Closed
Bug 1456460
Opened 7 years ago
Closed 7 years ago
Assertion failure: !JS::CurrentThreadIsHeapMinorCollecting(), at mozilla-central/js/src/vm/TypeInference.cpp:4191
Categories: Core :: JavaScript: GC, defect
Status: RESOLVED DUPLICATE of bug 1455599

 | Tracking | Status
---|---|---
firefox61 | --- | affected

People: Reporter: Alex_Gaynor, Unassigned
Keywords: oss-fuzz
Attachments (1 file): 2.56 KB, application/x-javascript
This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker.
Please note that they apply a 90-day disclosure timeline to all bugs.
(I think this may be a dupe of bug 1455599, but I can't see it :-)
/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-aa=flow-sensitive /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-40.js
[Environment] ASAN_OPTIONS = redzone=1024:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
Assertion failure: !JS::CurrentThreadIsHeapMinorCollecting(), at mozilla-central/js/src/vm/TypeInference.cpp:4191
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000023cf0fb bp 0x7fffdaef6580 sp 0x7fffdaef6320 T0)
==3352==The signal is caused by a WRITE memory access.
==3352==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x23cf0fa in AssertGCStateForSweep(JS::Zone*) mozilla-central/js/src/vm/TypeInference.cpp:4187:5
#1 0x23cf0fa in js::ObjectGroup::sweep(js::AutoClearTypeInferenceStateOnOOM*) mozilla-central/js/src/vm/TypeInference.cpp:4332
#2 0x74d84b in js::ObjectGroup::maybeSweep(js::AutoClearTypeInferenceStateOnOOM*) mozilla-central/js/src/vm/ObjectGroup-inl.h:27:9
#3 0x74d84b in js::ObjectGroup::flags() mozilla-central/js/src/vm/ObjectGroup-inl.h:33
#4 0x74d84b in js::ObjectGroup::unknownProperties() mozilla-central/js/src/vm/ObjectGroup-inl.h:68
#5 0x2d0ccc6 in js::ObjectGroup::canPreTenure() mozilla-central/js/src/vm/ObjectGroup-inl.h:82:13
#6 0x2d0ccc6 in js::Nursery::collect(JS::gcreason::Reason) mozilla-central/js/src/gc/Nursery.cpp:758
#7 0x2c07cca in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) mozilla-central/js/src/gc/GC.cpp:7826:15
#8 0x2b808d0 in js::gc::GCRuntime::gcIfRequested() mozilla-central/js/src/gc/GC.cpp:7871:9
#9 0x21e65be in InvokeInterruptCallback(JSContext*) mozilla-central/js/src/vm/Runtime.cpp:433:23
#10 0x21e65be in JSContext::handleInterrupt() mozilla-central/js/src/vm/Runtime.cpp:525
#6 0x1a61813eca15 (<unknown module>)
#7 0x1a61813e3ab6 (<unknown module>)
#11 0xd508ae in EnterBaseline(JSContext*, js::jit::EnterJitData&) mozilla-central/js/src/jit/BaselineJIT.cpp:149:9
#12 0xd508ae in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) mozilla-central/js/src/jit/BaselineJIT.cpp:226
#13 0x9ce346 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:2037:28
#14 0x9a5af0 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:417:12
#15 0x9e3f03 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:700:15
#16 0xa91171 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/builtin/Eval.cpp:322:12
#17 0xa9364e in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) mozilla-central/js/src/builtin/Eval.cpp:433:12
#18 0xd1f98e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2364:14
#15 0x1a61813fa59b (<unknown module>)
#16 0x6210002e8417 (<unknown module>)
#17 0x1a618141ead0 (<unknown module>)
#18 0x6210002d556f (<unknown module>)
#19 0x1a61813e3ab6 (<unknown module>)
#19 0xd508ae in EnterBaseline(JSContext*, js::jit::EnterJitData&) mozilla-central/js/src/jit/BaselineJIT.cpp:149:9
#20 0xd508ae in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) mozilla-central/js/src/jit/BaselineJIT.cpp:226
#21 0x9ce346 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:2037:28
#22 0x9a5af0 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:417:12
#23 0x9e3f03 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:700:15
#24 0x9e4dab in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:732:12
#25 0x1a97e91 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) mozilla-central/js/src/jsapi.cpp:4688:12
#26 0x1a982cf in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) mozilla-central/js/src/jsapi.cpp:4721:12
#27 0x5f0cfd in RunFile(JSContext*, char const*, _IO_FILE*, bool) mozilla-central/js/src/shell/js.cpp:836:14
#28 0x5f0cfd in Process(JSContext*, char const*, bool, FileKind) mozilla-central/js/src/shell/js.cpp:1280
#29 0x581c52 in ProcessArgs(JSContext*, js::cli::OptionParser*) mozilla-central/js/src/shell/js.cpp:8364:14
#30 0x581c52 in Shell(JSContext*, js::cli::OptionParser*, char**) mozilla-central/js/src/shell/js.cpp:8764
#31 0x581c52 in main mozilla-central/js/src/shell/js.cpp:9234
#32 0x7f86fb91f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x23cf0fa)
==3352==ABORTING
Updated 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated 4 years ago
Group: core-security