Closed Bug 1335642 Opened 7 years ago Closed 7 years ago

Assertion failure: AtomIsMarked(zoneFromAnyThread(), v), at js/src/vm/NativeObject.h:844

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 + verified

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 9c06e744b1be (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

var g = newGlobal();
var b = g.eval(`
var b = /foo2/;
Object.defineProperty(b, "source", { get: () => {}});
`);
new RegExp(b).source;



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000046d328 in js::NativeObject::checkStoredValue (v=..., this=0x7ffff0697080) at js/src/vm/NativeObject.h:844
#0  0x000000000046d328 in js::NativeObject::checkStoredValue (v=..., this=0x7ffff0697080) at js/src/vm/NativeObject.h:844
#1  js::NativeObject::setSlot (this=0x7ffff0697080, slot=1, value=...) at js/src/vm/NativeObject.h:849
#2  0x0000000000b6c42d in js::RegExpObject::setSource (source=<optimized out>, this=0x7ffff0697080) at js/src/vm/RegExpObject.h:461
#3  js::RegExpObject::initIgnoringLastIndex (this=this@entry=0x7ffff0697080, source=..., flags=flags@entry=js::NoFlags) at js/src/vm/RegExpObject.cpp:311
#4  0x0000000000b6d085 in js::RegExpObject::initAndZeroLastIndex (this=0x7ffff0697080, source=..., source@entry=..., flags=flags@entry=js::NoFlags, cx=cx@entry=0x7ffff695e000) at js/src/vm/RegExpObject.cpp:318
#5  0x0000000000f1ad3b in js::regexp_construct (cx=cx@entry=0x7ffff695e000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/RegExp.cpp:477
#6  0x0000000000535d09 in js::CallJSNative (cx=cx@entry=0x7ffff695e000, native=native@entry=0xf1a610 <js::regexp_construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:262
#7  0x000000000053a347 in js::CallJSNativeConstructor (cx=cx@entry=0x7ffff695e000, native=0xf1a610 <js::regexp_construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:295
#8  0x000000000053209f in InternalConstruct (cx=0x7ffff695e000, args=...) at js/src/vm/Interpreter.cpp:551
[...]
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7975
rax	0x0	0
rbx	0x7ffff0697080	140737226829952
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffca40	140737488341568
rsp	0x7fffffffc990	140737488341392
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x1	1
r13	0x7fffffffca50	140737488341584
r14	0x7ffff06970b8	140737226830008
r15	0x1	1
rip	0x46d328 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1224>
=> 0x46d328 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1224>:	movl   $0x0,0x0
   0x46d333 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1235>:	ud2    



GC assertion, looks particularly bad to me in combination with the stack/test. Marking s-s.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7311c06a7271
user:        Brian Hackett
date:        Mon Jan 30 06:31:47 2017 -0700
summary:     Bug 1324002 - Mark atoms separately in each zone, r=jonco,mccr8,peterv.

This iteration took 255.622 seconds to run.
Brian, is bug 1324002 a likely regressor?
Blocks: 1324002
Flags: needinfo?(bhackett1024)
Keywords: sec-high
[Tracking Requested - why for this release]:
Attached patch patchSplinter Review
Bug 1324002 fixed one place where regexp sources cross zone boundaries without being marked, but there are others and this marking should really be at the point where we actually use AutoCompartment.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8833035 - Flags: review?(jcoppeard)
Comment on attachment 8833035 [details] [diff] [review]
patch

[Security approval request comment]
If not all supported branches, which bug introduced the flaw?

Bug 1324002.  This is a GC hazard in code that is new in the tree.
Attachment #8833035 - Flags: sec-approval?
Tracking 54+ for this sec high issue.
Comment on attachment 8833035 [details] [diff] [review]
patch

Trunk only bugs don't need sec-approval. I'm clearing the request. Just check it in.
Attachment #8833035 - Flags: sec-approval?
Attachment #8833035 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/49a12a1d55a3
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: