Closed Bug 1547655 Opened 5 years ago Closed 5 years ago

Assertion failure: *stack == reinterpret_cast<Rooted<void*>*>(this), at js/RootingAPI.h:1031

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- verified

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 3eb7623b5e63 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off test.js):

oomTest(() => {
    meta: {
        with({}) {}
    }
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JS::Rooted<JSAtom*>::~Rooted (this=0xff87dc24, __in_chrg=<optimized out>) at dist/include/js/RootingAPI.h:1031
#1  0x56e93e10 in js::frontend::BytecodeEmitter::emitLabeledStatement (this=0xff87e1b8, labeledStmt=0xf6668208) at js/src/frontend/BytecodeEmitter.cpp:7611
#2  0x56e878ca in js::frontend::BytecodeEmitter::emitTree (this=0xff87e1b8, pn=0xf6668208, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9023
#3  0x56e886d7 in js::frontend::BytecodeEmitter::emitTree (this=<optimized out>, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9406
#4  0x56e93d4a in js::frontend::BytecodeEmitter::emitStatementList (this=0xff87e1b8, stmtList=0xf66680d0) at js/src/frontend/BytecodeEmitter.cpp:6704
#5  0x56e878ea in js::frontend::BytecodeEmitter::emitTree (this=0xff87e1b8, pn=0xf66680d0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9008
#6  0x56e886d7 in js::frontend::BytecodeEmitter::emitTree (this=<optimized out>, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9406
#7  0x56e96b66 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=0xff87e1b8, body=0xf66680d0, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:4837
#8  0x56e9b18b in js::frontend::BytecodeEmitter::emitLexicalScope (this=0xff87e1b8, lexicalScope=0xf6668230) at js/src/frontend/BytecodeEmitter.cpp:4896
#9  0x56e87af2 in js::frontend::BytecodeEmitter::emitTree (this=0xff87e1b8, pn=0xf6668230, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9231
#10 0x56e886d7 in js::frontend::BytecodeEmitter::emitTree (this=<optimized out>, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9406
#11 0x56e8b67d in js::frontend::BytecodeEmitter::emitFunctionScript (this=0xff87e1b8, funNode=0xf6668010, isTopLevel=js::frontend::BytecodeEmitter::TopLevelFunction::Yes) at js/src/frontend/BytecodeEmitter.cpp:2536
#12 0x56e8e97e in CompileLazyFunctionImpl<char16_t> (cx=<optimized out>, lazy=..., lazy@entry=..., units=units@entry=0xf52d6d90 u"() => {\n    meta: {\n        with({}) {}\n    }\n});", length=47) at js/src/frontend/BytecodeCompiler.cpp:1002
#13 0x56e8edb8 in js::frontend::CompileLazyFunction (cx=<optimized out>, lazy=..., units=0xf52d6d90 u"() => {\n    meta: {\n        with({}) {}\n    }\n});", length=47) at js/src/frontend/BytecodeCompiler.cpp:1013
#14 0x56ac977b in JSFunction::createScriptForLazilyInterpretedFunction (cx=<optimized out>, fun=...) at js/src/vm/JSFunction.cpp:1644
#15 0x5682dd22 in JSFunction::getOrCreateScript (cx=0xf662a800, fun=...) at js/src/vm/JSFunction.h:545
#16 0x568a7119 in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:538
#17 0x568a772f in InternalCall (cx=cx@entry=0xf662a800, args=...) at js/src/vm/Interpreter.cpp:590
#18 0x568a78da in js::Call (cx=0xf662a800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:606
#19 0x56d9e107 in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2592
#20 0x56bcb638 in RunIterativeFailureTest (cx=<optimized out>, params=..., simulator=...) at js/src/builtin/TestingFunctions.cpp:1928
#21 0x56bcbd7a in OOMTest (cx=0xf662a800, argc=1, vp=0xf52dc060) at js/src/builtin/TestingFunctions.cpp:2109
#22 0x568b44e0 in CallJSNative (cx=0xf662a800, native=0x56bcbcc0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
[...]
#36 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11391
eax	0x57d44e14	1473531412
ebx	0x57d43ff4	1473527796
ecx	0xf74c5864	-145991580
edx	0x577ff4f4	1468003572
esi	0xff87e1b8	-7872072
edi	0x0	0
ebp	0xff87dbf8	4287093752
esp	0xff87dbf0	4287093744
eip	0x56888274 <JS::Rooted<JSAtom*>::~Rooted()+84>
=> 0x56888274 <JS::Rooted<JSAtom*>::~Rooted()+84>:	movl   $0x0,0x0
   0x5688827e <JS::Rooted<JSAtom*>::~Rooted()+94>:	ud2

Marking s-s because the assertion looks potentially dangerous.

Usually this assertion would indicate that Rooted<> are not destructed in LIFO order (e.g. by misusing Maybe<Rooted<>>) but I didn't see that here.

This code was changed recently in bug 1537908 so I'll needinfo based on that.

Flags: needinfo?(jdemooij)

Problem is that LabelEmitter has a Maybe<LabelControl> and LabelControl has a RootedAtom.

I think we can now change that RootedAtom to a HandleAtom. I'll try that...

Posted the most minimal fix to work around a pre-existing issue with Maybe<LabelControl>.

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
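The root cause above (a Maybe<LabelControl> owning a RootedAtom, so that Rooted<> objects are no longer destroyed in LIFO order) in working code, as an added example rather than SpiderMonkey's own code: every type here (RootingContext, RootedBase, Rooted, Handle, the LabelControl/LabelEmitter pairs) is a toy stand-in, and the Maybe<> member is modelled as a deferred heap allocation.

```cpp
// Toy stand-ins for SpiderMonkey's rooting machinery (not the real API): each
// Rooted<T> links itself into a per-context LIFO list when constructed and
// must still be the list head when it is destroyed.
struct Atom { const char* chars; };
struct RootedBase;
struct RootingContext {
  RootedBase* stack = nullptr;   // head of the intrusive root list
  int lifoViolations = 0;        // counted where RootingAPI.h would assert
};
struct RootedBase {
  RootingContext* cx;
  RootedBase* prev;
  explicit RootedBase(RootingContext* c) : cx(c), prev(c->stack) { c->stack = this; }
  ~RootedBase() {
    // The page's assertion ("*stack == this"): the root being destroyed must be
    // the newest one; unlinking a non-top root leaves the list pointing at a dead frame.
    if (cx->stack != this) ++cx->lifoViolations;
    cx->stack = prev;
  }
};
template <typename T> struct Rooted : RootedBase {
  T ptr;
  Rooted(RootingContext* c, T p) : RootedBase(c), ptr(p) {}
};
template <typename T> struct Handle { T* const* ptr; };   // non-owning view of a root

// Bug shape: the emitter's Maybe<LabelControl> (deferred construction, modelled
// as a heap pointer) owns a RootedAtom that dies only when the emitter does.
struct LabelControlBad { Rooted<Atom*> name; LabelControlBad(RootingContext* c, Atom* a) : name(c, a) {} };
struct LabelEmitterBad { LabelControlBad* control = nullptr; ~LabelEmitterBad() { delete control; } };
int emitLabeledBad(RootingContext* cx, Atom* a) {
  LabelEmitterBad le;                       // constructed before `local`
  Rooted<Atom*> local(cx, a);               // pushed first
  le.control = new LabelControlBad(cx, a);  // pushed second, owned by `le`
  return 0;                                 // `local` dies first but is not on top
}

// Fix shape: LabelControl keeps a Handle to a root that the caller still owns.
struct LabelControlGood { Handle<Atom> name; };
struct LabelEmitterGood { LabelControlGood* control = nullptr; ~LabelEmitterGood() { delete control; } };
int emitLabeledGood(RootingContext* cx, Atom* a) {
  LabelEmitterGood le;
  Rooted<Atom*> local(cx, a);
  le.control = new LabelControlGood{Handle<Atom>{&local.ptr}};
  return 0;
}
// Runs one scenario on a fresh context and reports how many LIFO checks failed.
int lifoViolationsFor(bool buggy) {
  RootingContext cx; Atom a{"meta"};
  if (buggy) emitLabeledBad(&cx, &a); else emitLabeledGood(&cx, &a);
  return cx.lifoViolations;   // 2 for the bug shape, 0 for the fix
}
```

In the bug shape the context's root list ends up pointing into the returned function's frame, which is the use-after-free hazard the sec-high rating refers to.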
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.

Talked to :arai and the description sounded like this might have been sec-high due to use-after-free potential. If this rating is not correct, please feel free to fix it.

Keywords: sec-high
Group: core-security-release
Assignee: jdemooij → nobody
Keywords: bugmon