Closed
Bug 1335642
Opened 7 years ago
Closed 7 years ago
Assertion failure: AtomIsMarked(zoneFromAnyThread(), v), at js/src/vm/NativeObject.h:844
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED (target milestone: mozilla54)
Branch | Tracking | Status
---|---|---
firefox-esr45 | --- | unaffected
firefox52 | --- | unaffected
firefox-esr52 | --- | unaffected
firefox53 | --- | unaffected
firefox54 | + | verified
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Attachments (1 file)
patch, 1.81 KB, jonco: review+
The following testcase crashes on mozilla-central revision 9c06e744b1be (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

```js
// newGlobal() is a SpiderMonkey shell builtin: the regexp b is created in
// that other global, not in the one where `new RegExp(b)` below runs.
var g = newGlobal();
var b = g.eval(`
  var b = /foo2/;
  Object.defineProperty(b, "source", { get: () => {}});
`);
new RegExp(b).source;
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x000000000046d328 in js::NativeObject::checkStoredValue (v=..., this=0x7ffff0697080) at js/src/vm/NativeObject.h:844
#0  0x000000000046d328 in js::NativeObject::checkStoredValue (v=..., this=0x7ffff0697080) at js/src/vm/NativeObject.h:844
#1  js::NativeObject::setSlot (this=0x7ffff0697080, slot=1, value=...) at js/src/vm/NativeObject.h:849
#2  0x0000000000b6c42d in js::RegExpObject::setSource (source=<optimized out>, this=0x7ffff0697080) at js/src/vm/RegExpObject.h:461
#3  js::RegExpObject::initIgnoringLastIndex (this=this@entry=0x7ffff0697080, source=..., flags=flags@entry=js::NoFlags) at js/src/vm/RegExpObject.cpp:311
#4  0x0000000000b6d085 in js::RegExpObject::initAndZeroLastIndex (this=0x7ffff0697080, source=..., source@entry=..., flags=flags@entry=js::NoFlags, cx=cx@entry=0x7ffff695e000) at js/src/vm/RegExpObject.cpp:318
#5  0x0000000000f1ad3b in js::regexp_construct (cx=cx@entry=0x7ffff695e000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/RegExp.cpp:477
#6  0x0000000000535d09 in js::CallJSNative (cx=cx@entry=0x7ffff695e000, native=native@entry=0xf1a610 <js::regexp_construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:262
#7  0x000000000053a347 in js::CallJSNativeConstructor (cx=cx@entry=0x7ffff695e000, native=0xf1a610 <js::regexp_construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:295
#8  0x000000000053209f in InternalConstruct (cx=0x7ffff695e000, args=...) at js/src/vm/Interpreter.cpp:551
[...]
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7975

rax 0x0                 0
rbx 0x7ffff0697080      140737226829952
rcx 0x7ffff6c28a2d      140737333332525
rdx 0x0                 0
rsi 0x7ffff6ef7770      140737336276848
rdi 0x7ffff6ef6540      140737336272192
rbp 0x7fffffffca40      140737488341568
rsp 0x7fffffffc990      140737488341392
r8  0x7ffff6ef7770      140737336276848
r9  0x7ffff7fe4740      140737354024768
r10 0x58                88
r11 0x7ffff6b9f750      140737332770640
r12 0x1                 1
r13 0x7fffffffca50      140737488341584
r14 0x7ffff06970b8      140737226830008
r15 0x1                 1
rip 0x46d328 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1224>
=> 0x46d328 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1224>: movl $0x0,0x0
   0x46d333 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+1235>: ud2
```

GC assertion, looks particularly bad to me in combination with the stack/test. Marking s-s.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7311c06a7271
user: Brian Hackett
date: Mon Jan 30 06:31:47 2017 -0700
summary: Bug 1324002 - Mark atoms separately in each zone, r=jonco,mccr8,peterv.

This iteration took 255.622 seconds to run.
Brian, is bug 1324002 a likely regressor?
Blocks: 1324002
Flags: needinfo?(bhackett1024)
Comment 3•7 years ago
[Tracking Requested - why for this release]:
Comment 4 (Assignee)•7 years ago
Bug 1324002 fixed one place where regexp sources cross zone boundaries without being marked, but there are others and this marking should really be at the point where we actually use AutoCompartment.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8833035 - Flags: review?(jcoppeard)
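To make the hazard in Comment 4 concrete, here is an added toy model of the invariant behind the assertion, written for this page and not taken from SpiderMonkey or from the patch on this bug. It assumes simplified stand-ins: `Zone` keeps a per-zone set of marked atoms (the scheme bug 1324002 introduced), `AtomIsMarked` is the check that fired in `checkStoredValue`, `NewAtom` treats an atom as marked in the zone it was created in, and `AutoCompartment` optionally marks a carried atom in the zone being entered, which is the placement Comment 4 argues for. `ConstructRegExp` models `new RegExp(b)` running in one zone with a source atom owned by another.

```cpp
// Added illustration only (not SpiderMonkey's code): a model of per-zone
// atom marking and of the AtomIsMarked check. All names here are simplified
// stand-ins chosen for this example.
#include <cassert>
#include <deque>
#include <iostream>
#include <set>
#include <string>

struct Atom {
    std::string chars;   // one atom is shared by every zone in the runtime
};

// After bug 1324002 each zone records its own mark state for atoms, so the
// same atom can be marked in one zone and unmarked in another.
struct Zone {
    std::set<const Atom*> markedAtoms;
};

// Model of the check in NativeObject::checkStoredValue: an atom stored into
// an object must be marked in that object's zone.
bool AtomIsMarked(const Zone& zone, const Atom* atom) {
    return zone.markedAtoms.count(atom) != 0;
}

void MarkAtomInZone(Zone& zone, const Atom* atom) {
    zone.markedAtoms.insert(atom);
}

// Simplification: an atom created while running in a zone is marked there.
const Atom* NewAtom(Zone& zone, std::deque<Atom>& atoms, const std::string& chars) {
    atoms.push_back(Atom{chars});   // deque keeps element addresses stable
    const Atom* atom = &atoms.back();
    MarkAtomInZone(zone, atom);
    return atom;
}

struct RegExpObject {
    Zone* zone;
    const Atom* source = nullptr;

    // Returns false where a debug build of the engine would hit the assertion.
    bool setSource(const Atom* atom) {
        if (!AtomIsMarked(*zone, atom))
            return false;
        source = atom;
        return true;
    }
};

// RAII stand-in for entering another zone. `markAtoms` selects between the
// hazardous path (atom carried across unmarked) and marking on entry.
struct AutoCompartment {
    Zone& target;
    AutoCompartment(Zone& t, const Atom* carried, bool markAtoms) : target(t) {
        if (markAtoms)
            MarkAtomInZone(target, carried);
    }
};

// Models `new RegExp(b)` running in `target` with a source atom from another zone.
bool ConstructRegExp(Zone& target, const Atom* foreignSource, bool markOnEntry) {
    AutoCompartment ac(target, foreignSource, markOnEntry);
    RegExpObject obj{&target};
    return obj.setSource(foreignSource);
}

struct ScenarioResult {
    bool storeWithoutMarking;   // expected false: the assertion from the report
    bool storeWithMarking;      // expected true: marked when the zone is entered
};

// Two zones, as in the testcase: the zone of the global from newGlobal()
// where /foo2/ was created, and the zone where `new RegExp(b)` runs.
ScenarioResult RunCrossZoneScenario() {
    std::deque<Atom> atoms;
    Zone otherGlobalZone, constructorZone;
    const Atom* source = NewAtom(otherGlobalZone, atoms, "foo2");

    ScenarioResult r;
    r.storeWithoutMarking = ConstructRegExp(constructorZone, source, false);
    r.storeWithMarking = ConstructRegExp(constructorZone, source, true);
    return r;
}

int main() {
    ScenarioResult r = RunCrossZoneScenario();
    std::cout << "store without marking: " << (r.storeWithoutMarking ? "ok" : "assertion")
              << "\nstore with marking:    " << (r.storeWithMarking ? "ok" : "assertion") << "\n";
    return 0;
}
```

The order inside `RunCrossZoneScenario` matters: the unmarked store is attempted first, because once the atom has been marked in `constructorZone` the check passes for good, which is exactly why a single missed crossing is enough to leave a stale, unmarked atom behind a slot and why Comment 4 wants the marking tied to the point where the zone is entered rather than to individual call sites.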
Comment 5 (Assignee)•7 years ago
Comment on attachment 8833035 [details] [diff] [review]
patch

[Security approval request comment]
If not all supported branches, which bug introduced the flaw?
Bug 1324002. This is a GC hazard in code that is new in the tree.

Attachment #8833035 - Flags: sec-approval?
Comment 7•7 years ago
Comment on attachment 8833035 [details] [diff] [review]
patch

Trunk only bugs don't need sec-approval. I'm clearing the request. Just check it in.

Attachment #8833035 - Flags: sec-approval?
Updated•7 years ago
Attachment #8833035 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/49a12a1d55a3
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
Status: RESOLVED → VERIFIED
Comment 9•7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•7 years ago
status-firefox52: --- → unaffected
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Updated•7 years ago
Group: core-security-release