h:726
#25 js::NewFunctionWithProto (cx=cx@entry=0x7ffff695f000, native=0xc2e2c0 <Reflect_defineProperty(JSContext*, unsigned int, JS::Value*)>, nargs=3, flags=flags@entry=JSFunction::NATIVE_FUN, enclosingEnv=enclosingEnv@entry=..., atom=..., proto=..., allocKind=js::gc::AllocKind::FIRST, newKind=js::SingletonObject, protoHandling=js::NewFunctionClassProto) at js/src/jsfun.cpp:1984
#26 0x0000000000935161 in js::NewNativeFunction (cx=cx@entry=0x7ffff695f000, native=<optimized out>, nargs=<optimized out>, atom=..., atom@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::GenericObject) at js/src/jsfun.cpp:1921
#27 0x00000000008c8dc7 in JS::NewFunctionFromSpec (cx=cx@entry=0x7ffff695f000, fs=fs@entry=0x1d87af0 <methods+80>, id=id@entry=...) at js/src/jsapi.cpp:3413
#28 0x000000000095a9bf in DefineFunctionFromSpec (intrinsic=js::NotIntrinsic, flags=0, fs=0x1d87af0 <methods+80>, obj=..., cx=0x7ffff695f000) at js/src/jsobj.cpp:2913
#29 js::DefineFunctions (cx=cx@entry=0x7ffff695f000, obj=..., fs=0x1d87af0 <methods+80>, fs@entry=0x1d87aa0 <methods>, intrinsic=intrinsic@entry=js::NotIntrinsic) at js/src/jsobj.cpp:2929
#30 0x00000000008ca3d0 in JS_DefineFunctions (cx=cx@entry=0x7ffff695f000, obj=..., fs=fs@entry=0x1d87aa0 <methods>) at js/src/jsapi.cpp:3619
#31 0x0000000000c41165 in js::InitReflect (cx=cx@entry=0x7ffff695f000, obj=..., obj@entry=...) at js/src/builtin/Reflect.cpp:376
#32 0x0000000000aa6ae6 in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff695f000, global=..., key=key@entry=JSProto_Reflect) at js/src/vm/GlobalObject.cpp:170
#33 0x0000000000aa7068 in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7ffff695f000, global=..., global@entry=..., key=key@entry=JSProto_Reflect) at js/src/vm/GlobalObject.cpp:123
#34 0x00000000008c5c57 in JS_ResolveStandardClass (cx=0x7ffff695f000, obj=..., id=..., resolved=0x7fffffffbde0) at js/src/jsapi.cpp:1050
#35 0x0000000000abbae0 in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:397
#36 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., id=id@entry=..., propp=propp@entry=..., donep=donep@entry=0x7fffffffbecf) at js/src/vm/NativeObject-inl.h:485
#37 0x0000000000ae2067 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2022
#38 0x0000000000ae2850 in js::NativeGetProperty (cx=cx@entry=0x7ffff695f000, obj=..., obj@entry=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2066
#39 0x0000000000c5d075 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.h:1491
#40 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846
#41 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:862
#42 JS_InitReflectParse (cx=cx@entry=0x7ffff695f000, global=global@entry=...) at js/src/builtin/ReflectParse.cpp:3717
#43 0x000000000045d889 in NewGlobalObject (cx=cx@entry=0x7ffff695f000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:6754
#44 0x000000000045dd39 in NewGlobal (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7fffffffc2d0) at js/src/shell/js.cpp:4483
#45 0x00007ffff7e49635 in ?? ()
#46 0x00007fffffffc32a in ?? ()
#47 0x00007fffffffc2a8 in ?? ()
#48 0x0000000000000000 in ?? ()
rax 0x4b4b4b4b 1263225675
rbx 0x7ffff36a4250 140737277215312
rcx 0x0 0
rdx 0x585 1413
rsi 0x7fffffffb0d0 140737488335056
rdi 0xfffe4b4b4b4b4b4b -480163195565237
rbp 0x7fffffffb170 140737488335216
rsp 0x7fffffffb130 140737488335152
r8 0x217a 8570
r9 0x8000 32768
r10 0x7ffff1b02000 140737248239616
r11 0xf 15
r12 0x7fffffffb140 140737488335168
r13 0x16 22
r14 0x7fffffffb3e8 140737488335848
r15 0x7ffff3676a00 140737277028864
rip 0x7d18f9 <js::AtomToId(JSAtom*)+153>
=> 0x7d18f9 <js::AtomToId(JSAtom*)+153>: movzbl (%rdi),%eax
0x7d18fc <js::AtomToId(JSAtom*)+156>: sub $0x30,%eax
The attached testcase is smaller and should still be fairly reliable.
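The reporter's use-after-free call in the description rests on the 0x4b4b fill pattern showing up in the crash state, and the register dump above (rax 0x4b4b4b4b, rdi 0xfffe4b4b4b4b4b4b) is exactly that evidence. The following triage helper is an added example, not code from the report or from SpiderMonkey: it parses gdb register-dump lines in the format shown on this page and flags registers whose value consists largely of a given poison byte, so a bucket of fuzzer crashes can be screened for the same signature. The sample dump is copied from the comment 5 output above; the poison byte, threshold and function names are this example's own choices.

```python
import re

# gdb register-dump lines as printed in this bug: "<reg> 0x<hex> <decimal>".
# Lines with a symbol suffix (rip ... <js::AtomToId+153>) or backtrace frames do not match
# and are skipped.
REG_LINE = re.compile(r"^\s*([a-z][a-z0-9]*)\s+0x([0-9a-fA-F]+)\s+(-?\d+)\s*$")

# Register lines taken from the comment 5 dump on this page (rax and rdi carry the 0x4b fill).
SAMPLE_DUMP = """\
rax 0x4b4b4b4b 1263225675
rbx 0x7ffff36a4250 140737277215312
rcx 0x0 0
rdx 0x585 1413
rsi 0x7fffffffb0d0 140737488335056
rdi 0xfffe4b4b4b4b4b4b -480163195565237
rbp 0x7fffffffb170 140737488335216
rip 0x7d18f9 <js::AtomToId(JSAtom*)+153>
=> 0x7d18f9 <js::AtomToId(JSAtom*)+153>: movzbl (%rdi),%eax
"""


def poisoned_bytes(value, poison, width=8):
    """Count how many of the `width` bytes of `value` equal the poison byte."""
    return sum(1 for i in range(width) if (value >> (8 * i)) & 0xFF == poison)


def scan_registers(dump, poison=0x4B, min_bytes=2):
    """Parse a register dump and return {register: hex-string} for every register
    holding at least `min_bytes` bytes of `poison`.

    `min_bytes` defaults to 2 so that an ordinary pointer that happens to contain a
    single 0x4b byte is not reported (example's own threshold)."""
    hits = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        reg, hexdigits = m.group(1), m.group(2)
        if poisoned_bytes(int(hexdigits, 16), poison) >= min_bytes:
            hits[reg] = "0x" + hexdigits
    return hits


def looks_like_use_after_free(dump, poison=0x4B):
    """True when at least one register is dominated by the poison byte, the same
    heuristic the reporter applied by eye to this bucket."""
    return bool(scan_registers(dump, poison))


if __name__ == "__main__":
    for reg, val in scan_registers(SAMPLE_DUMP).items():
        print(f"{reg}: {val} contains poison byte 0x4b")
    print("use-after-free suspected:", looks_like_use_after_free(SAMPLE_DUMP))
```

Run against the comment 0 dump, the same scan reports nothing, which matches the reporter's wording that only some crashes in the bucket carry the pattern; a faulting address that is itself poison (as rdi is here, one instruction before the crash) is the strongest form of the signal.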
Comment 6 • 8 years ago (Reporter)
Updated • 8 years ago (Reporter)
Flags: needinfo?(jcoppeard)
Updated • 8 years ago (Reporter)
Crash Signature: [@ JSFlatString::isIndex] → [@ JSFlatString::isIndex] [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>]
Summary: Crash [@ JSFlatString::isIndex] with use-after-free or Assertion failure: JSString::isFlat(), at js/src/vm/String.h:751 → Crash [@ JSFlatString::isIndex] with use-after-free or Crash [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>] or Assertion failure: JSString::isFlat(), at js/src/vm/String.h:751 or Assertion failure: isAtom(), at vm/String.h:459
Whiteboard: [jsbugmon:] → [jsbugmon:][fuzzblocker]
Comment 7 • 8 years ago
Reproduced. We're tracing an ObjectGroup which has a swept atom as one of its property IDs during an incremental GC. It's not clear at the moment why this is happening. It may be related to off-thread Ion compilation, since that seems to be necessary to reproduce this and compilations are being attached between the GC slices in this case.
Comment 8 • 8 years ago (Assignee)
The lazy link patches to link pending builders, when we have too many of them, might have exposed this.
I think we don't mark a script, but still link a pending IonBuilder for this script. That can cause GC hazards when we finish the compilation and store untraced pointers in other objects (in this case, we add a property to an ObjectGroup).
Depends on: 1301343
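The hazard described in comments 7 and 8 (a script that is not marked because only a pending off-thread compilation still references it, which is then swept, after which linking the compilation stores the dangling pointer into a live ObjectGroup) can be modelled with a few dozen lines. The following is an added toy mark-and-sweep model, not SpiderMonkey code; all names (`Heap`, `PendingCompilation`, `link_pending`, `check_heap`) are hypothetical. Its `check_heap` plays the role of the post-GC heap check seen in the comment 5 stack (CheckHeapAfterMovingGC): it walks live edges and reports any that lead to a swept cell. With `trace_pending=False` the model reproduces the bad edge; with `trace_pending=True` (pending compilations traced as roots, the direction comment 13 describes) it is clean.

```python
class Cell:
    """A GC-managed cell. `swept` stands in for the memory being freed and poison-filled."""

    def __init__(self, name, refs=()):
        self.name = name
        self.refs = list(refs)   # outgoing edges, followed by mark()
        self.marked = False
        self.swept = False


class PendingCompilation:
    """An off-thread compilation that keeps a raw pointer to its script while it runs.
    In this model the pointer is only traced if the heap chooses to do so."""

    def __init__(self, script):
        self.script = script


class Heap:
    def __init__(self, trace_pending):
        self.cells = []
        self.roots = []
        self.pending = []
        # The fix being modelled: treat pending compilations as roots during marking.
        self.trace_pending = trace_pending

    def alloc(self, name, refs=()):
        cell = Cell(name, refs)
        self.cells.append(cell)
        return cell

    def mark(self):
        stack = list(self.roots)
        if self.trace_pending:
            stack.extend(p.script for p in self.pending)
        while stack:
            cell = stack.pop()
            if cell.marked:
                continue
            cell.marked = True
            stack.extend(cell.refs)

    def sweep(self):
        for cell in self.cells:
            if not cell.marked:
                cell.swept = True        # freed; any remaining pointer to it is dangling
            cell.marked = False
        self.cells = [c for c in self.cells if not c.swept]

    def collect(self):
        self.mark()
        self.sweep()

    def link_pending(self, group):
        """Finishing a compilation stores the script pointer into a live group,
        the untraced-pointer store comment 8 refers to."""
        for p in self.pending:
            group.refs.append(p.script)
        self.pending.clear()

    def check_heap(self):
        """Post-GC heap check: return (from, to) name pairs for live edges that point
        at swept cells. An empty list means the heap is consistent."""
        bad = []
        seen = set()
        stack = list(self.roots)
        while stack:
            cell = stack.pop()
            if id(cell) in seen:
                continue
            seen.add(id(cell))
            for ref in cell.refs:
                if ref.swept:
                    bad.append((cell.name, ref.name))
                else:
                    stack.append(ref)
        return bad


def simulate(trace_pending):
    """Order of events from the bug: compilation pending -> GC slice -> link -> heap check."""
    heap = Heap(trace_pending)
    group = heap.alloc("group")        # ObjectGroup-like cell, reachable from a root
    heap.roots.append(group)
    script = heap.alloc("script")      # referenced only by the pending compilation
    heap.pending.append(PendingCompilation(script))
    heap.collect()                     # GC runs while the compilation is still pending
    heap.link_pending(group)           # compilation finishes, pointer stored in the group
    return heap.check_heap()


if __name__ == "__main__":
    print("untraced pending compilation:", simulate(False))
    print("pending compilation traced:  ", simulate(True))
```

The model deliberately keeps swept cells as Python objects instead of freeing them, so the dangling edge can be reported rather than crashing; in the real engine the equivalent read lands on 0x4b-filled memory, which is the crash the reporter saw.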
Comment 9 • 8 years ago
Jan said he would write a patch for this, so clearing my needinfo.
Flags: needinfo?(jcoppeard)
Updated • 8 years ago
Assignee: nobody → jdemooij
Flags: needinfo?(nihsanullah)
Comment 10 • 8 years ago
Probably too late for 49, but please do mark it as affected once you find the regression range.
tracking-firefox49: --- → +
Comment 11 • 8 years ago
How far back does this issue go? What releases are affected?
tracking-firefox51: --- → +
Comment 12 • 8 years ago
Is this what you had in mind? I verified that this fixes the crash in comment 5.
Attachment #8793712 - Flags: review?(jdemooij)
Comment 13 • 8 years ago (Assignee)
Comment on attachment 8793712 (bug1295039):
Yeah but we also have to trace the compilations that are in progress.
The patch in bug 1301343 fixes this as well, so I'd prefer just landing that.
Attachment #8793712 - Flags: review?(jdemooij)
Updated • 8 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 15 • 8 years ago
Mark 51 fixed as bug 1301343 was fixed.
Updated • 8 years ago
status-firefox50: --- → fixed
Updated • 7 years ago
Group: javascript-core-security