Closed Bug 1444894 Opened 4 years ago Closed 4 years ago

Assertion failure: zone->isGCSweepingOrCompacting(), at /src/mozilla-central/js/src/vm/TypeInference.cpp:4170

Categories: Core :: JavaScript: GC, defect, P3
Status: RESOLVED FIXED
Target Milestone: mozilla61
Tracking Status: firefox60 --- wontfix; firefox61 --- fixed
People: Reporter: Alex_Gaynor, Assigned: jorendorff
Keywords: oss-fuzz
Attachments: 3 files

(I'm not positive if this is security or not, but given that it's an assertion about GC state, better safe than sorry!)

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer.

Please note that they apply a 90-day disclose timeline to all bugs.

root@4076a5064934:/src/mozilla-central/js/src# /out/js --cpu-count=2 --disable-oom-functions --fuzzing-safe clusterfuzz-testcase-minimized-4784487490650112.js
Assertion failure: zone->isGCSweepingOrCompacting(), at /src/mozilla-central/js/src/vm/TypeInference.cpp:4170
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3213==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000283f7c5 bp 0x7ffceb77ff30 sp 0x7ffceb77fd80 T0)
==3213==The signal is caused by a WRITE memory access.
==3213==Hint: address points to the zero page.
    #0 0x283f7c4 in JSScript::setTypesGeneration(unsigned int) /src/mozilla-central/js/src/vm/JSScript.h:1531:9
    #1 0x283f7c4 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) /src/mozilla-central/js/src/vm/TypeInference.cpp:4416
    #2 0x282c3de in JSScript::types() /src/mozilla-central/js/src/vm/TypeInference-inl.h:1225:5
    #3 0x282c3de in js::TypeScript::ThisTypes(JSScript*) /src/mozilla-central/js/src/vm/TypeInference-inl.h:519
    #4 0x282c3de in JSScript::makeTypes(JSContext*) /src/mozilla-central/js/src/vm/TypeInference.cpp:3391
    #5 0x3827185 in JSScript::ensureHasTypes(JSContext*, js::AutoKeepTypeScripts&) /src/mozilla-central/js/src/vm/TypeInference-inl.h:1232:23
    #6 0x3827185 in js::jit::BaselineCompiler::compile() /src/mozilla-central/js/src/jit/BaselineCompiler.cpp:101
    #7 0xe860c9 in js::jit::BaselineCompile(JSContext*, JSScript*, bool) /src/mozilla-central/js/src/jit/BaselineJIT.cpp:255:36
    #8 0x192d6f1 in BaselineCompile(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/builtin/TestingFunctions.cpp:5117:32
    #9 0x9d26c4 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/vm/JSContext-inl.h:290:15
    #10 0x9d26c4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:468
    #11 0x9d4c2f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/mozilla-central/js/src/vm/Interpreter.cpp:536:10
    #12 0x1ec334f in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/mozilla-central/js/src/proxy/Wrapper.cpp:176:12
    #13 0x1e58c28 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/mozilla-central/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
    #14 0x1e8d982 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /src/mozilla-central/js/src/proxy/Proxy.cpp:510:21
    #15 0x1e93921 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/proxy/Proxy.cpp:769:12
    #16 0x9d2f09 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/vm/JSContext-inl.h:290:15
    #17 0x9d2f09 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:450
    #18 0x9ac2c3 in js::CallFromStack(JSContext*, JS::CallArgs const&) /src/mozilla-central/js/src/vm/Interpreter.cpp:523:12
    #19 0x9ac2c3 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:3086
    #20 0x99329a in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:418:12
    #21 0x9d8ef4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:701:15
    #22 0x9d9f0f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:733:12
    #23 0x1d7df92 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4730:12
    #24 0x1d7e4bd in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4763:12
    #25 0x6053c3 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:833:14
    #26 0x6053c3 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1277
    #27 0x57a960 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8547:14
    #28 0x57a960 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8939
    #29 0x57a960 in main /src/mozilla-central/js/src/shell/js.cpp:9410
    #30 0x7f7b225f182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x460d08 in _start (/out/js+0x460d08)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/mozilla-central/js/src/vm/JSScript.h:1531:9 in JSScript::setTypesGeneration(unsigned int)
==3213==ABORTING
Group: core-security → javascript-core-security
This calls baselineCompile, so my guess is it's shell-only, not sec-anything.
Further minimized:

    gc();
    newGlobal().baselineCompile();

:Alex_Gaynor, this bug isn't security-sensitive, so I'd like to open it. Is there anything in the report that we shouldn't disclose?
Flags: needinfo?(agaynor)
Missing AutoCompartment, derp.

<tcampbell> I really hope this isn't possible for the normal baseline mechanism...
<jorendorff> nah, you would normally only ever try to baseline-compile something you're already about to run
    ...or are compiling
    I'll add an assertion just in case, but I'm pretty sure this is just because of the new test function.
<tcampbell> Assertion would be good since the manifestation is scary TI GC bugs
Attachment #8958202 - Flags: review?(nicolas.b.pierron)
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Group: javascript-core-security
Comment on attachment 8958202 [details] [diff] [review]
Add a compartment assertion to js::BaselineCompile

Review of attachment 8958202 [details] [diff] [review]:
-----------------------------------------------------------------

I agree with Jason, this is very unlikely to be an existing security issue as Baseline code is only generated when we are running or entering the JS function, but after switching compartment.
Attachment #8958202 - Flags: review?(nicolas.b.pierron) → review+
(Re: issues making this public) Nope, for any OSS-Fuzz bug making the contents public ahead of their disclosure deadline is totally at our discretion.
Flags: needinfo?(agaynor)
Priority: -- → P3
Delta:
 - This patch wraps the AutoCompartment, such that String results are allocated
   within the same compartment as the caller. (jit-test/tests/basic/bug908915.js)
 - Add test case.
Attachment #8959518 - Flags: review?(jorendorff)
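The failure mode discussed above (a testing function compiling a script that belongs to a different compartment without first entering it) and the shape of the fix (an RAII compartment switch plus a check in the compile entry point), as an added illustration that is not SpiderMonkey code; the types Compartment, Context, Script and AutoCompartmentGuard are hypothetical stand-ins for the engine's real JSContext/AutoCompartment machinery, and BaselineCompileChecked returns false where the real js::BaselineCompile would assert:

```cpp
#include <cstddef>

// Hypothetical simplified model of compartment bookkeeping; not SpiderMonkey's types.
struct Compartment { const char* name; };

struct Script {
    Compartment* compartment;   // the compartment the script was created in
    bool compiled;
};

struct Context {
    Compartment* current;       // compartment the context has currently entered
};

// RAII guard in the spirit of AutoCompartment: enter a compartment for the
// duration of a scope and restore the previous one when the scope ends.
class AutoCompartmentGuard {
    Context* cx_;
    Compartment* saved_;
public:
    AutoCompartmentGuard(Context* cx, Compartment* target)
        : cx_(cx), saved_(cx->current) { cx_->current = target; }
    ~AutoCompartmentGuard() { cx_->current = saved_; }
};

// Stand-in for the compile entry point after the fix: refuse to proceed unless
// the caller has entered the script's compartment (the real code asserts here,
// which turns a latent cross-compartment allocation into a loud failure).
bool BaselineCompileChecked(Context* cx, Script* script) {
    if (cx->current != script->compartment)
        return false;           // caller did not switch compartment
    script->compiled = true;
    return true;
}

// Shell-style testing function as originally written: no compartment switch,
// so compiling newGlobal()'s script from the caller's compartment is caught.
bool TestingCompileUnguarded(Context* cx, Script* script) {
    return BaselineCompileChecked(cx, script);
}

// The same function with the fix applied: enter the target compartment first;
// the guard restores the caller's compartment on return.
bool TestingCompileGuarded(Context* cx, Script* script) {
    AutoCompartmentGuard ac(cx, script->compartment);
    return BaselineCompileChecked(cx, script);
}
```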
Comment on attachment 8959518 [details] [diff] [review]
Add a compartment assertion to js::BaselineCompile.

Review of attachment 8959518 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch. Thanks.

Our simple little builtin keeps getting uglier. :(
Attachment #8959518 - Flags: review?(jorendorff) → review+
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/92d4018c82ba
Add a compartment assertion to js::BaselineCompile. r=nbp,jorendorff
https://hg.mozilla.org/mozilla-central/rev/92d4018c82ba
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Blocks: 1440431