Bug 1502012 (Closed)
Opened 7 years ago, closed 7 years ago
Assertion failure: inited == !getPrototype(key).isUndefined(), at js/src/vm/GlobalObject.h:226
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1219128
| | Tracking | Status |
|---|---|---|
| firefox64 | --- | affected |
People: Reporter: decoder, Unassigned
Details: 4 keywords, Whiteboard: [jsbugmon:update]
The following testcase crashes on mozilla-central revision 3cc04ee79005 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
```js
x = evalcx("lazy");
oomTest(function() {
x.of(new(delete y));
});
```
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555e35988 in js::GlobalObject::classIsInitialized (key=<optimized out>, this=<optimized out>) at js/src/vm/GlobalObject.h:226
#0 0x0000555555e35988 in js::GlobalObject::classIsInitialized (key=<optimized out>, this=<optimized out>) at js/src/vm/GlobalObject.h:226
#1 js::GlobalObject::functionObjectClassesInitialized (this=0x7ffff4dba060) at js/src/vm/GlobalObject.h:232
#2 js::GlobalObject::getOrCreateObjectPrototype (global=..., cx=0x7ffff5f18000) at js/src/vm/GlobalObject.h:312
#3 JS_ResolveStandardClass (cx=0x7ffff5f18000, obj=..., id=..., resolved=<optimized out>) at js/src/jsapi.cpp:1050
#4 0x00005555557fd535 in sandbox_resolve (cx=0x7ffff5f18000, obj=..., id=..., resolvedp=0x7fffffffb9ef) at js/src/shell/js.cpp:3730
#5 0x0000555556015dcc in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:835
#6 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=<optimized out>, obj=..., id=..., propp=..., donep=0x7fffffffbb0f) at js/src/vm/NativeObject-inl.h:912
#7 0x00005555560174e6 in NativeGetPropertyInline<(js::AllowGC)1> (cx=<optimized out>, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2580
#8 0x0000555556017bc0 in js::NativeGetProperty (cx=<optimized out>, obj=..., obj@entry=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2630
#9 0x0000555555e9d1e8 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/ObjectOperations-inl.h:122
#10 js::ForwardingProxyHandler::get (this=<optimized out>, cx=<optimized out>, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Wrapper.cpp:155
#11 0x0000555555e91b90 in js::CrossCompartmentWrapper::get (this=0x5555577c6790 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:235
#12 0x0000555555ea8d69 in js::Proxy::getInternal (cx=0x7ffff5f18000, proxy=proxy@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/proxy/Proxy.cpp:384
#13 0x0000555555e9eb12 in js::Proxy::get (cx=<optimized out>, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:394
#14 0x00005555559688fd in js::GetProperty (cx=0x7ffff5f18000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ObjectOperations-inl.h:119
#15 0x000055555594bc69 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=<optimized out>) at js/src/vm/ObjectOperations-inl.h:130
#16 js::GetProperty (cx=<optimized out>, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4940
#17 0x00005555559524de in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff5f18000) at js/src/vm/Interpreter.cpp:223
#18 Interpret (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:3158
#19 0x000055555595ecd6 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:447
#20 0x000055555595f2ef in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:587
#21 0x000055555595f84d in InternalCall (cx=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#22 0x000055555595f9d0 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:633
#23 0x0000555555e6a03f in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2930
#24 0x0000555555c7f94b in RunIterativeFailureTest (cx=<optimized out>, cx@entry=0x7ffff5f18000, params=..., simulator=...) at js/src/builtin/TestingFunctions.cpp:1929
#25 0x0000555555c8025a in OOMTest (cx=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2109
#26 0x000055555596beb5 in CallJSNative (cx=0x7ffff5f18000, native=0x555555c80190 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
#27 0x000055555595f227 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:560
#28 0x000055555595f84d in InternalCall (cx=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#29 0x0000555555951eec in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:620
#30 Interpret (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:3462
#31 0x000055555595ecd6 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:447
#32 0x00005555559614ed in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:813
#33 0x00005555559618e9 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f18000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:846
#34 0x0000555555ef1393 in ExecuteScript (cx=0x7ffff5f18000, scope=scope@entry=..., script=..., rval=rval@entry=0x0) at js/src/vm/CompilationAndEvaluation.cpp:394
#35 0x0000555555ef4790 in JS_ExecuteScript (cx=<optimized out>, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:429
#36 0x00005555557de08e in RunFile (compileOnly=false, file=<optimized out>, filename=0x7fffffffe015 "test.js", cx=0x7ffff5f18000) at js/src/shell/js.cpp:923
#37 Process (cx=0x7ffff5f18000, filename=0x7fffffffe015 "test.js", forceTTY=<optimized out>, kind=<optimized out>) at js/src/shell/js.cpp:1400
#38 0x00005555557debd2 in ProcessArgs (cx=<optimized out>, op=0x7fffffffda20) at js/src/shell/js.cpp:10015
#39 0x00005555557eb98f in Shell (envp=<optimized out>, op=0x7fffffffda20, cx=<optimized out>) at js/src/shell/js.cpp:10457
#40 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10965
rax 0x0 0
rbx 0x7ffff5f18000 140737319632896
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffb940 140737488337216
rsp 0x7fffffffb8f0 140737488337136
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffbb40 140737488337728
r13 0xfff9800000000000 -1829587348619264
r14 0x7ffff4dba060 140737301422176
r15 0xfff9800000000000 -1829587348619264
rip 0x555555e35988 <JS_ResolveStandardClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool*)+728>
=> 0x555555e35988 <JS_ResolveStandardClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool*)+728>: movl $0x0,0x0
0x555555e35993 <JS_ResolveStandardClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool*)+739>: ud2
Similar to bug 1219128 but doesn't use getBacktrace. I'm marking this s-s because I don't know if this can be provoked in the browser. If it can, then it seems possible to me that this leaves the respective GlobalObject in some half-initialized state which can be dangerous.
Comment 1 • 7 years ago
Can we run auto-bisect on this?
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user: Jon Coppeard
date: Tue Oct 13 13:37:07 2015 +0100
summary: Bug 1212469 - Make oomTest() into a shell function r=nbp
Jon, is bug 1212469 a likely regressor?
Blocks: 1212469
Flags: needinfo?(jcoppeard)
Comment 3 • 7 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
No, that just added the oomTest() function.
What happens here is that we fail due to OOM while creating a constructor:
(skipped hash table add() and internal methods)
9: js::EmptyShape::getInitialShape at Shape.cpp:2269
10: js::EmptyShape::getInitialShape at Shape.cpp:2289
11: js::Shape::replaceLastProperty at Shape.cpp:286
12: js::Shape::setObjectFlags at Shape.cpp:1505
13: JSObject::setFlags at Shape.cpp:1460
14: JSObject::setDelegate at JSObject.h:185
15: js::ObjectGroup::defaultNewGroup at ObjectGroup.cpp:567
16: js::NewObjectWithGivenTaggedProto at JSObject.cpp:870
17: js::NewObjectWithClassProtoCommon at JSObject.cpp:903
18: js::NewObjectWithClassProto at JSObject-inl.h:546
19: js::NewObjectWithClassProto<JSFunction> at JSObject-inl.h:570
20: js::NewFunctionWithProto at JSFunction.cpp:2306
21: CreateFunctionPrototype at JSFunction.cpp:896
22: js::GlobalObject::resolveConstructor at GlobalObject.cpp:213
23: js::GlobalObject::ensureConstructor at GlobalObject.h:164
24: CreateObjectConstructor at Object.cpp:2175
25: js::GlobalObject::resolveConstructor at GlobalObject.cpp:231
26: js::GlobalObject::ensureConstructor at GlobalObject.h:164
27: js::GlobalObject::getOrCreateObjectPrototype at GlobalObject.h:315
28: JS_ResolveStandardClass at jsapi.cpp:1050
Then we hit an assertion next time round because the constructor is not present, but the prototype is.
There's a comment in GlobalObject::resolveConstructor that says it's OK for the prototype to be present without the constructor:
https://searchfox.org/mozilla-central/source/js/src/vm/GlobalObject.cpp#221
But that would seem to be at odds with this assertion.
I'm forwarding this to Waldo; I don't understand what the correct behaviour is here.
Flags: needinfo?(jcoppeard) → needinfo?(jwalden+bmo)
Updated • 7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4 • 7 years ago
Basically this requires redoing how function/object classes get initialized, so they're initialized as a coherent whole. We *used* to have this fixed, then bholley went and rejiggered stuff to be "systematic" and in the process broke this. It is moderately straightforward to fix this in theory; in practice it is somewhat trickier. Given the relative unlikelihood of hitting this failure mode in the real world, it is not likely at any particular time to ever be a priority.
This problem exists and has been known for some time, and this bug is almost certainly a dup.
Flags: needinfo?(jwalden+bmo)
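The half-initialised state comment 3 describes and the "coherent whole" initialisation comment 4 asks for, as an added model that is not SpiderMonkey code: a naive lazy resolver that publishes the prototype before the constructor sits beside one that publishes both only together, driven by an allocator that injects an OOM at a chosen allocation the way oomTest() does. Global, Allocator, the integer slot tokens and invariantAfterOom are constructed stand-ins for illustration.

```cpp
// Constructed model, not SpiderMonkey code: a global holds a constructor
// slot and a prototype slot for one lazily-resolved standard class.
// A slot value of 0 plays the role of "undefined".
struct Global {
    int ctor = 0;
    int proto = 0;
};

// Fallible allocator standing in for the heap under oomTest(): the
// failAt-th allocation fails (returns 0), all others succeed (0 = never).
struct Allocator {
    int failAt, count;
    explicit Allocator(int f) : failAt(f), count(0) {}
    int alloc() { return ++count == failAt ? 0 : count; }  // 0 == OOM
};

// The invariant asserted at GlobalObject.h:226: "initialised" means the
// constructor slot is filled, and that must agree with the prototype slot.
bool invariantHolds(const Global& g) {
    return (g.ctor != 0) == (g.proto != 0);
}

// Naive resolver: publishes the prototype, then allocates the constructor.
// OOM in between leaves the half-initialised state comment 3 describes.
bool resolveNaive(Global& g, Allocator& a) {
    g.proto = a.alloc();
    if (g.proto == 0) return false;
    g.ctor = a.alloc();
    return g.ctor != 0;
}

// Hardened resolver: builds both into locals and publishes them only once
// both allocations succeeded, so the pair changes as a coherent whole.
bool resolveAtomic(Global& g, Allocator& a) {
    int proto = a.alloc();
    int ctor = proto != 0 ? a.alloc() : 0;
    if (proto == 0 || ctor == 0) return false;  // nothing published
    g.proto = proto;
    g.ctor = ctor;
    return true;
}

// Runs one resolver with an OOM injected at the failAt-th allocation and
// reports whether the global still satisfies the invariant afterwards.
bool invariantAfterOom(bool (*resolve)(Global&, Allocator&), int failAt) {
    Global g;
    Allocator a(failAt);
    resolve(g, a);
    return invariantHolds(g);
}
```

With the OOM injected at the second allocation (the constructor), only the naive resolver leaves a global that would trip the assertion on the next resolve.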
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 6 • 5 years ago
Removing employee no longer with company from CC list of private bugs.
Updated • 3 years ago
Group: javascript-core-security