Bug 1463421 (Closed)
Opened 6 years ago
Closed 6 years ago
Assertion failure: !JS::CurrentThreadIsHeapCollecting(), at mozilla-central/js/src/gc/Marking.cpp:3650
Categories: Core :: JavaScript: GC, defect
Status: RESOLVED DUPLICATE of bug 1456512

Tracking | Status | |
---|---|---|
firefox62 | --- | affected |

People: Reporter: Alex_Gaynor, Unassigned
Keywords: oss-fuzz
Attachments (1 file): 165 bytes, text/plain
Found by Google's OSS-Fuzz, therefore has a 90 day disclosure deadline. Marking as s-s because GC asserts scare me :-)

[Environment] ASAN_OPTIONS = redzone=64:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1

/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-extra-checks /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js

/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js:8:9 TypeError: ({}) is not a function
Stack:
  __f_252@/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js:8:9
  @/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-11.js:7:13
Assertion failure: !JS::CurrentThreadIsHeapCollecting(), at mozilla-central/js/src/gc/Marking.cpp:3650
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23980==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002d11c09 bp 0x7fff4a64c570 sp 0x7fff4a64c550 T0)
==23980==The signal is caused by a WRITE memory access.
==23980==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x2d11c08 in std::__1::__atomic_base<unsigned long, false>::load(std::__1::memory_order) const /usr/local/include/c++/v1/atomic:926:17
    #1 0x2d11c08 in mozilla::detail::IntrinsicMemoryOps<unsigned long, (mozilla::MemoryOrdering)2>::load(std::__1::atomic<unsigned long> const&) mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/Atomics.h:196
    #2 0x2d11c08 in mozilla::detail::AtomicBaseIncDec<unsigned long, (mozilla::MemoryOrdering)2>::operator unsigned long() const mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/Atomics.h:369
    #3 0x2d11c08 in js::ProtectedData<js::CheckUnprotected, js::gcstats::Statistics>::ref() mozilla-central/js/src/threading/ProtectedData.h:102
    #4 0x2d11c08 in js::gc::GCRuntime::stats() mozilla-central/js/src/gc/GCRuntime.h:668
    #5 0x2d11c08 in JS::UnmarkGrayGCThingRecursively(JS::GCCellPtr) mozilla-central/js/src/gc/Marking.cpp:3654
    #6 0x76fcc2 in js::gc::TenuredCell::readBarrier(js::gc::TenuredCell*) mozilla-central/js/src/gc/Cell.h:397:13
    #7 0x22f52f8 in js::InternalBarrierMethods<js::UnownedBaseShape*>::readBarrier(js::UnownedBaseShape*) mozilla-central/js/src/gc/Barrier.h:269:37
    #8 0x22f52f8 in js::ReadBarrieredBase<js::UnownedBaseShape*>::read() const mozilla-central/js/src/gc/Barrier.h:593
    #9 0x22f52f8 in js::ReadBarriered<js::UnownedBaseShape*>::get() const mozilla-central/js/src/gc/Barrier.h:649
    #10 0x22f52f8 in js::ReadBarriered<js::UnownedBaseShape*>::operator js::UnownedBaseShape* const&() const mozilla-central/js/src/gc/Barrier.h:661
    #11 0x22f52f8 in JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::UnownedBaseShape*>, js::StackBaseShape, js::SystemAllocPolicy> >::entryNeedsSweep(js::ReadBarriered<js::UnownedBaseShape*> const&) mozilla-central/js/src/build_DBG.OBJ/dist/include/js/GCHashTable.h:641
    #12 0x22f904b in JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::UnownedBaseShape*>, js::StackBaseShape, js::SystemAllocPolicy> >::Range::settle() mozilla-central/js/src/build_DBG.OBJ/dist/include/js/GCHashTable.h:671:32
    #13 0x226655f in JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::UnownedBaseShape*>, js::StackBaseShape, js::SystemAllocPolicy> >::Range::popFront() mozilla-central/js/src/build_DBG.OBJ/dist/include/js/GCHashTable.h:664:13
    #14 0x226655f in JS::Zone::checkBaseShapeTableAfterMovingGC() mozilla-central/js/src/vm/Shape.cpp:1519
    #15 0x2c09137 in js::gc::CheckHashTablesAfterMovingGC(JSRuntime*) mozilla-central/js/src/gc/GC.cpp:8466:15
    #16 0x2d2237d in js::Nursery::doCollection(JS::gcreason::Reason, js::gc::TenureCountCache&) mozilla-central/js/src/gc/Nursery.cpp:948:9
    #17 0x2d1d8d7 in js::Nursery::collect(JS::gcreason::Reason) mozilla-central/js/src/gc/Nursery.cpp:738:9
    #18 0x2c17406 in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) mozilla-central/js/src/gc/GC.cpp:7827:15
    #19 0x2c159b5 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) mozilla-central/js/src/gc/GC.cpp:7430:5
    #20 0x2c1a6e5 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) mozilla-central/js/src/gc/GC.cpp:7621:25
    #21 0x2b8fca1 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) mozilla-central/js/src/gc/GC.cpp:7691:5
    #22 0x21f45bc in JSRuntime::destroyRuntime() mozilla-central/js/src/vm/Runtime.cpp:313:12
    #23 0x1fba8dc in js::DestroyContext(JSContext*) mozilla-central/js/src/vm/JSContext.cpp:201:20
    #24 0x587da6 in main mozilla-central/js/src/shell/js.cpp:9350:5
    #25 0x7f9cf40a682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x2d11c08)
==23980==ABORTING
Updated•6 years ago
Group: core-security → javascript-core-security
Comment 1•6 years ago
Jon, do you know who could take a look at this? (Note that there's a disclosure deadline here.)
Flags: needinfo?(jcoppeard)
Updated•6 years ago
Attachment #8979540 - Attachment mime type: application/x-javascript → text/plain
Comment 2•6 years ago
The test case seems to involve gray marking a weak map, so maybe this is more up Steve's alley:

    var __v_1173 = new WeakMap();
    grayRoot().map = __v_1173;            // hang the WeakMap off a gray root (shell testing function)
    __v_1173 = null;
    gczeal(13, 7);                        // zeal mode 13: check internal hash tables on minor GC, frequency 7
    if (!isNaN()) { }
    (function __f_252() { ( { })() })();  // throws TypeError: ({}) is not a function
Flags: needinfo?(jcoppeard) → needinfo?(sphink)
Comment 3•6 years ago
Fixed in bug 1456512. I think this argues for a backport.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE
Updated•6 years ago
Group: javascript-core-security