Closed Bug 1295039 Opened 8 years ago Closed 8 years ago

Crash [@ JSFlatString::isIndex] with use-after-free or Crash [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>] or Assertion failure: JSString::isFlat(), at js/src/vm/String.h:751 or Assertion failure: isAtom(), at vm/String.h:459

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1301343
Tracking Status
firefox48 --- wontfix
firefox49 + wontfix
firefox50 --- fixed
firefox51 + fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(6 keywords, Whiteboard: [jsbugmon:][fuzzblocker])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 6e191a55c3d2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-eager --ion-check-range-analysis --baseline-eager):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000000007d3cf8 in JSFlatString::isIndex (indexp=0x7fffffffb1ec, this=<optimized out>) at js/src/vm/String.h:751
#0 0x00000000007d3cf8 in JSFlatString::isIndex (indexp=0x7fffffffb1ec, this=<optimized out>) at js/src/vm/String.h:751
#1 js::AtomToId (atom=<optimized out>) at js/src/jsatominlines.h:44
#2 0x00000000008bda76 in INTERNED_STRING_TO_JSID (cx=cx@entry=0x0, str=str@entry=0x7ffff2554928) at js/src/jsapi.cpp:4996
#3 0x00000000008faff3 in js::detail::IdMatchesAtom (id=..., id@entry=..., atom=atom@entry=0x7ffff2554928) at js/src/jsfriendapi.cpp:1254
#4 0x0000000000d2058f in NON_INTEGER_ATOM_TO_JSID (atom=0x7ffff2554928) at js/src/jsfriendapi.h:2621
#5 js::gc::RewrapTaggedPointer<jsid, JSString>::wrap (thing=0x7ffff2554928) at js/src/gc/Marking.h:428
#6 DoCallbackFunctor<jsid>::operator()<JSString> (this=<synthetic pointer>, name=0x7ffff19a4418 "(IU\362\377\177", trc=<optimized out>, t=0x7ffff2554928) at js/src/gc/Tracer.cpp:62
#7 js::DispatchTyped<DoCallbackFunctor<jsid>, JS::CallbackTracer*&, char const*&> (iden=..., f=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Id.h:210
#8 DoCallback<jsid> (trc=<optimized out>, idp=idp@entry=0x7ffff19a4418, name=name@entry=0x1032d43 "group_property") at js/src/gc/Tracer.cpp:78
#9 0x0000000000d11fe5 in DispatchToTracer<jsid> (trc=trc@entry=0x7ffff693a208, thingp=0x7ffff19a4418, name=name@entry=0x1032d43 "group_property") at js/src/gc/Marking.cpp:664
#10 0x0000000000d1208a in js::TraceEdge<jsid> (trc=trc@entry=0x7ffff693a208, thingp=<optimized out>, name=name@entry=0x1032d43 "group_property") at js/src/gc/Marking.cpp:410
#11 0x0000000000d06291 in js::ObjectGroup::traceChildren (this=0x7ffff3373af0, trc=0x7ffff693a208) at js/src/gc/Marking.cpp:1208
#12 0x0000000000d29bc1 in js::TraceChildren (kind=<optimized out>, thing=0x7ffff3373af0, trc=0x7ffff693a208) at js/src/gc/Tracer.cpp:126
#13 js::gc::GCRuntime::startVerifyPreBarriers (this=this@entry=0x7ffff6965448) at js/src/gc/Verifier.cpp:223
#14 0x0000000000d29e56 in js::gc::GCRuntime::maybeVerifyPreBarriers (always=always@entry=false, this=0x7ffff6965448) at js/src/gc/Verifier.cpp:405
#15 js::gc::MaybeVerifyBarriers (cx=cx@entry=0x7ffff6965000, always=always@entry=false) at js/src/gc/Verifier.cpp:412
#16 0x000000000081fcff in js::jit::CheckOverRecursedWithExtra (cx=0x7ffff6965000, frame=0x7fffffffb4f8, extra=0, earlyCheck=<optimized out>) at js/src/jit/VMFunctions.cpp:180
#17 0x00007ffff7feb414 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7ffff2554928 140737259063592
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb220 140737488335392
rsp 0x7fffffffb1e0 140737488335328
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x0 0
r11 0x0 0
r12 0x7ffff19a4418 140737246807064
r13 0x61 97
r14 0x7ffff693a208 140737330258440
r15 0x7ffff3373af0 140737273871088
rip 0x7d3cf8 <js::AtomToId(JSAtom*)+264>
=> 0x7d3cf8 <js::AtomToId(JSAtom*)+264>: movl $0x0,0x0
0x7d3d03 <js::AtomToId(JSAtom*)+275>: ud2

The attached testcase is unreduced because reduction makes it less reliable. At least one of the crashes in this bucket has a 0x4b4b pattern associated with it, so I assume this is a use-after-free. Marking s-s and sec-critical based on that.
Attached file Testcase
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
JSBugMon: Bisection requested, failed due to error: Error: Failed to isolate test from comment
Naveed can you help find an owner for this sec-critical issue? Thanks! This also may affect other versions than 51 from a quick glance at crash-stats.
Flags: needinfo?(nihsanullah)
This is an automated crash issue comment:

Summary: Crash [@ JSFlatString::isIndex]
Build version: mozilla-central revision 401ea746b1a9
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-eager

Testcase: See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
JSFlatString::isIndex (indexp=0x7fffffffb13c, this=0x7ffff36a4250) at js/src/vm/String.h:755
#0 JSFlatString::isIndex (indexp=0x7fffffffb13c, this=0x7ffff36a4250) at js/src/vm/String.h:755
#1 js::AtomToId (atom=0x7ffff36a4250) at js/src/jsatominlines.h:44
#2 0x00000000008b9dd6 in INTERNED_STRING_TO_JSID (cx=cx@entry=0x0, str=str@entry=0x7ffff36a4250) at js/src/jsapi.cpp:4990
#3 0x00000000008f93a3 in js::detail::IdMatchesAtom (id=..., id@entry=..., atom=atom@entry=0x7ffff36a4250) at js/src/jsfriendapi.cpp:1279
#4 0x0000000000d352af in NON_INTEGER_ATOM_TO_JSID (atom=0x7ffff36a4250) at js/src/jsfriendapi.h:2607
#5 js::gc::RewrapTaggedPointer<jsid, JSString>::wrap (thing=0x7ffff36a4250) at js/src/gc/Marking.h:429
#6 DoCallbackFunctor<jsid>::operator()<JSString> (this=<synthetic pointer>, name=0x7ffff18b8d88 "PBj\363\377\177", trc=<optimized out>, t=0x7ffff36a4250) at js/src/gc/Tracer.cpp:62
#7 js::DispatchTyped<DoCallbackFunctor<jsid>, JS::CallbackTracer*&, char const*&> (iden=..., f=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Id.h:210
#8 DoCallback<jsid> (trc=<optimized out>, idp=idp@entry=0x7ffff18b8d88, name=name@entry=0x104e7b4 "group_property") at js/src/gc/Tracer.cpp:78
#9 0x0000000000d25b45 in DispatchToTracer<jsid> (trc=trc@entry=0x7fffffffb3e8, thingp=0x7ffff18b8d88, name=name@entry=0x104e7b4 "group_property") at js/src/gc/Marking.cpp:665
#10 0x0000000000d25bea in js::TraceEdge<jsid> (trc=trc@entry=0x7fffffffb3e8, thingp=<optimized out>, name=name@entry=0x104e7b4 "group_property") at js/src/gc/Marking.cpp:411
#11 0x0000000000d19541 in js::ObjectGroup::traceChildren (this=0x7ffff3676a00, trc=0x7fffffffb3e8) at js/src/gc/Marking.cpp:1382
#12 0x0000000000d3893d in js::TraceChildren (kind=<optimized out>, thing=0x7ffff3676a00, trc=0x7fffffffb3e8) at js/src/gc/Tracer.cpp:126
#13 JS::TraceChildren (trc=trc@entry=0x7fffffffb3e8, thing=...) at js/src/gc/Tracer.cpp:111
#14 0x0000000000d38b22 in CheckHeapTracer::check (this=this@entry=0x7fffffffb3e0, lock=...) at js/src/gc/Verifier.cpp:520
#15 0x0000000000d47935 in js::gc::CheckHeapAfterMovingGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:542
#16 0x0000000000904425 in js::gc::GCRuntime::minorGC (this=0x7ffff695f958, reason=JS::gcreason::DEBUG_GC, phase=<optimized out>) at js/src/jsgc.cpp:6500
#17 0x0000000000930f31 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f958) at js/src/jsgc.cpp:6693
#18 0x0000000000cf9d08 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff695f958, cx=cx@entry=0x7ffff695f000) at js/src/gc/Allocator.cpp:225
#19 0x0000000000d06c79 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=this@entry=0x7ffff695f958, cx=cx@entry=0x7ffff695f000, kind=kind@entry=js::gc::AllocKind::FIRST) at js/src/gc/Allocator.cpp:189
#20 0x0000000000d08364 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, kind=kind@entry=js::gc::AllocKind::FIRST, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1d7bb60 <JSFunction::class_>) at js/src/gc/Allocator.cpp:47
#21 0x000000000093c0ae in JSObject::create (cx=0x7ffff695f000, kind=js::gc::AllocKind::FIRST, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:377
#22 0x000000000095647f in NewObject (cx=0x7ffff695f000, group=..., kind=js::gc::AllocKind::FIRST, newKind=js::SingletonObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:667
#23 0x0000000000957206 in js::NewObjectWithClassProtoCommon (cx=cx@entry=0x7ffff695f000, clasp=clasp@entry=0x1d7bb60 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::SingletonObject) at js/src/jsobj.cpp:787
#24 0x0000000000932a48 in js::NewObjectWithClassProto (newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FIRST, proto=..., clasp=0x1d7bb60 <JSFunction::class_>, cx=0x7ffff695f000) at js/src/jsobjinlines.h:726
#25 js::NewFunctionWithProto (cx=cx@entry=0x7ffff695f000, native=0xc2e2c0 <Reflect_defineProperty(JSContext*, unsigned int, JS::Value*)>, nargs=3, flags=flags@entry=JSFunction::NATIVE_FUN, enclosingEnv=enclosingEnv@entry=..., atom=..., proto=..., allocKind=js::gc::AllocKind::FIRST, newKind=js::SingletonObject, protoHandling=js::NewFunctionClassProto) at js/src/jsfun.cpp:1984
#26 0x0000000000935161 in js::NewNativeFunction (cx=cx@entry=0x7ffff695f000, native=<optimized out>, nargs=<optimized out>, atom=..., atom@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::GenericObject) at js/src/jsfun.cpp:1921
#27 0x00000000008c8dc7 in JS::NewFunctionFromSpec (cx=cx@entry=0x7ffff695f000, fs=fs@entry=0x1d87af0 <methods+80>, id=id@entry=...) at js/src/jsapi.cpp:3413
#28 0x000000000095a9bf in DefineFunctionFromSpec (intrinsic=js::NotIntrinsic, flags=0, fs=0x1d87af0 <methods+80>, obj=..., cx=0x7ffff695f000) at js/src/jsobj.cpp:2913
#29 js::DefineFunctions (cx=cx@entry=0x7ffff695f000, obj=..., fs=0x1d87af0 <methods+80>, fs@entry=0x1d87aa0 <methods>, intrinsic=intrinsic@entry=js::NotIntrinsic) at js/src/jsobj.cpp:2929
#30 0x00000000008ca3d0 in JS_DefineFunctions (cx=cx@entry=0x7ffff695f000, obj=..., fs=fs@entry=0x1d87aa0 <methods>) at js/src/jsapi.cpp:3619
#31 0x0000000000c41165 in js::InitReflect (cx=cx@entry=0x7ffff695f000, obj=..., obj@entry=...) at js/src/builtin/Reflect.cpp:376
#32 0x0000000000aa6ae6 in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff695f000, global=..., key=key@entry=JSProto_Reflect) at js/src/vm/GlobalObject.cpp:170
#33 0x0000000000aa7068 in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7ffff695f000, global=..., global@entry=..., key=key@entry=JSProto_Reflect) at js/src/vm/GlobalObject.cpp:123
#34 0x00000000008c5c57 in JS_ResolveStandardClass (cx=0x7ffff695f000, obj=..., id=..., resolved=0x7fffffffbde0) at js/src/jsapi.cpp:1050
#35 0x0000000000abbae0 in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:397
#36 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., id=id@entry=..., propp=propp@entry=..., donep=donep@entry=0x7fffffffbecf) at js/src/vm/NativeObject-inl.h:485
#37 0x0000000000ae2067 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2022
#38 0x0000000000ae2850 in js::NativeGetProperty (cx=cx@entry=0x7ffff695f000, obj=..., obj@entry=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2066
#39 0x0000000000c5d075 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.h:1491
#40 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846
#41 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:862
#42 JS_InitReflectParse (cx=cx@entry=0x7ffff695f000, global=global@entry=...) at js/src/builtin/ReflectParse.cpp:3717
#43 0x000000000045d889 in NewGlobalObject (cx=cx@entry=0x7ffff695f000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:6754
#44 0x000000000045dd39 in NewGlobal (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7fffffffc2d0) at js/src/shell/js.cpp:4483
#45 0x00007ffff7e49635 in ?? ()
#46 0x00007fffffffc32a in ?? ()
#47 0x00007fffffffc2a8 in ?? ()
#48 0x0000000000000000 in ?? ()

rax 0x4b4b4b4b 1263225675
rbx 0x7ffff36a4250 140737277215312
rcx 0x0 0
rdx 0x585 1413
rsi 0x7fffffffb0d0 140737488335056
rdi 0xfffe4b4b4b4b4b4b -480163195565237
rbp 0x7fffffffb170 140737488335216
rsp 0x7fffffffb130 140737488335152
r8 0x217a 8570
r9 0x8000 32768
r10 0x7ffff1b02000 140737248239616
r11 0xf 15
r12 0x7fffffffb140 140737488335168
r13 0x16 22
r14 0x7fffffffb3e8 140737488335848
r15 0x7ffff3676a00 140737277028864
rip 0x7d18f9 <js::AtomToId(JSAtom*)+153>
=> 0x7d18f9 <js::AtomToId(JSAtom*)+153>: movzbl (%rdi),%eax
0x7d18fc <js::AtomToId(JSAtom*)+156>: sub $0x30,%eax

The attached testcase is smaller and should still be fairly reliable.
Flags: needinfo?(jcoppeard)
Crash Signature: [@ JSFlatString::isIndex] → [@ JSFlatString::isIndex] [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>]
Summary: Crash [@ JSFlatString::isIndex] with use-after-free or Assertion failure: JSString::isFlat(), at js/src/vm/String.h:751 → Crash [@ JSFlatString::isIndex] with use-after-free or Crash [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>] or Assertion failure: JSString::isFlat(), at js/src/vm/String.h:751 or Assertion failure: isAtom(), at vm/String.h:459
Whiteboard: [jsbugmon:] → [jsbugmon:][fuzzblocker]
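As an added triage helper (not part of this bug report or of the fuzzing tooling behind it), here is the check the reporter does by eye in the two crash comments above: pull the gdb register dump apart, count how many of each register's eight bytes are the 0x4b fill, and see whether the faulting instruction reads through one of those registers. Both inputs are copied from the dumps on this page. Treating 0x4b as the byte SpiderMonkey's debug builds write over swept tenured cells is my assumption; the page only says the 0x4b4b pattern points at a use-after-free.

```python
from __future__ import annotations
import re

# Constructed input: the register dump from the second crash comment on this bug
# (mozilla-central revision 401ea746b1a9), with the faulting instruction gdb printed.
UAF_DUMP = (
    "rax 0x4b4b4b4b 1263225675 rbx 0x7ffff36a4250 140737277215312 rcx 0x0 0 "
    "rdx 0x585 1413 rsi 0x7fffffffb0d0 140737488335056 "
    "rdi 0xfffe4b4b4b4b4b4b -480163195565237 rbp 0x7fffffffb170 140737488335216 "
    "rsp 0x7fffffffb130 140737488335152 r8 0x217a 8570 r9 0x8000 32768 "
    "r10 0x7ffff1b02000 140737248239616 r11 0xf 15 r12 0x7fffffffb140 140737488335168 "
    "r13 0x16 22 r14 0x7fffffffb3e8 140737488335848 r15 0x7ffff3676a00 140737277028864 "
    "rip 0x7d18f9 <js::AtomToId(JSAtom*)+153> "
    "=> 0x7d18f9 <js::AtomToId(JSAtom*)+153>: movzbl (%rdi),%eax"
)

# Constructed input: an excerpt of the first comment's dump (revision 6e191a55c3d2).
# Its faulting instruction stores to a constant address instead of reading a pointer.
ASSERT_DUMP = (
    "rax 0x0 0 rdi 0x7ffff6ef6540 140737336272192 r13 0x61 97 "
    "rip 0x7d3cf8 <js::AtomToId(JSAtom*)+264> "
    "=> 0x7d3cf8 <js::AtomToId(JSAtom*)+264>: movl $0x0,0x0"
)

X86_64_REGS = "rax rbx rcx rdx rsi rdi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip".split()

# Assumption (not stated on the page): 0x4b is the fill byte written over swept
# tenured GC cells in debug builds, which is how the reporter reads the 0x4b4b bytes.
POISON_BYTE = 0x4B

_REG_RE = re.compile(r"\b(%s)\s+(0x[0-9a-fA-F]+)" % "|".join(X86_64_REGS))
# "=> <addr> <symbol+off>: <instruction>" as gdb prints the current instruction
_INSN_RE = re.compile(r"=>\s*0x[0-9a-fA-F]+\s+<[^>]*>:\s*(.+)$")
_MEM_BASE_RE = re.compile(r"\(%(\w+)\)")  # AT&T memory operand such as (%rdi)


def parse_registers(dump: str) -> dict[str, int]:
    """Map register name -> unsigned 64-bit value; the decimal column is ignored."""
    return {name: int(hexval, 16) for name, hexval in _REG_RE.findall(dump)}


def poison_byte_count(value: int, poison: int = POISON_BYTE) -> int:
    """How many of the value's 8 little-endian bytes equal the poison byte."""
    return sum(1 for b in value.to_bytes(8, "little") if b == poison)


def poisoned_registers(regs: dict[str, int], min_bytes: int = 4) -> dict[str, int]:
    """Registers that are mostly poison: a pointer into a freed cell, or data read from one."""
    return {name: n for name, value in regs.items()
            if (n := poison_byte_count(value)) >= min_bytes}


def faulting_base_register(dump: str) -> str | None:
    """Base register of the faulting instruction's memory operand, or None if there is none."""
    insn = _INSN_RE.search(dump)
    if not insn:
        return None
    mem = _MEM_BASE_RE.search(insn.group(1))
    return mem.group(1) if mem else None


def triage(dump: str) -> tuple[str, str | None, dict[str, int]]:
    """Classify a crash dump: (verdict, register dereferenced by the fault, poisoned registers)."""
    regs = parse_registers(dump)
    poisoned = poisoned_registers(regs)
    base = faulting_base_register(dump)
    if base in poisoned:
        return ("use-after-free", base, poisoned)   # fault reads through a freed-cell pointer
    if poisoned:
        return ("poison-in-registers", base, poisoned)  # worth a look, but not proven by the fault
    return ("no-poison", base, poisoned)


if __name__ == "__main__":
    for label, dump in (("comment 5 dump", UAF_DUMP), ("comment 0 dump", ASSERT_DUMP)):
        verdict, base, poisoned = triage(dump)
        print(f"{label}: {verdict}; faulting base register={base}; poisoned={poisoned}")
```

On the second dump this reports a use-after-free through rdi (rax, the byte the faulting load just fetched, carries the same fill); on the first dump the faulting instruction has no register operand, so nothing is flagged, which separates a plain crash-by-design from a dereference of freed memory.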
Reproduced. We're tracing an ObjectGroup which has a swept atom as one of its property IDs during an incremental GC. It's not clear at the moment why this is happening. It may be related to off thread ion compilation since that seems to be necessary to reproduce this and compilations are being attached between the GC slices in this case.
The lazy link patches to link pending builders, when we have too many of them, might have exposed this. I think we don't mark a script, but still link a pending IonBuilder for this script. That can cause GC hazards when we finish the compilation and store untraced pointers in other objects (in this case, we add a property to an ObjectGroup).
Depends on: 1301343
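As an added illustration, not code from this bug or from SpiderMonkey, the hazard the two comments above describe, reduced to a toy mark-and-sweep heap: a queued compilation holds a pointer the collector never traces; when the pointed-to cell dies in a GC slice and the compilation is linked afterwards, the link stores a swept pointer into a live object, which the next heap check reports. Tracing the queued compilations as well (what the comments say the fix in bug 1301343 does) removes the hazard. Heap, Cell, PendingBuilder and run_scenario are my names; the real engine holds a script plus the objects its compiled code references, which this example collapses into one held atom.

```python
from __future__ import annotations
from typing import Callable


class Cell:
    """A GC-managed thing (an atom or an ObjectGroup in this toy heap)."""

    def __init__(self, kind: str, name: str) -> None:
        self.kind = kind
        self.name = name
        self.edges: list[Cell] = []  # traced outgoing pointers, e.g. a group's property ids
        self.swept = False           # set when the collector frees (poisons) the cell

    def __repr__(self) -> str:
        return f"{self.kind}:{self.name}" + (" (swept)" if self.swept else "")


class PendingBuilder:
    """Hypothetical stand-in for a compilation waiting to be lazily linked: it holds a
    pointer to the ObjectGroup and to the property atom the linked code will add to
    it, but sits outside the heap's traced edges."""

    def __init__(self, group: Cell, property_atom: Cell) -> None:
        self.group = group
        self.property_atom = property_atom

    def link(self) -> None:
        # Finishing the compilation writes the held pointer into a live object.
        self.group.edges.append(self.property_atom)

    def trace(self, mark: Callable[[Cell], None]) -> None:
        mark(self.group)
        mark(self.property_atom)


class Heap:
    def __init__(self) -> None:
        self.cells: list[Cell] = []
        self.roots: list[Cell] = []
        self.pending: list[PendingBuilder] = []

    def alloc(self, kind: str, name: str) -> Cell:
        cell = Cell(kind, name)
        self.cells.append(cell)
        return cell

    def collect(self, trace_pending: bool) -> list[Cell]:
        """Mark from the roots (and, if asked, from pending builders), then sweep.
        Returns the cells that were swept."""
        marked: set[int] = set()
        worklist: list[Cell] = []

        def mark(cell: Cell) -> None:
            if id(cell) not in marked:
                marked.add(id(cell))
                worklist.append(cell)

        for root in self.roots:
            mark(root)
        if trace_pending:
            for builder in self.pending:   # the fix: queued compilations are traced too
                builder.trace(mark)
        while worklist:
            for edge in worklist.pop().edges:
                mark(edge)

        swept = [c for c in self.cells if id(c) not in marked]
        for cell in swept:
            cell.swept = True              # the real heap overwrites the cell with a fill byte
        self.cells = [c for c in self.cells if id(c) in marked]
        return swept

    def check_heap(self) -> list[str]:
        """Post-GC heap check: live cells whose traced edges point at swept cells."""
        return [f"{c.kind}:{c.name} -> {e.kind}:{e.name} (swept)"
                for c in self.cells for e in c.edges if e.swept]


def run_scenario(trace_pending: bool) -> list[str]:
    """Queue a compilation, let a GC slice run before it is linked, link it, check."""
    heap = Heap()
    group = heap.alloc("ObjectGroup", "G")
    heap.roots.append(group)                 # the group itself stays reachable
    atom = heap.alloc("Atom", "foo")         # referenced only by the queued compilation
    heap.pending.append(PendingBuilder(group, atom))

    heap.collect(trace_pending)              # GC slice before the lazy link
    heap.pending.pop().link()                # compilation finishes: pointer stored in the group
    heap.collect(trace_pending)              # next slice walks the group's property ids
    return heap.check_heap()


if __name__ == "__main__":
    print("untraced builders:", run_scenario(trace_pending=False))
    print("traced builders:  ", run_scenario(trace_pending=True))
```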
Jan said he would write a patch for this so clearing my needinfo.
Flags: needinfo?(jcoppeard)
Assignee: nobody → jdemooij
Flags: needinfo?(nihsanullah)
Probably too late for 49 but please do mark it as affected once you find the regression range
How far back does this issue go? What releases are affected?
Attached patch bug1295039 (Splinter Review)
Is this what you had in mind? I verified that this fixes the crash in comment 5.
Attachment #8793712 - Flags: review?(jdemooij)
Comment on attachment 8793712 [details] [diff] [review] bug1295039

Yeah but we also have to trace the compilations that are in progress. The patch in bug 1301343 fixes this as well, so I'd prefer just landing that.
Attachment #8793712 - Flags: review?(jdemooij)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Mark 51 fixed as bug 1301343 was fixed.
Group: javascript-core-security