Closed Bug 1343876 Opened 3 years ago Closed 3 years ago

Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1262

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 1342101
Tracking Status: firefox53 --- fixed

People: Reporter: decoder, Unassigned

References: Blocks 1 open bug

Details: 5 keywords, Whiteboard: [jsbugmon:]

Attachments: 1 file

The following testcase crashes on mozilla-central revision e91de6fb2b3d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-extra-checks --baseline-eager --ion-offthread-compile=off):

See attachment.

Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  0x00000000004f93f8 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1262
#1  0x0000000000bdbfa3 in JSObject::zone (this=<optimized out>) at js/src/jsobj.h:302
#2  js::FunctionScope::Data::zone (this=0x7fffdafbae50) at js/src/vm/Scope.cpp:608
#3  js::GCManagedDeletePolicy<js::FunctionScope::Data>::operator() (ptr=0x7fffdafbae50, this=<optimized out>) at js/src/gc/Zone.h:889
#4  mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> >::reset (aPtr=0x0, this=<optimized out>) at dist/include/mozilla/UniquePtr.h:343
#5  mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> >::~UniquePtr (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/mozilla/UniquePtr.h:288
#6  js::DispatchWrapper<mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > >::~DispatchWrapper (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/js/RootingAPI.h:711
#7  JS::Rooted<mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > >::~Rooted (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/js/RootingAPI.h:790
#8  0x0000000000bd47e0 in js::FunctionScope::clone (cx=cx@entry=0x7fffdcd8a000, scope=scope@entry=..., fun=..., fun@entry=..., enclosing=..., enclosing@entry=...) at js/src/vm/Scope.cpp:700
#9  0x00000000009f7a95 in js::CloneScriptIntoFunction (cx=cx@entry=0x7fffdcd8a000, enclosingScope=enclosingScope@entry=..., fun=fun@entry=..., src=src@entry=...) at js/src/jsscript.cpp:3533
#10 0x0000000000bb1cae in JSRuntime::cloneSelfHostedFunctionScript (this=<optimized out>, cx=cx@entry=0x7fffdcd8a000, name=..., name@entry=..., targetFun=targetFun@entry=...) at js/src/vm/SelfHosting.cpp:3228
#11 0x0000000000987d1a in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7fffdcd8a000, fun=fun@entry=...) at js/src/jsfun.cpp:1509
#12 0x00000000004631cc in JSFunction::getOrCreateScript (cx=<optimized out>, fun=...) at js/src/jsfun.h:421
#13 0x0000000000536297 in js::InternalCallOrConstruct (cx=cx@entry=0x7fffdcd8a000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:451
#14 0x00000000005365f6 in InternalCall (cx=cx@entry=0x7fffdcd8a000, args=...) at js/src/vm/Interpreter.cpp:493
#15 0x000000000053674e in js::Call (cx=cx@entry=0x7fffdcd8a000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:512
#16 0x00000000009d6010 in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0x7fffdcd8a000) at js/src/vm/Interpreter.h:96
#17 MaybeCallMethod (cx=cx@entry=0x7fffdcd8a000, obj=..., obj@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:2982
#18 0x00000000009da7a5 in JS::OrdinaryToPrimitive (cx=cx@entry=0x7fffdcd8a000, obj=obj@entry=..., hint=hint@entry=JSTYPE_NUMBER, vp=..., vp@entry=...) at js/src/jsobj.cpp:3065
#19 0x00000000009dac95 in js::ToPrimitiveSlow (cx=cx@entry=0x7fffdcd8a000, preferredType=preferredType@entry=JSTYPE_NUMBER, vp=..., vp@entry=...) at js/src/jsobj.cpp:3113
#20 0x0000000000990fc2 in js::ToPrimitive (vp=..., preferredType=JSTYPE_NUMBER, cx=0x7fffdcd8a000) at js/src/jsobj.h:1063
#21 js::ToNumberSlow (cx=cx@entry=0x7fffdcd8a000, v_=..., out=out@entry=0x7fffdbdfd060) at js/src/jsnum.cpp:1584
#22 0x0000000000991a96 in js::ToInt32Slow (cx=cx@entry=0x7fffdcd8a000, v=..., out=out@entry=0x7fffdbdfd0dc) at js/src/jsnum.cpp:1718
#23 0x00000000005395b2 in JS::ToInt32 (cx=cx@entry=0x7fffdcd8a000, v=..., v@entry=..., out=out@entry=0x7fffdbdfd0dc) at dist/include/js/Conversions.h:167
#24 0x0000000000809232 in js::BitLsh (out=<synthetic pointer>, rhs=..., lhs=..., cx=0x7fffdcd8a000) at js/src/vm/Interpreter-inl.h:777
#25 js::jit::DoBinaryArithFallback (cx=0x7fffdcd8a000, payload=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:751
#26 0x0000188a95e10634 in ?? ()
[...]
#56 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff699b000	140737330655232
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffdbdfc840	140736882264128
rsp	0x7fffdbdfc830	140736882264112
r8	0x7ffff6ef7770	140737336276848
r9	0x7fffdbdff700	140736882276096
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffdbdfc8f0	140736882264304
r13	0x7fffdbdfca10	140736882264592
r14	0x7fffdbdfc910	140736882264336
r15	0x7fffdcd8a000	140736898572288
rip	0x4f93f8 <js::gc::TenuredCell::zone() const+344>
=> 0x4f93f8 <js::gc::TenuredCell::zone() const+344>:	movl   $0x0,0x0
   0x4f9403 <js::gc::TenuredCell::zone() const+355>:	ud2    
This is the same assert as bug 1342101 but I'm not sure if this is the same bug as the stacks seem to be different. The test also seems to be fairly stable compared to the other bug.
Attached file Testcase
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Keywords: sec-high
Yes this looks like bug 1342101.
Jan, should we mark this bug as a duplicate?
If not, please say why and mark it as a blocker. We'll wait until bug 1342101 is fixed and then retest.
Flags: needinfo?(jdemooij)
Yup this is the same issue as bug 1342101.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Duplicate of bug: 1342101
FF54 was fixed in bug 1342101. Mark 54 fixed here.
(In reply to Gerry Chang [:gchang] from comment #6)
> FF54 was fixed in bug 1342101. Mark 54 fixed here.

Actually, Firefox 53 was, not 54.
Group: javascript-core-security