Closed Bug 1341033 Opened 3 years ago Closed 3 years ago

Assertion failure: rt->gc.atomMarking.atomIsMarked(compartment->zone(), cell), at js/src/jscntxtinlines.h:97

Categories

(Core :: JavaScript: GC, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- verified

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(7 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 47391e531350 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads --disable-oom-functions --ion-eager --ion-check-range-analysis --baseline-eager --ion-extra-checks):

function assert(mustBeTrue, message) {};
(function createHostObject(global) {
    var FunctionToString = global.Function.prototype.toString;
    var ReflectApply = global.Reflect.apply;
    var NewGlobal = global.newGlobal;
    global.$ = {
        createRealm() {
            // Build a second realm (shell newGlobal) and install the same host object there.
            var newGlobalObject = NewGlobal();
            var createHostObjectFn = ReflectApply(FunctionToString, createHostObject, []);
            newGlobalObject.Function(`${createHostObjectFn} createHostObject(this);`)();
            return newGlobalObject.$;
        },
        global,
    };
})(this);
var OSymbol = $.createRealm().global.Symbol;
// Symbol.for registers the symbol (with its description atom) from this realm.
var parent = Symbol.for([1, 2, 3]);
// keyFor from the other realm returns the description atom, which is not marked in that zone.
assert.e(OSymbol.keyFor(parent), 'parent');


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000535718 in js::CompartmentChecker::checkAtom (cell=<optimized out>, this=<optimized out>) at js/src/jscntxtinlines.h:97
#1  js::CompartmentChecker::check (symbol=<optimized out>, this=<optimized out>) at js/src/jscntxtinlines.h:112
#2  js::CompartmentChecker::check (this=0x7ffd2879e260, v=...) at js/src/jscntxtinlines.h:121
#3  0x0000000000535915 in js::CompartmentChecker::check<JS::Value> (handle=..., this=0x7ffd2879e260) at js/src/jscntxtinlines.h:88
#4  js::assertSameCompartmentDebugOnly<JS::MutableHandle<JS::Value> > (t1=..., cx=0x7fdbe2c71000) at js/src/jscntxtinlines.h:217
#5  js::CallJSNative (cx=cx@entry=0x7fdbe2c71000, native=0x8500c0 <js::SymbolObject::keyFor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:283
#6  0x000000000053087a in js::InternalCallOrConstruct (cx=cx@entry=0x7fdbe2c71000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:463
#7  0x0000000000530c06 in InternalCall (cx=cx@entry=0x7fdbe2c71000, args=...) at js/src/vm/Interpreter.cpp:508
#8  0x0000000000530d5e in js::Call (cx=cx@entry=0x7fdbe2c71000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:527
#9  0x0000000000a40e6c in js::Wrapper::call (this=this@entry=0x1f03fa0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fdbe2c71000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:165
#10 0x0000000000a2e5ea in js::CrossCompartmentWrapper::call (this=0x1f03fa0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fdbe2c71000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:351
#11 0x0000000000a35d43 in js::Proxy::call (cx=cx@entry=0x7fdbe2c71000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:421
#12 0x0000000000a35eee in js::proxy_Call (cx=0x7fdbe2c71000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:662
#13 0x00000000005357e8 in js::CallJSNative (cx=cx@entry=0x7fdbe2c71000, native=0xa35db0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:281
#14 0x0000000000530b1f in js::InternalCallOrConstruct (cx=cx@entry=0x7fdbe2c71000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:451
#15 0x0000000000530c06 in InternalCall (cx=cx@entry=0x7fdbe2c71000, args=...) at js/src/vm/Interpreter.cpp:508
#16 0x0000000000530d2a in js::CallFromStack (cx=cx@entry=0x7fdbe2c71000, args=...) at js/src/vm/Interpreter.cpp:514
#17 0x0000000000602c2e in js::jit::DoCallFallback (cx=0x7fdbe2c71000, frame=0x7ffd2879ec08, stub_=<optimized out>, argc=<optimized out>, vp=0x7ffd2879eba8, res=...) at js/src/jit/BaselineIC.cpp:2500
#18 0x00002084f9834c24 in ?? ()
[...]
#42 0x0000000000000000 in ?? ()
rip	0x535718 <js::CompartmentChecker::check(JS::Value const&)+376>
=> 0x535718 <js::CompartmentChecker::check(JS::Value const&)+376>:	movl   $0x0,0x0
   0x535723 <js::CompartmentChecker::check(JS::Value const&)+387>:	ud2    


Marking s-s because this is a compartment mismatch involving a GC assert.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7311c06a7271
user:        Brian Hackett
date:        Mon Jan 30 06:31:47 2017 -0700
summary:     Bug 1324002 - Mark atoms separately in each zone, r=jonco,mccr8,peterv.

This iteration took 0.696 seconds to run.
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review
SymbolObject::keyFor is returning the description for a symbol, which is not guaranteed to be marked in the current zone.  While keyFor() could mark the description, there's no guarantee the description is marked in any zone and it could already have been collected.  I think we need to make sure that if an atom is marked in a zone then all its children are marked in that zone as well.  The only place this is necessary is for symbol descriptions; JitCode atoms could have children too (though probably not) but they are traced in every GC and aren't a concern.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8839434 - Flags: review?(jcoppeard)
Attachment #8839434 - Flags: review?(jcoppeard) → review+
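As an added illustration (not code from this bug or from SpiderMonkey), a toy C++ model of the per-zone atom marking described in the comment above: marking a symbol in a zone without also marking its description child leaves keyFor handing back an atom that the caller's zone has not marked, which is the condition the checkAtom assertion catches, while marking children together with the symbol clears it. All type and function names here are assumptions of the model.

```cpp
#include <set>
#include <string>

// Atom-like GC cell: a plain atom (no child) or a symbol (child = description atom).
struct AtomCell {
    std::string chars;
    const AtomCell* description = nullptr;  // non-null only for symbols
};

// Each zone keeps its own set of marked atoms, a stand-in for the per-zone
// atom mark bitmap introduced by bug 1324002 (assumed structure, not SpiderMonkey's).
struct Zone {
    std::set<const AtomCell*> atomMarks;
    bool atomIsMarked(const AtomCell* cell) const { return atomMarks.count(cell) != 0; }
};

// Pre-fix behaviour: only the symbol itself gets a mark bit in the zone.
void markAtomWithoutChildren(Zone& zone, const AtomCell* cell) {
    zone.atomMarks.insert(cell);
}

// Post-fix behaviour: marking a symbol in a zone also marks its description child.
void markAtomWithChildren(Zone& zone, const AtomCell* cell) {
    zone.atomMarks.insert(cell);
    if (cell->description)
        zone.atomMarks.insert(cell->description);
}

// Model of SymbolObject::keyFor: hands the description back to the calling zone.
const AtomCell* keyFor(const AtomCell* symbol) { return symbol->description; }

// Model of CompartmentChecker::checkAtom: a value returned to a zone must already be
// marked there. Returns false where the debug build would hit the assertion.
bool compartmentCheckPasses(const Zone& callerZone, const AtomCell* returned) {
    return returned == nullptr || callerZone.atomIsMarked(returned);
}

// Shape of the reported testcase: a symbol registered in one realm, keyFor called
// from another zone. Returns true if the compartment check passes there.
bool keyForSurvivesCheck(bool markChildren) {
    AtomCell description;                 // constructed sample description atom
    description.chars = "1,2,3";
    AtomCell symbol;                      // the registered symbol
    symbol.description = &description;
    Zone otherRealmZone;
    if (markChildren)
        markAtomWithChildren(otherRealmZone, &symbol);
    else
        markAtomWithoutChildren(otherRealmZone, &symbol);
    return compartmentCheckPasses(otherRealmZone, keyFor(&symbol));
}
```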
Component: JavaScript Engine → JavaScript: GC
https://hg.mozilla.org/mozilla-central/rev/dfe978698167
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release