Closed Bug 1463421 Opened 6 years ago Closed 6 years ago

Assertion failure: !JS::CurrentThreadIsHeapCollecting(), at mozilla-central/js/src/gc/Marking.cpp:3650

Categories

(Core :: JavaScript: GC, defect)

Priority: Not set
Severity: normal

Tracking


RESOLVED DUPLICATE of bug 1456512
Tracking Status
firefox62 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

Details

(Keywords: oss-fuzz)

Attachments

(1 file)

Found by Google's OSS-Fuzz, therefore has a 90 day disclosure deadline.

Marking as s-s because GC asserts scare me :-)

[Environment] ASAN_OPTIONS = redzone=64:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1

/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-extra-checks /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js

/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js:8:9 TypeError: ({}) is not a function
	Stack:
	__f_252@/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js:8:9
	@/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js:7:13
	Assertion failure: !JS::CurrentThreadIsHeapCollecting(), at mozilla-central/js/src/gc/Marking.cpp:3650
	AddressSanitizer:DEADLYSIGNAL
	=================================================================
	==23980==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002d11c09 bp 0x7fff4a64c570 sp 0x7fff4a64c550 T0)
	==23980==The signal is caused by a WRITE memory access.
	==23980==Hint: address points to the zero page.
	SCARINESS: 10 (null-deref)
	#0 0x2d11c08 in std::__1::__atomic_base<unsigned long, false>::load(std::__1::memory_order) const /usr/local/include/c++/v1/atomic:926:17
	#1 0x2d11c08 in mozilla::detail::IntrinsicMemoryOps<unsigned long, (mozilla::MemoryOrdering)2>::load(std::__1::atomic<unsigned long> const&) mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/Atomics.h:196
	#2 0x2d11c08 in mozilla::detail::AtomicBaseIncDec<unsigned long, (mozilla::MemoryOrdering)2>::operator unsigned long() const mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/Atomics.h:369
	#3 0x2d11c08 in js::ProtectedData<js::CheckUnprotected, js::gcstats::Statistics>::ref() mozilla-central/js/src/threading/ProtectedData.h:102
	#4 0x2d11c08 in js::gc::GCRuntime::stats() mozilla-central/js/src/gc/GCRuntime.h:668
	#5 0x2d11c08 in JS::UnmarkGrayGCThingRecursively(JS::GCCellPtr) mozilla-central/js/src/gc/Marking.cpp:3654
	#6 0x76fcc2 in js::gc::TenuredCell::readBarrier(js::gc::TenuredCell*) mozilla-central/js/src/gc/Cell.h:397:13
	#7 0x22f52f8 in js::InternalBarrierMethods<js::UnownedBaseShape*>::readBarrier(js::UnownedBaseShape*) mozilla-central/js/src/gc/Barrier.h:269:37
	#8 0x22f52f8 in js::ReadBarrieredBase<js::UnownedBaseShape*>::read() const mozilla-central/js/src/gc/Barrier.h:593
	#9 0x22f52f8 in js::ReadBarriered<js::UnownedBaseShape*>::get() const mozilla-central/js/src/gc/Barrier.h:649
	#10 0x22f52f8 in js::ReadBarriered<js::UnownedBaseShape*>::operator js::UnownedBaseShape* const&() const mozilla-central/js/src/gc/Barrier.h:661
	#11 0x22f52f8 in JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::UnownedBaseShape*>, js::StackBaseShape, js::SystemAllocPolicy> >::entryNeedsSweep(js::ReadBarriered<js::UnownedBaseShape*> const&) mozilla-central/js/src/build_DBG.OBJ/dist/include/js/GCHashTable.h:641
	#12 0x22f904b in JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::UnownedBaseShape*>, js::StackBaseShape, js::SystemAllocPolicy> >::Range::settle() mozilla-central/js/src/build_DBG.OBJ/dist/include/js/GCHashTable.h:671:32
	#13 0x226655f in JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::UnownedBaseShape*>, js::StackBaseShape, js::SystemAllocPolicy> >::Range::popFront() mozilla-central/js/src/build_DBG.OBJ/dist/include/js/GCHashTable.h:664:13
	#14 0x226655f in JS::Zone::checkBaseShapeTableAfterMovingGC() mozilla-central/js/src/vm/Shape.cpp:1519
	#15 0x2c09137 in js::gc::CheckHashTablesAfterMovingGC(JSRuntime*) mozilla-central/js/src/gc/GC.cpp:8466:15
	#16 0x2d2237d in js::Nursery::doCollection(JS::gcreason::Reason, js::gc::TenureCountCache&) mozilla-central/js/src/gc/Nursery.cpp:948:9
	#17 0x2d1d8d7 in js::Nursery::collect(JS::gcreason::Reason) mozilla-central/js/src/gc/Nursery.cpp:738:9
	#18 0x2c17406 in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) mozilla-central/js/src/gc/GC.cpp:7827:15
	#19 0x2c159b5 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) mozilla-central/js/src/gc/GC.cpp:7430:5
	#20 0x2c1a6e5 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) mozilla-central/js/src/gc/GC.cpp:7621:25
	#21 0x2b8fca1 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) mozilla-central/js/src/gc/GC.cpp:7691:5
	#22 0x21f45bc in JSRuntime::destroyRuntime() mozilla-central/js/src/vm/Runtime.cpp:313:12
	#23 0x1fba8dc in js::DestroyContext(JSContext*) mozilla-central/js/src/vm/JSContext.cpp:201:20
	#24 0x587da6 in main mozilla-central/js/src/shell/js.cpp:9350:5
	#25 0x7f9cf40a682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
	
	AddressSanitizer can not provide additional info.
	SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x2d11c08)
	==23980==ABORTING
Group: core-security → javascript-core-security
Jon, do you know who could take a look at this? (Note that there's a disclosure deadline here.)
Flags: needinfo?(jcoppeard)
Attachment #8979540 - Attachment mime type: application/x-javascript → text/plain
The test case seems to involve gray marking a weak map, so maybe this is more up Steve's alley:

// Fuzzer-generated test case (shell-only helpers: grayRoot() and gczeal()).
var __v_1173 = new WeakMap();
// Hang the weak map off an object reachable only through a gray root.
grayRoot().map = __v_1173;
__v_1173 = null;
// Zeal mode 13 checks internal hash tables on every minor GC
// (see CheckHashTablesAfterMovingGC in the stack above); 7 is the frequency.
gczeal(13, 7);
// isNaN() with no argument returns true, so this branch is never taken.
if (!isNaN()) {
}
// Calling a plain object throws the TypeError seen in the log; the GC
// assertion fires later, during runtime teardown.
(function __f_252() {
  ({})();
})();
Flags: needinfo?(jcoppeard) → needinfo?(sphink)
Fixed in bug 1456512. I think this argues for a backport.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE
Group: javascript-core-security