Assertion failure: AtomIsMarked(zoneFromAnyThread(), v), at js/src/vm/NativeObject.h:844

VERIFIED FIXED in Firefox 54

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 11 months ago
Modified: 8 months ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 6 keywords)

Version: Trunk
Target Milestone: mozilla54
Platform: x86_64 Linux
Keywords: assertion, csectype-uaf, jsbugmon, regression, sec-high, testcase
Points: ---

Firefox Tracking Flags

(firefox-esr45 unaffected, firefox52 unaffected, firefox-esr52 unaffected, firefox53 unaffected, firefox54+ verified)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

Description (Reporter, 11 months ago)

The following testcase crashes on mozilla-central revision 9c06e744b1be (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

var g = newGlobal();
var b = g.eval(`
var b = /foo2/;
Object.defineProperty(b, "source", { get: () => {}});
`);
new RegExp(b).source;
Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000046d328 in js::NativeObject::checkStoredValue (v=..., this=0x7ffff0697080) at js/src/vm/NativeObject.h:844
#0  0x000000000046d328 in js::NativeObject::checkStoredValue (v=..., this=0x7ffff0697080) at js/src/vm/NativeObject.h:844
#1  js::NativeObject::setSlot (this=0x7ffff0697080, slot=1, value=...) at js/src/vm/NativeObject.h:849
#2  0x0000000000b6c42d in js::RegExpObject::setSource (source=<optimized out>, this=0x7ffff0697080) at js/src/vm/RegExpObject.h:461
#3  js::RegExpObject::initIgnoringLastIndex (this=this@entry=0x7ffff0697080, source=..., flags=flags@entry=js::NoFlags) at js/src/vm/RegExpObject.cpp:311
#4  0x0000000000b6d085 in js::RegExpObject::initAndZeroLastIndex (this=0x7ffff0697080, source=..., source@entry=..., flags=flags@entry=js::NoFlags, cx=cx@entry=0x7ffff695e000) at js/src/vm/RegExpObject.cpp:318
#5  0x0000000000f1ad3b in js::regexp_construct (cx=cx@entry=0x7ffff695e000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/RegExp.cpp:477
#6  0x0000000000535d09 in js::CallJSNative (cx=cx@entry=0x7ffff695e000, native=native@entry=0xf1a610 <js::regexp_construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:262
#7  0x000000000053a347 in js::CallJSNativeConstructor (cx=cx@entry=0x7ffff695e000, native=0xf1a610 <js::regexp_construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:295
#8  0x000000000053209f in InternalConstruct (cx=0x7ffff695e000, args=...) at js/src/vm/Interpreter.cpp:551
[...]
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7975
rax	0x0	0
rbx	0x7ffff0697080	140737226829952
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffca40	140737488341568
rsp	0x7fffffffc990	140737488341392
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x1	1
r13	0x7fffffffca50	140737488341584
r14	0x7ffff06970b8	140737226830008
r15	0x1	1
rip	0x46d328 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1224>
=> 0x46d328 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1224>:	movl   $0x0,0x0
   0x46d333 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1235>:	ud2    
GC assertion, looks particularly bad to me in combination with the stack/test. Marking s-s.

Updated

11 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

11 months ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7311c06a7271
user:        Brian Hackett
date:        Mon Jan 30 06:31:47 2017 -0700
summary:     Bug 1324002 - Mark atoms separately in each zone, r=jonco,mccr8,peterv.

This iteration took 255.622 seconds to run.
Brian, is bug 1324002 a likely regressor?
Blocks: 1324002
Flags: needinfo?(bhackett1024)

Updated

11 months ago
Keywords: sec-high
[Tracking Requested - why for this release]:
status-firefox53: --- → unaffected
tracking-firefox54: --- → ?
Keywords: csectype-uaf
Comment 4 (Assignee, 11 months ago)

Created attachment 8833035 [details] [diff] [review]
patch

Bug 1324002 fixed one place where regexp sources cross zone boundaries without being marked, but there are others and this marking should really be at the point where we actually use AutoCompartment.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8833035 - Flags: review?(jcoppeard)
Comment 5 (Assignee, 11 months ago)

Comment on attachment 8833035 [details] [diff] [review]
patch

[Security approval request comment]
If not all supported branches, which bug introduced the flaw?

Bug 1324002.  This is a GC hazard in code that is new in the tree.
Attachment #8833035 - Flags: sec-approval?

Tracking 54+ for this sec high issue.
tracking-firefox54: ? → +

Comment on attachment 8833035 [details] [diff] [review]
patch

Trunk only bugs don't need sec-approval. I'm clearing the request. Just check it in.
Attachment #8833035 - Flags: sec-approval?

Updated

11 months ago
Attachment #8833035 - Flags: review?(jcoppeard) → review+

Comment 8

11 months ago
https://hg.mozilla.org/mozilla-central/rev/49a12a1d55a3
Status: NEW → RESOLVED
Last Resolved: 11 months ago
status-firefox54: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54

Updated

11 months ago
Status: RESOLVED → VERIFIED
status-firefox54: fixed → verified

Comment 9

11 months ago
JSBugMon: This bug has been automatically verified fixed.
status-firefox52: --- → unaffected

Updated

10 months ago
Group: javascript-core-security → core-security-release
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Group: core-security-release