Assertion failure: heap == gc::TenuredHeap, at mozilla-central/js/src/vm/JSObject.cpp:4288

Status: RESOLVED FIXED (defect)
Reported: 4 months ago; last modified: 3 months ago
Reporter: Alex_Gaynor (Unassigned)
Tracking: Trunk; firefox67 affected
Attachments: 1

Description (Reporter, 4 months ago)

This was found by OSS-Fuzz, and has a 90 day disclosure deadline.

Regression range is: https://github.com/mozilla/gecko-dev/compare/5916c8397a2e5e6f34e7a261037a90ee7c36ec2e...85ad02d41aeb675b0d0218529c248e14707df918

[Environment] ASAN_OPTIONS = redzone=16:print_suppressions=0:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
[Command line] /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --spectre-mitigations=off /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/fuzz-16.js
+----------------------------------------Release Build Stacktrace----------------------------------------+
Assertion failure: heap == gc::TenuredHeap, at mozilla-central/js/src/vm/JSObject.cpp:4288
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21691==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5629fe3f4707 bp 0x7fffa272b230 sp 0x7fffa272b220 T0)
==21691==The signal is caused by a WRITE memory access.
==21691==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x5629fe3f4706 in js::ObjectGroup::unknownPropertiesDontCheckGeneration() mozilla-central/js/src/vm/ObjectGroup.h:419:5
    #1 0x5629fe3f4706 in js::ObjectGroup::shouldPreTenureDontCheckGeneration() mozilla-central/js/src/vm/ObjectGroup-inl.h:63
    #2 0x5629fe3f4706 in JSObject::debugCheckNewObject(js::ObjectGroup*, js::Shape*, js::gc::AllocKind, js::gc::InitialHeap) mozilla-central/js/src/vm/JSObject.cpp:4287
    #3 0x5629fdf5e531 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) mozilla-central/js/src/vm/NativeObject-inl.h:482:3
    #4 0x5629fe22b56e in js::VarEnvironmentObject::create(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>, js::gc::InitialHeap) mozilla-central/js/src/vm/EnvironmentObject.cpp:253:3
    #5 0x5629fe22c42c in js::VarEnvironmentObject::create(JSContext*, JS::Handle<js::Scope*>, js::AbstractFramePtr) mozilla-central/js/src/vm/EnvironmentObject.cpp:288:31
    #6 0x5629fe26206a in js::PushVarEnvironmentObject(JSContext*, JS::Handle<js::Scope*>, js::AbstractFramePtr) mozilla-central/js/src/vm/EnvironmentObject.cpp:3704:31
    #7 0x5629ff524524 in js::jit::BaselineFrame::pushVarEnvironment(JSContext*, JS::Handle<js::Scope*>) mozilla-central/js/src/jit/BaselineFrame.cpp:104:10
    #6 0x3b32fad9fca8  (<unknown module>)
    #7 0x3b32fad95ac3  (<unknown module>)
    #8 0x5629ffd7662d in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:103:5
    #9 0x5629ffd7662d in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:168
    #10 0x5629fdc2d19f in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:405:32
    #11 0x5629fdc6a4e5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:779:13
    #12 0x5629fdd5aada in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/builtin/Eval.cpp:326:10
    #13 0x5629fdd5d611 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) mozilla-central/js/src/builtin/Eval.cpp:440:10
    #14 0x5629ff56a6ac in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:3868:10
    #14 0x3b32fadad7b2  (<unknown module>)
    #15 0x6210000209af  (<unknown module>)
    #16 0x3b32fadbd4b4  (<unknown module>)
    #17 0x621000019a5f  (<unknown module>)
    #18 0x3b32fad95ac3  (<unknown module>)
    #15 0x5629ff862d6f in EnterBaseline(JSContext*, js::jit::EnterJitData&) mozilla-central/js/src/jit/BaselineJIT.cpp:111:5
    #16 0x5629ff862d6f in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) mozilla-central/js/src/jit/BaselineJIT.cpp:189
    #17 0x5629fdc54078 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:1980:24
    #18 0x5629fdc2d277 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:420:10
    #19 0x5629fdc6a4e5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:779:13
    #20 0x5629fdc6b17b in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:812:10
    #21 0x5629fdff6dec in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:438:10
    #22 0x5629fdff722f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:471:10
    #23 0x5629fdaea71a in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) mozilla-central/js/src/shell/js.cpp:881:10
    #24 0x5629fdae8001 in Process(JSContext*, char const*, bool, FileKind) mozilla-central/js/src/shell/js.cpp:1421:14
    #25 0x5629fda6a57f in ProcessArgs(JSContext*, js::cli::OptionParser*) mozilla-central/js/src/shell/js.cpp:9827:10
    #26 0x5629fda6a57f in Shell(JSContext*, js::cli::OptionParser*, char**) mozilla-central/js/src/shell/js.cpp:10374
    #27 0x5629fda5ac10 in main mozilla-central/js/src/shell/js.cpp:10958:12
    #28 0x7fd998cc882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x12b2706)
==21691==ABORTING

Similar crashes were found in our own fuzzing today, likely a recent regression. I haven't filed yet, still reducing testcases.

Likely from bug 1532376 and harmless: it just means we should have pre-tenured an object but didn't.

Comment 3 (Reporter, 4 months ago)

Removed s-s.

Group: javascript-core-security

Bug 1532376 has been backed out. NI jonco to make sure relanding addresses this bug.

Blocks: 1532376
Status: NEW → RESOLVED
Closed: 4 months ago
Flags: needinfo?(jcoppeard)
Resolution: --- → FIXED