Closed Bug 1435295 Opened 2 years ago Closed 2 years ago

Assertion failure: !unknownProperties(), at js/src/vm/TypeInference.cpp:2918 with OOM

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 841512e696b9 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

// oomTest runs the function repeatedly, injecting an allocation failure at a
// different point on each run.
oomTest(new Function(`function execOffThread(source) {
    offThreadCompileModule(source);  // parse the module on a helper thread
    return finishOffThreadModule();  // merge the helper thread's compartment into this one
}
b = execOffThread("[1, 2, 3]")
`));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ca0b68 in js::ObjectGroup::markUnknown (this=0x7ffff47db190, cx=cx@entry=0x7ffff5f16000) at js/src/vm/TypeInference.cpp:2918
#0  0x0000000000ca0b68 in js::ObjectGroup::markUnknown (this=0x7ffff47db190, cx=cx@entry=0x7ffff5f16000) at js/src/vm/TypeInference.cpp:2918
#1  0x0000000000a09182 in js::gc::GCRuntime::mergeCompartments (this=this@entry=0x7ffff5f1a780, source=0x7ffff5f4c800, target=target@entry=0x7ffff5f3d800) at js/src/jsgc.cpp:7938
#2  0x0000000000a0989e in js::gc::MergeCompartments (source=<optimized out>, target=target@entry=0x7ffff5f3d800) at js/src/jsgc.cpp:7870
#3  0x0000000000b96b53 in js::GlobalHelperThreadState::mergeParseTaskCompartment (this=this@entry=0x7ffff5f06400, cx=cx@entry=0x7ffff5f16000, parseTask=0x7ffff4871000, global=..., global@entry=..., dest=0x7ffff5f3d800) at js/src/vm/HelperThreads.cpp:1721
#4  0x0000000000ba7f0c in js::GlobalHelperThreadState::finishParseTask<js::GlobalHelperThreadState::finishParseTask(JSContext*, js::ParseTaskKind, void*)::<lambda(js::ParseTask*)>, void> (finishCallback=<optimized out>, token=0x1, kind=js::ParseTaskKind::Module, cx=0x7ffff5f16000, this=0x7ffff5f06400) at js/src/vm/HelperThreads.cpp:1565
#5  js::GlobalHelperThreadState::finishParseTask (this=0x7ffff5f06400, cx=cx@entry=0x7ffff5f16000, kind=kind@entry=js::ParseTaskKind::Module, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1605
#6  0x0000000000ba84bc in js::GlobalHelperThreadState::finishModuleParseTask (this=<optimized out>, cx=0x7ffff5f16000, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1687
#7  0x0000000000977e74 in JS::FinishOffThreadModule (cx=<optimized out>, token=<optimized out>) at js/src/jsapi.cpp:4353
#8  0x00000000004624b3 in FinishOffThreadModule (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4863
#9  0x000032f6e54cee71 in ?? ()
[...]
#13 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff4857000	140737295773696
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffba60	140737488337504
rsp	0x7fffffffb980	140737488337280
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7ffff47db190	140737295266192
r13	0x7ffff5f3d800	140737319786496
r14	0x7ffff5f16000	140737319624704
r15	0x7ffff4c90080	140737300201600
rip	0xca0b68 <js::ObjectGroup::markUnknown(JSContext*)+1112>
=> 0xca0b68 <js::ObjectGroup::markUnknown(JSContext*)+1112>:	movl   $0x0,0x0
   0xca0b73 <js::ObjectGroup::markUnknown(JSContext*)+1123>:	ud2


Marking s-s as a start because the unknownProperties assert can sometimes indicate a security problem.
Flags: needinfo?(jcoppeard)
Priority: -- → P1
I think we just need to check whether the object group has already been marked unknown here.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
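A constructed C++ model of the check proposed in the comment above, added here as an illustration and not SpiderMonkey code: ObjectGroup, mergeGroups and the OOM-retry sequence are simplified assumptions, and the model assumes an earlier attempt that failed part-way left some groups already marked unknown before the retry.

```cpp
#include <stdexcept>
#include <vector>

// Constructed model of an object group's "unknown properties" flag.
struct ObjectGroup {
    bool unknown = false;
    bool unknownProperties() const { return unknown; }
    // Models the engine's precondition !unknownProperties(): returns false
    // where the real assertion would fire, instead of aborting.
    bool markUnknown() {
        if (unknown) return false;
        unknown = true;
        return true;
    }
};

struct SimulatedOOM : std::runtime_error {
    SimulatedOOM() : std::runtime_error("simulated OOM") {}
};

// One merge pass over the source zone's groups. failAt >= 0 injects an
// allocation failure before that group, leaving the earlier groups already
// marked. guarded applies the fix's "already unknown?" check.
// Returns how many times the precondition was violated.
int mergeGroups(std::vector<ObjectGroup>& groups, int failAt, bool guarded) {
    int violations = 0;
    for (size_t i = 0; i < groups.size(); i++) {
        if (failAt >= 0 && static_cast<int>(i) == failAt) throw SimulatedOOM();
        if (guarded && groups[i].unknownProperties()) continue;
        if (!groups[i].markUnknown()) violations++;
    }
    return violations;
}

// What oomTest does in effect: run the operation, hit an injected OOM
// part-way, then run it again over the same partially-merged state.
// Returns the violation count observed on the retry.
int violationsOnRetry(int groupCount, int failAt, bool guarded) {
    std::vector<ObjectGroup> groups(groupCount);
    try {
        mergeGroups(groups, failAt, guarded);
    } catch (const SimulatedOOM&) {
        // first attempt abandoned, as under the fuzzer's OOM injection
    }
    return mergeGroups(groups, -1, guarded);
}

int main() {
    // Unguarded: groups 0 and 1 are marked twice; guarded: no violations.
    return (violationsOnRetry(4, 2, false) == 2 && violationsOnRetry(4, 2, true) == 0) ? 0 : 1;
}
```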
Attachment #8948443 - Flags: review?(jdemooij)
Comment on attachment 8948443 [details] [diff] [review]
bug1435295-merge-oom

Review of attachment 8948443 [details] [diff] [review]:
-----------------------------------------------------------------

Ah yes.
Attachment #8948443 - Flags: review?(jdemooij) → review+
This was caused by the patch in bug 1432794.
Blocks: 1432794
https://hg.mozilla.org/mozilla-central/rev/d8ad38aef886
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release