Closed Bug 1364654 Opened 7 years ago Closed 7 years ago

crash: Assertion fauilure: ShellAllocationMetadataBuilder::build, at js/src/jscntxt.cpp:1504

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: kangyan91, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586 Steps to reproduce: The following testcase crashes on mozilla-central revision b043233ec04f. I build spiderMonkey with : cd js/src autoconf mkdir build_DBG.OBJ cd build_DBG.OBJ ../configure --enable-debug --disable-optimize make testcase.js : var propKeyEvaluated = false; var base = {}; var prop = { toString: function() { enableShellAllocationMetadataBuilder(!propKeyEvaluated); assertEq(byteSize(enableShellAllocationMetadataBuilder(prop + "function f(i) { i=i|0; for(;;) { if (i) { return i|0 } else { return i|0 } i = 1 } return i|0 } return f"))(3), 3); return ""; } }; var expr = function() { return 0; }; base[prop] >>= expr(); setSharedArrayBuffer(0, 0); Actual results: Assertion failure: [unhandlable oom] ShellAllocationMetadataBuilder::build, at /js/src/jscntxt.cpp:1504 Program received signal SIGSEGV, Segmentation fault. js::AutoEnterOOMUnsafeRegion::crash (this=<optimized out>, reason=0x0) at /js/src/jscntxt.cpp:1505 warning: Source file is more recent than executable. 1505 MOZ_CRASH(); backtrace: #0 0x0000000000e7ad4a in js::AutoEnterOOMUnsafeRegion::crash(char const*) (this=<optimized out>, reason=0x0) at /js/src/jscntxt.cpp:1505 #1 0x0000000000cda9a1 in ShellAllocationMetadataBuilder::build(JSContext*, JS::Handle<JSObject*>, js::AutoEnterOOMUnsafeRegion&) const (this=<optimized out>, cx=<optimized out>, oomUnsafe=...) at /js/src/builtin/TestingFunctions.cpp:1953 #2 0x0000000000e86562 in JSCompartment::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>) (this=0x7ffff6962800, cx=0x7ffff695d800, obj=...) at /js/src/jscompartment.cpp:1089 #3 0x0000000000f9e550 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) (cx=<optimized out>, obj=<optimized out>) at /js/src/jsobjinlines.h:313 #4 0x0000000000f9e550 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) (cx=0x7ffff6f6b9d0 <_IO_stdfile_2_lock>, kind=<optimized out>, heap=js::gc::TenuredHeap, shape=..., group=...) at /js/src/vm/NativeObject-inl.h:452 #5 0x0000000000fb5481 in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) (cx=0x7ffff695d800, group=..., kind=js::gc::OBJECT8, newKind=js::TenuredObject, initialShapeFlags=0) at /js/src/jsobj.cpp:677 #6 0x0000000000fb4b7e in js::NewObjectWithGivenTaggedProto(JSContext*, js::Class const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, unsigned int) (cx=0x7ffff695d800, clasp=0x2b4eca0 <js::SavedFrame::class_>, proto=..., allocKind=<optimized out>, newKind=js::TenuredObject, initialShapeFlags=0) at /js/src/jsobj.cpp:738 #7 0x0000000001361e8b in js::SavedFrame::create(JSContext*) (cx=0x7ffff695d800, newKind=js::TenuredObject, initialShapeFlags=0, clasp=<optimized out>, proto=...) at /js/src/jsobjinlines.h:543 #8 0x0000000001361e8b in js::SavedFrame::create(JSContext*) (newKind=js::TenuredObject, cx=<optimized out>, clasp=<optimized out>, proto=...) at /js/src/jsobjinlines.h:578 #9 0x0000000001361e8b in js::SavedFrame::create(JSContext*) (cx=0x7ffff695d800) at /js/src/vm/SavedStacks.cpp:532 #10 0x000000000136f26d in js::SavedStacks::getOrCreateSavedFrame(JSContext*, js::SavedFrame::HandleLookup) (cx=0x7ffff695d800, lookup=..., this=<optimized out>) at /js/src/vm/SavedStacks.cpp:1517 #11 0x000000000136f26d in js::SavedStacks::getOrCreateSavedFrame(JSContext*, js::SavedFrame::HandleLookup) (this=0x7ffff69628e8, cx=0x7ffff695d800, lookup=...) at /js/src/vm/SavedStacks.cpp:1504 #12 0x000000000136c3b5 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff69628e8, cx=0x7ffff695d800, iter=..., frame=..., capture=<unknown type in /home-ext2/ky/mozilla-latest/js/src/build/js/src/shell/js, CU 0x35cf9c8, DIE 0x36f48cc>) at /js/src/vm/SavedStacks.cpp:1410 #13 0x000000000136a9d3 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff69628e8, cx=0x7ffff695d800, frame=..., capture=<unknown type in /home-ext2/ky/mozilla-latest/js/src/build/js/src/shell/js, CU 0x35cf9c8, DIE 0x36f35c5>) at /js/src/vm/SavedStacks.cpp:1177 #14 0x0000000000e940c5 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) (cx=<optimized out>, stackp=..., capture=<optimized out>) at /js/src/jsapi.cpp:7084 #15 0x0000000000e940c5 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) (stack=..., cx=<optimized