Closed Bug 1468792 Opened 6 years ago Closed 6 years ago

Assertion failure: isAtom(), at js/src/vm/StringType.h:500 or Assertion failure: JSString::isFlat(), at vm/StringType.h:913

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 87b46cd1c941 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-eager):

loadFile(`
  gczeal(2,9);
  evaluate(\`
    reportCompare(expect, actual, summary);
  \`);
`);
function loadFile(lfVarx) {
    try {
        evaluate(lfVarx);
    } catch (lfVare) {}
}
eval("(function(){({6953421313:0})})")();
function f() {
    x[6953421313] = "a";
}
f();


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000a2d358 in JSString::asAtom (this=0x7ffff58abba0) at js/src/vm/StringType.h:500
#0  0x0000000000a2d358 in JSString::asAtom (this=0x7ffff58abba0) at js/src/vm/StringType.h:500
#1  INTERNED_STRING_TO_JSID (cx=<optimized out>, str=0x7ffff58abba0) at js/src/jsapi.cpp:5849
#2  0x0000000000a35563 in js::detail::IdMatchesAtom (id=id@entry=..., atom=atom@entry=0x7ffff58abba0) at js/src/jsfriendapi.cpp:1391
#3  0x000000000073622a in NON_INTEGER_ATOM_TO_JSID (atom=0x7ffff58abba0) at js/src/jsfriendapi.h:2688
#4  0x0000000000757211 in js::NameToId (name=0x7ffff5fa2f68) at js/src/vm/StringType.h:1424
#5  js::jit::IonBuilder::setPropTryUnboxed (this=this@entry=0x7ffff5fa21c0, emitted=emitted@entry=0x7fffffffbd7e, obj=0x7ffff5fa2ec0, name=name@entry=0x7ffff58abba0, value=0x7ffff5fa2f68, barrier=barrier@entry=false) at js/src/jit/IonBuilder.cpp:11887
#6  0x00000000007a1dc7 in js::jit::IonBuilder::jsop_setprop (this=this@entry=0x7ffff5fa21c0, name=0x7ffff58abba0) at js/src/jit/IonBuilder.cpp:11496
#7  0x000000000079a272 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff5fa21c0, op=op@entry=JSOP_SETPROP) at js/src/jit/IonBuilder.cpp:2228
#8  0x000000000079b758 in js::jit::IonBuilder::visitBlock (this=this@entry=0x7ffff5fa21c0, cfgblock=cfgblock@entry=0x7ffff5574600, mblock=<optimized out>) at js/src/jit/IonBuilder.cpp:1563
#9  0x000000000079c12d in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff5fa21c0) at js/src/jit/IonBuilder.cpp:1480
#10 0x000000000079cef2 in js::jit::IonBuilder::build (this=this@entry=0x7ffff5fa21c0) at js/src/jit/IonBuilder.cpp:863
#11 0x00000000007aa458 in js::jit::IonCompile (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2116
#12 0x00000000007aae66 in js::jit::Compile (cx=cx@entry=0x7ffff5f17000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2399
#13 0x00000000007aaf8c in js::jit::CanEnterIon (cx=cx@entry=0x7ffff5f17000, state=...) at js/src/jit/Ion.cpp:2483
#14 0x00000000007d6259 in js::jit::MaybeEnterJit (cx=cx@entry=0x7ffff5f17000, state=...) at js/src/jit/Jit.cpp:140
#15 0x00000000005aeac4 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:406
#16 0x00000000005af2a7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493
#17 0x00000000005af55d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:520
#18 0x00000000005af6aa in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:526
#19 0x00000000006982f3 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffcb38, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcaf8, res=...) at js/src/jit/BaselineIC.cpp:2372
#20 0x00003f2dbd6ab5ac in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff58abba0	140737312897952
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffbca0	140737488338080
rsp	0x7fffffffbc90	140737488338064
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7fffffffbd7e	140737488338302
r13	0x7ffff5fa2ec0	140737320201920
r14	0x7ffff5fa2f68	140737320202088
r15	0x7ffff5fa2568	140737320199528
rip	0xa2d358 <INTERNED_STRING_TO_JSID(JSContext*, JSString*)+168>
=> 0xa2d358 <INTERNED_STRING_TO_JSID(JSContext*, JSString*)+168>:	movl   $0x0,0x0
   0xa2d363 <INTERNED_STRING_TO_JSID(JSContext*, JSString*)+179>:	ud2


Marking this s-s because the test involves GC and both assertions can indicate security problems.
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6d741e95201a
user:        Jon Coppeard
date:        Mon Jun 04 15:25:45 2018 +0100
summary:     Bug 1466171 - Allow collection of atoms while the main thread is parsing r=sfink

This iteration took 318.680 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
A very similar testcase crashes with 0x4b4b4b4b so this is likely use-after-free, marking sec-high.

Needinfo from Jon based on comment 1.
Flags: needinfo?(jcoppeard)
This is almost certainly my fault. I'll investigate next week when I have access to a machine I can run rr on.
We need to purge the dtoa cache at the same time as we purge the atom cache as this can also give out pointers to atoms.  Purging the dtoa cache forces atoms to be re-added/looked up and hence added to the atom cache.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
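To make the mechanism Jon describes concrete, here is an added toy model; it is not SpiderMonkey code and not part of this bug thread. It models a tiny mark-and-sweep heap of atoms and two caches that both store raw pointers to atoms (an atom cache and a number-to-string cache), then shows what happens when only one of them is purged before a collection. All names (AtomHeap, Caches, purgeBuggy, purgeFixed, runScenario, Outcome) are invented, and the value 6953421313 is borrowed from the testcase above purely as sample input.

```cpp
// Toy model (not SpiderMonkey code): two caches hand out raw pointers to
// GC-managed atoms. Purging only one of them before the collector sweeps
// atoms leaves the other returning an already-swept atom.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// An interned string. The toy heap never frees an Atom's storage; it only
// clears `live`, so inspecting a stale pointer stays well-defined here.
struct Atom {
    std::string chars;
    bool live = true;
    bool marked = false;
};

// Toy mark-and-sweep heap for atoms. Roots are passed in explicitly.
class AtomHeap {
  public:
    Atom* allocate(const std::string& s) {
        auto a = std::make_unique<Atom>();
        a->chars = s;
        slots_.push_back(std::move(a));
        return slots_.back().get();
    }
    // Mark everything reachable from `roots`, sweep the rest; returns swept count.
    std::size_t collect(const std::vector<Atom*>& roots) {
        for (Atom* r : roots) r->marked = true;
        std::size_t swept = 0;
        for (auto& a : slots_) {
            if (!a->live) continue;
            if (a->marked) a->marked = false;   // survives; reset for next cycle
            else { a->live = false; ++swept; }  // unreachable: swept
        }
        return swept;
    }
  private:
    std::vector<std::unique_ptr<Atom>> slots_;
};

// Two lookup caches that both store raw Atom*:
//   atomCache_: chars  -> Atom  (the atom cache)
//   dtoaCache_: double -> Atom  (memoized number-to-string results)
// Neither keeps its atoms alive, so both must be purged before a collection.
class Caches {
  public:
    explicit Caches(AtomHeap& heap) : heap_(heap) {}
    Atom* atomize(const std::string& s) {
        auto it = atomCache_.find(s);
        if (it != atomCache_.end()) return it->second;
        Atom* a = heap_.allocate(s);
        atomCache_.emplace(s, a);
        return a;
    }
    Atom* numberToAtom(double d) {
        auto it = dtoaCache_.find(d);
        if (it != dtoaCache_.end()) return it->second;  // may be stale
        Atom* a = atomize(std::to_string(d));
        dtoaCache_.emplace(d, a);
        return a;
    }
    // The defect: only the atom cache is purged before GC.
    void purgeBuggy() { atomCache_.clear(); }
    // The fix the comment above describes: purge both caches together.
    void purgeFixed() { atomCache_.clear(); dtoaCache_.clear(); }
    // Cached entries whose atom has already been swept.
    std::size_t staleEntries() const {
        std::size_t n = 0;
        for (const auto& kv : atomCache_) if (!kv.second->live) ++n;
        for (const auto& kv : dtoaCache_) if (!kv.second->live) ++n;
        return n;
    }
  private:
    AtomHeap& heap_;
    std::unordered_map<std::string, Atom*> atomCache_;
    std::unordered_map<double, Atom*> dtoaCache_;
};

struct Outcome {
    std::size_t stale;   // stale cache entries left after the collection
    bool lookupIsLive;   // is the atom returned by a later lookup still live?
};

// Atomize a number (both caches now hold a pointer to its atom), purge with
// the buggy or fixed routine, collect with only an unrelated atom rooted,
// then look the number up again.
Outcome runScenario(bool fixed) {
    AtomHeap heap;
    Caches caches(heap);
    Atom* kept = caches.atomize("kept");   // rooted by the program
    caches.numberToAtom(6953421313.0);     // referenced only via the caches
    if (fixed) caches.purgeFixed(); else caches.purgeBuggy();
    heap.collect({kept});                  // sweeps the number's atom
    return Outcome{caches.staleEntries(), caches.numberToAtom(6953421313.0)->live};
}

int main() {
    Outcome b = runScenario(false), f = runScenario(true);
    std::cout << "buggy purge: stale=" << b.stale << " live=" << b.lookupIsLive << "\n"
              << "fixed purge: stale=" << f.stale << " live=" << f.lookupIsLive << "\n";
}
```

With the buggy purge, the number cache survives the collection and the next lookup returns the swept atom, which is the kind of stale atom pointer Jon's comment attributes to the unpurged dtoa cache. With both caches purged, the lookup re-atomizes, the new atom re-enters the atom cache, and the caller gets a live object.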
Attachment #8985941 - Flags: review?(sphink)
Blocks: 1466171
Comment on attachment 8985941 [details] [diff] [review]
bug1468792-atom-cache

Review of attachment 8985941 [details] [diff] [review]:
-----------------------------------------------------------------

Subtle. I can't offhand think of an easy way to catch this sort of thing in the type system.
Attachment #8985941 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/7aaaed1a9ef1
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security-release
Keywords: bugmon