Closed Bug 1456460 Opened 7 years ago Closed 7 years ago

Assertion failure: !JS::CurrentThreadIsHeapMinorCollecting(), at mozilla-central/js/src/vm/TypeInference.cpp:4191

Categories

(Core :: JavaScript: GC, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1455599
Tracking Status
firefox61 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

Details

(Keywords: oss-fuzz)

Attachments

(1 file)

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker. Please note that they apply a 90-day disclosure timeline to all bugs. (I think this may be a dupe of bug 1455599, but I can't see it :-)

/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-aa=flow-sensitive /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-40.js

[Environment]
ASAN_OPTIONS = redzone=1024:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1

Assertion failure: !JS::CurrentThreadIsHeapMinorCollecting(), at mozilla-central/js/src/vm/TypeInference.cpp:4191
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000023cf0fb bp 0x7fffdaef6580 sp 0x7fffdaef6320 T0)
==3352==The signal is caused by a WRITE memory access.
==3352==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x23cf0fa in AssertGCStateForSweep(JS::Zone*) mozilla-central/js/src/vm/TypeInference.cpp:4187:5
    #1 0x23cf0fa in js::ObjectGroup::sweep(js::AutoClearTypeInferenceStateOnOOM*) mozilla-central/js/src/vm/TypeInference.cpp:4332
    #2 0x74d84b in js::ObjectGroup::maybeSweep(js::AutoClearTypeInferenceStateOnOOM*) mozilla-central/js/src/vm/ObjectGroup-inl.h:27:9
    #3 0x74d84b in js::ObjectGroup::flags() mozilla-central/js/src/vm/ObjectGroup-inl.h:33
    #4 0x74d84b in js::ObjectGroup::unknownProperties() mozilla-central/js/src/vm/ObjectGroup-inl.h:68
    #5 0x2d0ccc6 in js::ObjectGroup::canPreTenure() mozilla-central/js/src/vm/ObjectGroup-inl.h:82:13
    #6 0x2d0ccc6 in js::Nursery::collect(JS::gcreason::Reason) mozilla-central/js/src/gc/Nursery.cpp:758
    #7 0x2c07cca in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) mozilla-central/js/src/gc/GC.cpp:7826:15
    #8 0x2b808d0 in js::gc::GCRuntime::gcIfRequested() mozilla-central/js/src/gc/GC.cpp:7871:9
    #9 0x21e65be in InvokeInterruptCallback(JSContext*) mozilla-central/js/src/vm/Runtime.cpp:433:23
    #10 0x21e65be in JSContext::handleInterrupt() mozilla-central/js/src/vm/Runtime.cpp:525
    #6 0x1a61813eca15 (<unknown module>)
    #7 0x1a61813e3ab6 (<unknown module>)
    #11 0xd508ae in EnterBaseline(JSContext*, js::jit::EnterJitData&) mozilla-central/js/src/jit/BaselineJIT.cpp:149:9
    #12 0xd508ae in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) mozilla-central/js/src/jit/BaselineJIT.cpp:226
    #13 0x9ce346 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:2037:28
    #14 0x9a5af0 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:417:12
    #15 0x9e3f03 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:700:15
    #16 0xa91171 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/builtin/Eval.cpp:322:12
    #17 0xa9364e in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) mozilla-central/js/src/builtin/Eval.cpp:433:12
    #18 0xd1f98e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2364:14
    #15 0x1a61813fa59b (<unknown module>)
    #16 0x6210002e8417 (<unknown module>)
    #17 0x1a618141ead0 (<unknown module>)
    #18 0x6210002d556f (<unknown module>)
    #19 0x1a61813e3ab6 (<unknown module>)
    #19 0xd508ae in EnterBaseline(JSContext*, js::jit::EnterJitData&) mozilla-central/js/src/jit/BaselineJIT.cpp:149:9
    #20 0xd508ae in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) mozilla-central/js/src/jit/BaselineJIT.cpp:226
    #21 0x9ce346 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:2037:28
    #22 0x9a5af0 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:417:12
    #23 0x9e3f03 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:700:15
    #24 0x9e4dab in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:732:12
    #25 0x1a97e91 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) mozilla-central/js/src/jsapi.cpp:4688:12
    #26 0x1a982cf in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) mozilla-central/js/src/jsapi.cpp:4721:12
    #27 0x5f0cfd in RunFile(JSContext*, char const*, _IO_FILE*, bool) mozilla-central/js/src/shell/js.cpp:836:14
    #28 0x5f0cfd in Process(JSContext*, char const*, bool, FileKind) mozilla-central/js/src/shell/js.cpp:1280
    #29 0x581c52 in ProcessArgs(JSContext*, js::cli::OptionParser*) mozilla-central/js/src/shell/js.cpp:8364:14
    #30 0x581c52 in Shell(JSContext*, js::cli::OptionParser*, char**) mozilla-central/js/src/shell/js.cpp:8764
    #31 0x581c52 in main mozilla-central/js/src/shell/js.cpp:9234
    #32 0x7f86fb91f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x23cf0fa)
==3352==ABORTING
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: core-security