out>) at /js/src/jsexn.cpp:361 #16 0x0000000000e940c5 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) (cx=<optimized out>, reportp=0x7fffffefdda0, callback=<optimized out>, userRef=<optimized out>) at /js/src/jsexn.cpp:680 #17 0x0000000000e6ae25 in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) (callback=<optimized out>, userRef=0x0, cx=<optimized out>, reportp=<optimized out>) at /js/src/jscntxt.cpp:291 #18 0x0000000000e6ae25 in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) (cx=<optimized out>, flags=<optimized out>, callback=<optimized out>, userRef=0x0, errorNumber=<optimized out>, argumentsType=js::ArgumentsAreASCII, ap=0x2b72b00 <__afl_area_ptr>) at /js/src/jscntxt.cpp:890 #19 0x0000000000e36c3b in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) (cx=0x7ffff695d800, errorCallback=0xe36c50 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=116, ap=0x1e9f463 <.L.str.98>) at /js/src/jsapi.cpp:5775 #20 0x0000000000e36c3b in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) (cx=0x7ffff6f6a1c0 <_IO_2_1_stderr_>, errorCallback=0x0, userRef=0x2b74c80 <gMozCrashReason>, errorNumber=4160518016) at /js/src/jsapi.cpp:5765 #21 0x0000000000e763b2 in js::ReportOverRecursed(JSContext*, unsigned int) (maybecx=0x7ffff695d800, errorNumber=116) at /js/src/jscntxt.cpp:379 #22 0x00000000005fe127 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff695d800, limit=<optimized out>) at /js/src/jsfriendapi.h:1017 #23 0x00000000005fe127 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff695d800) at /js/src/jsfriendapi.h:1040 #24 0x00000000005fe127 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff695d800, state=...) at /js/src/vm/Interpreter.cpp:347 #25 0x000000000062507f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7ffff695d800, args=..., construct=<optimized out>) at /js/src/vm/Interpreter.cpp:473 #26 0x00000000006256eb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x7ffff6f6a1c0 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at /js/src/vm/Interpreter.cpp:519 #27 0x0000000000fcd4b5 in MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (thisObj=<optimized out>, rval=..., cx=<optimized out>, fval=...) at /js/src/vm/Interpreter.h:96 …………………… register info: rax 0x1e9f463 32109667 rbx 0x7fffffefc650 140737487291984 rcx 0x2b74c80 45567104 rdx 0x0 0 rsi 0x7ffff6f6b9d0 140737336752592 rdi 0x7ffff6f6a1c0 140737336746432 rbp 0x7fffffefca60 0x7fffffefca60 rsp 0x7fffffefc650 0x7fffffefc650 r8 0x7ffff7fc7780 140737353906048 r9 0x616c6c697a6f6d2f 7020105119445249327 r10 0x7fffffefc410 140737487291408 r11 0x7ffff6c18e20 140737333268000 r12 0x7ffff695d800 140737330403328 r13 0x2b72b00 45558528 r14 0x1eaeca9 32173225 r15 0xe44330 14959408 rip 0xe7ad4a 0xe7ad4a <js::AutoEnterOOMUnsafeRegion::crash(char const*)+114> eflags 0x10246 [ PF ZF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 $pc: => 0xe7ad4a <js::AutoEnterOOMUnsafeRegion::crash(char const*)+114>: movl $0x5e1,0x0 0xe7ad55 <js::AutoEnterOOMUnsafeRegion::crash(char const*)+125>: callq 0x485cd0 <abort()> 0xe7ad5a <MOZ_ReportAssertionFailure(char const*, char const*, int)>: push %rbp 0xe7ad5b <MOZ_ReportAssertionFailure(char const*, char const*, int)+1>: mov %rsp,%rbp 0xe7ad5e <MOZ_ReportAssertionFailure(char const*, char const*, int)+4>: push %r14 0xe7ad60 <MOZ_ReportAssertionFailure(char const*, char const*, int)+6>: push %rbx 0xe7ad61 <MOZ_ReportAssertionFailure(char const*, char const*, int)+7>: mov %rdi,%rbx 0xe7ad64 <MOZ_ReportAssertionFailure(char const*, char const*, int)+10>: mov %fs:0x0,%rax 0xe7ad6d <MOZ_ReportAssertionFailure(char const*, char const*, int)+19>: lea -0x8(%rax),%rax 0xe7ad74 <MOZ_ReportAssertionFailure(char const*, char const*, int)+26>: movslq (%rax),%rcx
Jim, is this something you could look at? Or fitzgen?
Flags: needinfo?(jimb)
This is an intentional crash because we detected a lack of memory. Not exploitable.
Group: core-security
Here's a shorter program that causes the same crash: enableShellAllocationMetadataBuilder(); var prop = { toString: function() { prop + "xxxxxxxxxxxxxxxxx"; } } prop + ""; Disappointing though it may be, there are certain conditions under which an OOM crash is correct behavior for SpiderMonkey. In particular, running out of memory during a call to the allocation metadata builder is fatal.
Flags: needinfo?(jimb)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.