Closed
Bug 1341033
Opened 7 years ago
Closed 7 years ago
Assertion failure: rt->gc.atomMarking.atomIsMarked(compartment->zone(), cell), at js/src/jscntxtinlines.h:97
Categories: Core :: JavaScript: GC, defect
Tracking: VERIFIED FIXED, target milestone mozilla54
Version | Tracking | Status
---|---|---
firefox-esr45 | --- | unaffected
firefox51 | --- | unaffected
firefox52 | --- | unaffected
firefox53 | --- | unaffected
firefox54 | --- | verified
People: Reporter: decoder, Assigned: bhackett1024
Details: 6 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1.09 KB, jonco: review+
The following testcase crashes on mozilla-central revision 47391e531350 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads --disable-oom-functions --ion-eager --ion-check-range-analysis --baseline-eager --ion-extra-checks):

```js
function assert(mustBeTrue, message) {};

(function createHostObject(global) {
  var FunctionToString = global.Function.prototype.toString;
  var ReflectApply = global.Reflect.apply;
  // newGlobal is a SpiderMonkey shell builtin: it creates a fresh global in a
  // separate compartment, so calls into it go through cross-compartment wrappers.
  var NewGlobal = global.newGlobal;
  global.$ = {
    createRealm() {
      var newGlobalObject = NewGlobal();
      var createHostObjectFn = ReflectApply(FunctionToString, createHostObject, []);
      newGlobalObject.Function(`${createHostObjectFn} createHostObject(this);`)();
      return newGlobalObject.$;
    },
    global,
  };
})(this);

var OSymbol = $.createRealm().global.Symbol;
// The symbol is registered in this realm; keyFor is then called from the other
// realm through a cross-compartment wrapper, which trips the assertion.
var parent = Symbol.for([1, 2, 3]);
assert.e(OSymbol.keyFor(parent), 'parent');
```

Backtrace:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000535718 in js::CompartmentChecker::checkAtom (cell=<optimized out>, this=<optimized out>) at js/src/jscntxtinlines.h:97
#1  js::CompartmentChecker::check (symbol=<optimized out>, this=<optimized out>) at js/src/jscntxtinlines.h:112
#2  js::CompartmentChecker::check (this=0x7ffd2879e260, v=...) at js/src/jscntxtinlines.h:121
#3  0x0000000000535915 in js::CompartmentChecker::check<JS::Value> (handle=..., this=0x7ffd2879e260) at js/src/jscntxtinlines.h:88
#4  js::assertSameCompartmentDebugOnly<JS::MutableHandle<JS::Value> > (t1=..., cx=0x7fdbe2c71000) at js/src/jscntxtinlines.h:217
#5  js::CallJSNative (cx=cx@entry=0x7fdbe2c71000, native=0x8500c0 <js::SymbolObject::keyFor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:283
#6  0x000000000053087a in js::InternalCallOrConstruct (cx=cx@entry=0x7fdbe2c71000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:463
#7  0x0000000000530c06 in InternalCall (cx=cx@entry=0x7fdbe2c71000, args=...) at js/src/vm/Interpreter.cpp:508
#8  0x0000000000530d5e in js::Call (cx=cx@entry=0x7fdbe2c71000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:527
#9  0x0000000000a40e6c in js::Wrapper::call (this=this@entry=0x1f03fa0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fdbe2c71000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:165
#10 0x0000000000a2e5ea in js::CrossCompartmentWrapper::call (this=0x1f03fa0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fdbe2c71000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:351
#11 0x0000000000a35d43 in js::Proxy::call (cx=cx@entry=0x7fdbe2c71000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:421
#12 0x0000000000a35eee in js::proxy_Call (cx=0x7fdbe2c71000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:662
#13 0x00000000005357e8 in js::CallJSNative (cx=cx@entry=0x7fdbe2c71000, native=0xa35db0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:281
#14 0x0000000000530b1f in js::InternalCallOrConstruct (cx=cx@entry=0x7fdbe2c71000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:451
#15 0x0000000000530c06 in InternalCall (cx=cx@entry=0x7fdbe2c71000, args=...) at js/src/vm/Interpreter.cpp:508
#16 0x0000000000530d2a in js::CallFromStack (cx=cx@entry=0x7fdbe2c71000, args=...) at js/src/vm/Interpreter.cpp:514
#17 0x0000000000602c2e in js::jit::DoCallFallback (cx=0x7fdbe2c71000, frame=0x7ffd2879ec08, stub_=<optimized out>, argc=<optimized out>, vp=0x7ffd2879eba8, res=...) at js/src/jit/BaselineIC.cpp:2500
#18 0x00002084f9834c24 in ?? ()
[...]
#42 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fdbe42b1d00 140582402596096
rcx 0x7fdbe2f276fd 140582382106365
rdx 0x0 0
rsi 0x7fdbe31f6770 140582385051504
rdi 0x7fdbe31f5540 140582385046848
rbp 0x7ffd2879e240 140725282529856
rsp 0x7ffd2879e230 140725282529840
r8  0x7fdbe31f6770 140582385051504
r9  0x7fdbe4303740 140582402930496
r10 0x0 0
r11 0x0 0
r12 0x7ffd2879e260 140725282529888
r13 0x7ffd2879e260 140725282529888
r14 0x8500c0 8716480
r15 0x7ffd2879e490 140725282530448
rip 0x535718 <js::CompartmentChecker::check(JS::Value const&)+376>
=> 0x535718 <js::CompartmentChecker::check(JS::Value const&)+376>: movl $0x0,0x0
   0x535723 <js::CompartmentChecker::check(JS::Value const&)+387>: ud2
```

Marking s-s because this is a compartment mismatch involving a GC assert.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7311c06a7271
user: Brian Hackett
date: Mon Jan 30 06:31:47 2017 -0700
summary: Bug 1324002 - Mark atoms separately in each zone, r=jonco,mccr8,peterv.
This iteration took 0.696 seconds to run.
Updated•7 years ago
Flags: needinfo?(bhackett1024)
Comment 2 (Assignee)•7 years ago
SymbolObject::keyFor is returning the description for a symbol, which is not guaranteed to be marked in the current zone. While keyFor() could mark the description, there's no guarantee the description is marked in any zone and it could already have been collected. I think we need to make sure that if an atom is marked in a zone then all its children are marked in that zone as well. The only place this is necessary is for symbol descriptions; JitCode atoms could have children too (though probably not) but they are traced in every GC and aren't a concern.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8839434 - Flags: review?(jcoppeard)
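An added illustration of the invariant described in the comment above (not the attached patch and not SpiderMonkey's code): a toy model with two zones, a per-zone mark set standing in for the per-zone atom mark bitmaps, and a symbol atom whose child is its description atom. The names Runtime, Atom, markAtom, keyForPassesCheck and scenario are hypothetical.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

enum class Kind { String, Symbol };

// An atom; a Symbol atom's only child is its description atom (or none).
struct Atom {
    Kind kind;
    std::string text;
    const Atom* description;
};

// One mark set per zone, standing in for rt->gc.atomMarking's per-zone bitmaps.
struct Runtime {
    std::vector<std::set<const Atom*>> zoneMarks;
    explicit Runtime(size_t zones) : zoneMarks(zones) {}

    // The check behind the failing assertion: is this atom marked in this zone?
    bool atomIsMarked(size_t zone, const Atom* a) const {
        return zoneMarks[zone].count(a) != 0;
    }

    // markChildren=false models the state before the fix (only the atom itself
    // is marked); markChildren=true models the fix: if an atom is marked in a
    // zone, its children are marked in that zone as well.
    void markAtom(size_t zone, const Atom* a, bool markChildren) {
        zoneMarks[zone].insert(a);
        if (markChildren && a->kind == Kind::Symbol && a->description)
            zoneMarks[zone].insert(a->description);
    }
};

// Symbol.keyFor returns the description; the compartment checker then requires
// it to be marked in the calling zone. True iff that check would pass.
bool keyForPassesCheck(const Runtime& rt, size_t callerZone, const Atom* sym) {
    return rt.atomIsMarked(callerZone, sym->description);
}

// The testcase's shape: the symbol is registered from zone 0 and keyFor is
// reached from zone 1 through a cross-compartment wrapper. Both zones mark the
// symbol atom (atoms are shared), but only the fixed marking reaches its child.
bool scenario(bool withFix) {
    static const Atom desc{Kind::String, "parent", nullptr};  // constructed sample
    static const Atom sym{Kind::Symbol, "", &desc};
    Runtime rt(2);
    rt.markAtom(0, &sym, withFix);
    rt.markAtom(1, &sym, withFix);
    return keyForPassesCheck(rt, 1, &sym);
}
```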
Updated•7 years ago
Attachment #8839434 - Flags: review?(jcoppeard) → review+
Comment 3 (Assignee)•7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/dfe978698167
Updated•7 years ago
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox-esr45: --- → unaffected
Component: JavaScript Engine → JavaScript: GC
Keywords: csectype-uaf, sec-high
https://hg.mozilla.org/mozilla-central/rev/dfe978698167
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
Status: RESOLVED → VERIFIED
Comment 5•7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
Group: core-security-release