Bug 1444894 - Assertion failure: zone->isGCSweepingOrCompacting(), at /src/mozilla-central/js/src/vm/TypeInference.cpp:4170

Status: RESOLVED FIXED (Closed)
Opened 5 years ago; Closed 5 years ago
Product / Component: Core :: JavaScript: GC (defect, P3)
Target Milestone: mozilla61
Reporter: Alex_Gaynor; Assignee: jorendorff
Keywords: oss-fuzz

Attachments (3 files):
- 1.05 KB, application/x-javascript
- 1.95 KB, patch; nbp: review+
- 4.74 KB, patch; jorendorff: review+
Description (Alex_Gaynor, Reporter), 5 years ago:

(I'm not positive if this is security or not, but given that it's an assertion about GC state, better safe than sorry!)

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. Please note that they apply a 90-day disclosure timeline to all bugs.

root@4076a5064934:/src/mozilla-central/js/src# /out/js --cpu-count=2 --disable-oom-functions --fuzzing-safe clusterfuzz-testcase-minimized-4784487490650112.js
Assertion failure: zone->isGCSweepingOrCompacting(), at /src/mozilla-central/js/src/vm/TypeInference.cpp:4170
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3213==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000283f7c5 bp 0x7ffceb77ff30 sp 0x7ffceb77fd80 T0)
==3213==The signal is caused by a WRITE memory access.
==3213==Hint: address points to the zero page.
    #0 0x283f7c4 in JSScript::setTypesGeneration(unsigned int) /src/mozilla-central/js/src/vm/JSScript.h:1531:9
    #1 0x283f7c4 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) /src/mozilla-central/js/src/vm/TypeInference.cpp:4416
    #2 0x282c3de in JSScript::types() /src/mozilla-central/js/src/vm/TypeInference-inl.h:1225:5
    #3 0x282c3de in js::TypeScript::ThisTypes(JSScript*) /src/mozilla-central/js/src/vm/TypeInference-inl.h:519
    #4 0x282c3de in JSScript::makeTypes(JSContext*) /src/mozilla-central/js/src/vm/TypeInference.cpp:3391
    #5 0x3827185 in JSScript::ensureHasTypes(JSContext*, js::AutoKeepTypeScripts&) /src/mozilla-central/js/src/vm/TypeInference-inl.h:1232:23
    #6 0x3827185 in js::jit::BaselineCompiler::compile() /src/mozilla-central/js/src/jit/BaselineCompiler.cpp:101
    #7 0xe860c9 in js::jit::BaselineCompile(JSContext*, JSScript*, bool) /src/mozilla-central/js/src/jit/BaselineJIT.cpp:255:36
    #8 0x192d6f1 in BaselineCompile(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/builtin/TestingFunctions.cpp:5117:32
    #9 0x9d26c4 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/vm/JSContext-inl.h:290:15
    #10 0x9d26c4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:468
    #11 0x9d4c2f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/mozilla-central/js/src/vm/Interpreter.cpp:536:10
    #12 0x1ec334f in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/mozilla-central/js/src/proxy/Wrapper.cpp:176:12
    #13 0x1e58c28 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/mozilla-central/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
    #14 0x1e8d982 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /src/mozilla-central/js/src/proxy/Proxy.cpp:510:21
    #15 0x1e93921 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/proxy/Proxy.cpp:769:12
    #16 0x9d2f09 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/vm/JSContext-inl.h:290:15
    #17 0x9d2f09 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:450
    #18 0x9ac2c3 in js::CallFromStack(JSContext*, JS::CallArgs const&) /src/mozilla-central/js/src/vm/Interpreter.cpp:523:12
    #19 0x9ac2c3 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:3086
    #20 0x99329a in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:418:12
    #21 0x9d8ef4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:701:15
    #22 0x9d9f0f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:733:12
    #23 0x1d7df92 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4730:12
    #24 0x1d7e4bd in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4763:12
    #25 0x6053c3 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:833:14
    #26 0x6053c3 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1277
    #27 0x57a960 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8547:14
    #28 0x57a960 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8939
    #29 0x57a960 in main /src/mozilla-central/js/src/shell/js.cpp:9410
    #30 0x7f7b225f182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x460d08 in _start (/out/js+0x460d08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/mozilla-central/js/src/vm/JSScript.h:1531:9 in JSScript::setTypesGeneration(unsigned int)
==3213==ABORTING
Updated, 5 years ago:
Group: core-security → javascript-core-security
Comment 1 (jorendorff, Assignee), 5 years ago:

This calls baselineCompile, so my guess is it's shell-only, not sec-anything.
Comment 2 (jorendorff, Assignee), 5 years ago:

Further minimized:

    gc(); newGlobal().baselineCompile();

:Alex_Gaynor, this bug isn't security-sensitive, so I'd like to open it. Is there anything in the report that we shouldn't disclose?

Flags: needinfo?(agaynor)
Comment 3 (jorendorff, Assignee), 5 years ago:

Missing AutoCompartment, derp.

<tcampbell> I really hope this isn't possible for the normal baseline mechanism...
<jorendorff> nah, you would normally only ever try to baseline-compile something you're already about to run ...or are compiling

I'll add an assertion just in case, but I'm pretty sure this is just because of the new test function.

<tcampbell> Assertion would be good since the manifestation is scary TI GC bugs
Comment 4 (jorendorff, Assignee), 5 years ago:

Attachment #8958202 - Flags: review?(nicolas.b.pierron)
Updated, 5 years ago:
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED

Updated, 5 years ago:
Group: javascript-core-security
Comment 5, 5 years ago:

Comment on attachment 8958202 [details] [diff] [review]
Add a compartment assertion to js::BaselineCompile

Review of attachment 8958202 [details] [diff] [review]:
-----------------------------------------------------------------

I agree with Jason, this is very unlikely to be an existing security issue as Baseline code is only generated when we are running or entering the JS function, but after switching compartment.

Attachment #8958202 - Flags: review?(nicolas.b.pierron) → review+
Comment 6 (Alex_Gaynor, Reporter), 5 years ago:

(Re: issues making this public) Nope, for any OSS-Fuzz bug making the contents public ahead of their disclosure deadline is totally at our discretion.

Flags: needinfo?(agaynor)
Updated, 5 years ago:
Priority: -- → P3
Comment 7, 5 years ago:

Delta:
- This patch wraps the AutoCompartment, such that String results are allocated within the same compartment as the caller. (jit-test/tests/basic/bug908915.js)
- Add test case.

Attachment #8959518 - Flags: review?(jorendorff)
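The two points raised above (comment 3: the testing builtin compiled a script owned by another global without entering that global's compartment; comment 7: the AutoCompartment scope has to end before the result string is allocated, so the string lands in the caller's compartment) can be modelled outside the engine. The C++ below is an added illustration, not SpiderMonkey code: Compartment, Context, Script, Str, AutoCompartment, BaselineCompile, the two testingBaselineCompile_* functions and run() are simplified stand-ins whose names and shapes are assumptions made for this example, and the invariant that the real patch turns into an assertion is reported here as a return value so that the buggy path can be exercised without aborting.

```cpp
// Added model of the compartment-entry invariant behind bug 1444894.
// Not SpiderMonkey code: every type and function below is a simplified
// stand-in (an assumption for this example) for the engine construct of
// the same name.
#include <cstdio>
#include <string>

struct Compartment { const char* name; };

// The compartment the engine is currently "in"; the real JSContext tracks this.
struct Context { Compartment* current; };

struct Script {
    Compartment* owner;     // the compartment of the global that owns the script
    bool compiled = false;
};

// A GC-managed thing allocated while the context was in `home`. Handing it
// straight to another compartment is what the narrowed guard scope avoids.
struct Str {
    std::string text;
    Compartment* home;
};

// RAII guard modelled on js::AutoCompartment: enter `target`, restore on exit.
class AutoCompartment {
    Context& cx_;
    Compartment* saved_;
public:
    AutoCompartment(Context& cx, Compartment* target) : cx_(cx), saved_(cx.current) {
        cx_.current = target;
    }
    ~AutoCompartment() { cx_.current = saved_; }
};

// Stand-in for js::jit::BaselineCompile. The engine only reaches it from
// inside the script's compartment; the patch asserts exactly that. Here the
// violated invariant is reported as `false` instead of aborting.
bool BaselineCompile(Context& cx, Script& script) {
    if (cx.current != script.owner) return false;
    script.compiled = true;
    return true;
}

// Buggy shell builtin: compiles a script owned by another global (think
// newGlobal().baselineCompile()) without entering that global's compartment.
bool testingBaselineCompile_buggy(Context& cx, Script& script, Str* result) {
    bool ok = BaselineCompile(cx, script);
    *result = Str{ok ? "compiled" : "failed", cx.current};
    return ok;
}

// Fixed shell builtin: the guard covers only the compile, and the result
// string is allocated after the guard has restored the caller's compartment.
bool testingBaselineCompile_fixed(Context& cx, Script& script, Str* result) {
    bool ok;
    {
        AutoCompartment ac(cx, script.owner);
        ok = BaselineCompile(cx, script);
    }
    *result = Str{ok ? "compiled" : "failed", cx.current};
    return ok;
}

struct Outcome {
    bool ok;                   // did the compile run inside the script's compartment?
    bool resultInCaller;       // was the result allocated in the caller's compartment?
    bool compartmentRestored;  // is the context back where the caller left it?
};

// Constructed scenario matching the minimized test case: the caller sits in
// one compartment, the script belongs to a freshly created global in another.
Outcome run(bool fixed) {
    Compartment caller{"caller"};
    Compartment fresh{"newGlobal"};
    Context cx{&caller};
    Script script{&fresh};
    Str result{"", nullptr};
    bool ok = fixed ? testingBaselineCompile_fixed(cx, script, &result)
                    : testingBaselineCompile_buggy(cx, script, &result);
    return Outcome{ok, result.home == &caller, cx.current == &caller};
}

int main() {
    Outcome buggy = run(false), fixed = run(true);
    std::printf("buggy: ok=%d   fixed: ok=%d resultInCaller=%d restored=%d\n",
                buggy.ok, fixed.ok, fixed.resultInCaller, fixed.compartmentRestored);
    return 0;
}
```

The pattern generalizes beyond this one builtin: any debugging or testing entry point that accepts an object from another global has to enter that object's compartment before touching its GC-managed state (here the script's type information), and anything it returns to the caller has to be created after the guard has left again, otherwise the return value belongs to the wrong compartment.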
Comment 8 (jorendorff, Assignee), 5 years ago:

Comment on attachment 8959518 [details] [diff] [review]
Add a compartment assertion to js::BaselineCompile.

Review of attachment 8959518 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch. Thanks. Our simple little builtin keeps getting uglier. :(

Attachment #8959518 - Flags: review?(jorendorff) → review+
Comment 9, 5 years ago:

Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/92d4018c82ba
Add a compartment assertion to js::BaselineCompile. r=nbp,jorendorff
Comment 10 (bugherder), 5 years ago:

https://hg.mozilla.org/mozilla-central/rev/92d4018c82ba

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61