Closed Bug 1510588 Opened 11 months ago Closed 10 months ago

Crash [@ js::ObjectGroupRealm::checkNewTableAfterMovingGC] or Assertion failure: ptr.found() && &*ptr == &r.front(), at vm/ObjectGroup.cpp:1957

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- disabled
firefox64 --- disabled
firefox65 --- disabled
firefox66 + fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision ce39a152428a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

See attachment.


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::ObjectGroupRealm::checkNewTableAfterMovingGC (this=this@entry=0x7ffff5f2a8e8, table=0x7ffff5577b80) at js/src/vm/ObjectGroup.cpp:1957
#1  0x0000555555d03548 in js::ObjectGroupRealm::checkTablesAfterMovingGC (this=0x7ffff5f2a8e8) at js/src/vm/ObjectGroup.h:728
#2  JS::Realm::checkObjectGroupTablesAfterMovingGC (this=<optimized out>) at js/src/vm/Realm.h:572
#3  js::gc::CheckHashTablesAfterMovingGC (rt=rt@entry=0x7ffff5f1b000) at js/src/gc/GC.cpp:9017
#4  0x0000555555d359e0 in js::Nursery::doCollection (this=this@entry=0x7ffff5f1d670, reason=reason@entry=JS::gcreason::DEBUG_GC, tenureCounts=...) at js/src/gc/Nursery.cpp:1025
#5  0x0000555555d35cff in js::Nursery::collect (this=this@entry=0x7ffff5f1d670, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/Nursery.cpp:801
#6  0x0000555555ced12c in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff5f1b4f0, reason=reason@entry=JS::gcreason::DEBUG_GC, phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY_FOR_MAJOR_GC) at js/src/gc/GC.cpp:8328
#7  0x0000555555d104f0 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1b4f0, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7862
#8  0x0000555555d10a6d in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1b4f0, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:8095
#9  0x0000555555d11b78 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff5f1b4f0) at js/src/gc/GC.cpp:8717
#10 0x0000555555d11d38 in js::gc::GCRuntime::gcIfNeededAtAllocation (this=0x7ffff5f1b4f0, cx=0x7ffff5f28800) at js/src/gc/Allocator.cpp:336
#11 0x0000555555d22fb9 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=<optimized out>, cx=0x7ffff5f28800, kind=<optimized out>) at js/src/gc/Allocator.cpp:295
#12 0x0000555555d2345d in js::AllocateString<JSString, (js::AllowGC)1> (cx=cx@entry=0x7ffff5f28800, heap=heap@entry=js::gc::DefaultHeap) at js/src/gc/Allocator.cpp:193
#13 0x0000555555ada91e in js::Allocate<JSThinInlineString, (js::AllowGC)1> (heap=js::gc::DefaultHeap, cx=0x7ffff5f28800) at js/src/gc/Allocator.h:47
#14 JSThinInlineString::new_<(js::AllowGC)1> (cx=0x7ffff5f28800) at js/src/vm/StringType-inl.h:329
#15 js::AllocateInlineString<(js::AllowGC)1, unsigned char> (chars=<synthetic pointer>, len=<optimized out>, cx=0x7ffff5f28800) at js/src/vm/StringType-inl.h:34
#16 js::NewInlineString<(js::AllowGC)1, unsigned char> (chars=..., cx=0x7ffff5f28800) at js/src/vm/StringType-inl.h:62
#17 js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char> (cx=cx@entry=0x7ffff5f28800, s=0x7ffff5f48078 "test.js", n=7) at js/src/vm/StringType.cpp:1753
#18 0x0000555555adae45 in js::NewStringCopyN<(js::AllowGC)1, unsigned char> (cx=cx@entry=0x7ffff5f28800, s=<optimized out>, n=<optimized out>) at js/src/vm/StringType.cpp:1804
#19 0x0000555555b9168d in js::NewStringCopyN<(js::AllowGC)1> (n=<optimized out>, s=<optimized out>, cx=0x7ffff5f28800) at js/src/vm/StringType.h:1569
#20 js::NewStringCopyZ<(js::AllowGC)1> (s=<optimized out>, cx=0x7ffff5f28800) at js/src/vm/StringType.h:1589
#21 JS_NewStringCopyZ (cx=cx@entry=0x7ffff5f28800, s=<optimized out>) at js/src/jsapi.cpp:4739
#22 0x0000555555bc0abc in js::ErrorToException (cx=cx@entry=0x7ffff5f28800, reportp=reportp@entry=0x7fffffffc510, callback=<optimized out>, callback@entry=0x55555598c120 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0) at js/src/jsexn.cpp:723
#23 0x0000555555996a0f in ReportError (userRef=0x0, callback=0x55555598c120 <js::GetErrorMessage(void*, unsigned int)>, reportp=0x7fffffffc510, cx=0x7ffff5f28800) at js/src/vm/JSContext.cpp:264
#24 js::ReportErrorNumberVA (cx=0x7ffff5f28800, flags=flags@entry=0, callback=0x55555598c120 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=<optimized out>, argumentsType=argumentsType@entry=js::ArgumentsAreUTF8, ap=0x7fffffffc5c0) at js/src/vm/JSContext.cpp:886
#25 0x0000555555b93c5c in JS_ReportErrorNumberUTF8VA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffc5c0) at js/src/jsapi.cpp:5439
#26 0x0000555555b93cfa in JS_ReportErrorNumberUTF8 (cx=cx@entry=0x7ffff5f28800, errorCallback=errorCallback@entry=0x55555598c120 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=<optimized out>) at js/src/jsapi.cpp:5428
#27 0x0000555555990e6d in js::ReportIsNullOrUndefinedForPropertyAccess (cx=cx@entry=0x7ffff5f28800, v=..., key=key@entry=..., reportScanStack=reportScanStack@entry=true) at js/src/vm/JSContext.cpp:1008
#28 0x00005555559e6f1c in js::ToObjectSlowForPropertyAccess (cx=cx@entry=0x7ffff5f28800, val=..., val@entry=..., key=..., key@entry=..., reportScanStack=reportScanStack@entry=true) at js/src/vm/JSObject.cpp:3530
#29 0x000055555584e41b in js::ToObjectFromStackForPropertyAccess (key=..., vp=..., cx=0x7ffff5f28800) at js/src/vm/JSObject.h:995
#30 js::GetProperty (cx=cx@entry=0x7ffff5f28800, v=v@entry=..., name=name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4987
#31 0x0000555555d7265a in js::jit::ComputeGetPropResult (res=..., val=..., name=..., op=JSOP_CALLPROP, frame=0x7fffffffcac8, cx=0x7ffff5f28800) at js/src/jit/BaselineIC.cpp:2526
#32 js::jit::DoGetPropFallback (cx=0x7ffff5f28800, frame=0x7fffffffcac8, stub_=0x7ffff5f91870, val=..., res=...) at js/src/jit/BaselineIC.cpp:2589
#33 0x0000147483bb9534 in ?? ()
#34 0x0000000000000000 in ?? ()
rax	0x5555574a3360	93825025061728
rbx	0x7fffffffbb10	140737488337680
rcx	0x0	0
rdx	0x1b	27
rsi	0x5555564ffc30	93825008663600
rdi	0x0	0
rbp	0x7fffffffbb20	140737488337696
rsp	0x7fffffffbb10	140737488337680
r8	0x2b	43
r9	0x0	0
r10	0x7ffff5f32d28	140737319742760
r11	0x36bef53c	918484284
r12	0x7fffffffbb28	140737488337704
r13	0x555557438d00	93825024625920
r14	0x7ffff5577b80	140737309539200
r15	0x7ffff551d000	140737309167616
rip	0x555555a0d7e5 <js::ObjectGroupRealm::checkNewTableAfterMovingGC(js::ObjectGroupRealm::NewTable*)+661>
=> 0x555555a0d7e5 <js::ObjectGroupRealm::checkNewTableAfterMovingGC(js::ObjectGroupRealm::NewTable*)+661>:	movl   $0x0,0x0
   0x555555a0d7f0 <js::ObjectGroupRealm::checkNewTableAfterMovingGC(js::ObjectGroupRealm::NewTable*)+672>:	ud2


The crash looks like a forced crash, but there seems to be something wrong when GCing and TypedObjects are involved, so I am going to assume this is s-s and bad things could happen. The test is a little larger because it depends on variable redefinitions done by the code itself and I wasn't able to serialize these out. It reproduces cleanly though.
Attached file Testcase
Can we get JSBugMon to bisect this?
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c0f28a370935
user:        Jon Coppeard
date:        Tue Apr 17 08:44:56 2018 +0200
summary:     Bug 1453028 - Add new zeal modes to test the different parts of incremental sweeping r=sfink

This iteration took 1.397 seconds to run.
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Keywords: sec-high
The problem is that ObjectGroupRealm::NewEntry::hash() always includes lookup.clasp in the hash but match() doesn't check the class if it's null.  This seems wrong and can result in us not finding entries in this table if they are added with null clasp but looked up with this set.

Removing lookup.clasp from the hash calculation fixes this but I guess that is not ideal.

Jan do you know what's happening here?  Maybe we can ensure we always specify clasp here.
Flags: needinfo?(jcoppeard)
Flags: needinfo?(jdemooij)
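The hash()/match() inconsistency described in the comment above is a general hash-table pitfall: any field that match() may ignore must also be left out of hash(), or an entry can be stored in one bucket and searched for in another. The following is an added example written for this page, not SpiderMonkey's own code; the types Clasp, Proto, Group, Lookup and the two policy structs are hypothetical stand-ins. It reproduces the exact situation from the comment (a group added under a null-clasp key, then looked up with the class set) against the inconsistent policy and against a policy with clasp removed from the hash, and it includes the kind of "every entry is findable through its own key" check that a post-GC table verification performs.

```cpp
// Added example (not SpiderMonkey code): a minimal hash table whose key policy
// reproduces the hash()/match() inconsistency described in this bug, beside a
// consistent policy. All types and names here are hypothetical stand-ins.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Clasp { int id; };                                   // stand-in for a JSClass
struct Proto { int id; };                                   // stand-in for a prototype object
struct Group { const Clasp* clasp; const Proto* proto; };   // stand-in for an ObjectGroup

// Lookup key: clasp may be null, meaning "any class with this proto".
struct Lookup { const Clasp* clasp; const Proto* proto; };

// match() is shared by both policies: it skips the class comparison when the
// lookup's clasp is null, which is the behaviour the bug comment describes.
static bool matchGroup(const Group* g, const Lookup& l) {
    return g->proto == l.proto && (!l.clasp || g->clasp == l.clasp);
}

// Inconsistent policy: hash() mixes in clasp even though match() may ignore it.
struct BuggyPolicy {
    static std::size_t hash(const Lookup& l) {
        return static_cast<std::size_t>(l.proto->id) * 31u + (l.clasp ? l.clasp->id : 0);
    }
    static bool match(const Group* g, const Lookup& l) { return matchGroup(g, l); }
};

// Consistent policy: whatever match() may ignore is left out of hash(), so a
// null-clasp key and a concrete-clasp key for the same proto share a bucket.
struct ConsistentPolicy {
    static std::size_t hash(const Lookup& l) {
        return static_cast<std::size_t>(l.proto->id) * 31u;
    }
    static bool match(const Group* g, const Lookup& l) { return matchGroup(g, l); }
};

template <typename Policy>
class NewTable {
    std::vector<std::vector<const Group*>> buckets_;
public:
    explicit NewTable(std::size_t n = 16) : buckets_(n) {}

    // Insert under the key the caller looked up with (as a lookupForAdd/add
    // pair would): the bucket is chosen from that key, not from the group.
    void add(const Lookup& key, const Group* g) {
        buckets_[Policy::hash(key) % buckets_.size()].push_back(g);
    }

    const Group* lookup(const Lookup& key) const {
        for (const Group* g : buckets_[Policy::hash(key) % buckets_.size()]) {
            if (Policy::match(g, key)) return g;
        }
        return nullptr;
    }

    // The invariant a post-GC table check enforces: every stored group must be
    // found again through its own full key, and the hit must be that entry.
    bool allEntriesFindable() const {
        for (const auto& bucket : buckets_) {
            for (const Group* g : bucket) {
                if (lookup(Lookup{g->clasp, g->proto}) != g) return false;
            }
        }
        return true;
    }
};

// Scenario from the bug comment: a group is added under a null-clasp key and
// later looked up with the class set. Ids are constructed sample values.
template <typename Policy>
NewTable<Policy> buildScenarioTable(const Group& group) {
    NewTable<Policy> table;
    table.add(Lookup{nullptr, group.proto}, &group);   // added with clasp == null
    return table;
}

static const Clasp kClasp{3};
static const Proto kProto{7};
static const Group kGroup{&kClasp, &kProto};

template <typename Policy>
bool scenarioFindsGroup() {
    NewTable<Policy> table = buildScenarioTable<Policy>(kGroup);
    return table.lookup(Lookup{&kClasp, &kProto}) == &kGroup;   // looked up with clasp set
}

template <typename Policy>
bool scenarioPassesTableCheck() {
    return buildScenarioTable<Policy>(kGroup).allEntriesFindable();
}

int main() {
    std::printf("buggy: found=%d check=%d\n",
                scenarioFindsGroup<BuggyPolicy>(), scenarioPassesTableCheck<BuggyPolicy>());
    std::printf("consistent: found=%d check=%d\n",
                scenarioFindsGroup<ConsistentPolicy>(), scenarioPassesTableCheck<ConsistentPolicy>());
    return 0;
}
```

With BuggyPolicy the insertion key hashes to bucket 9 (7*31 = 217, mod 16) while the concrete-clasp lookup hashes to bucket 12 (220 mod 16), so the lookup misses even though match() would have accepted the entry, and the table check fails in the same way the assertion in checkNewTableAfterMovingGC does. The other remedy mentioned in the thread, always supplying clasp at insertion, keeps BuggyPolicy's hash but removes the null-key insertions that trigger the mismatch.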

This is Nightly specific because TypedObject.

I don't think this is actually s-s.

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f7223955d340
Fix a bug in ObjectGroup::defaultNewGroup with TypedObject and Reflect.construct. r=bhackett
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66