Closed Bug 1556155 Opened 6 years ago Closed 6 years ago

Hit MOZ_CRASH(Association for 0x17bf9fd8c100 ObjectSlots has different size: expected 0x10 but got 0x8) at js/src/gc/Zone.cpp:593

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 462fc9264901 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

a = [];
minorgc();
Object.defineProperty(a, 12, {}).push(1);
toString = (function() { return a.reverse(); });
oomTest(Date.prototype.toJSON);
oomTest(Date.prototype.toJSON);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  MOZ_Crash (aReason=<optimized out>, aLine=<optimized out>, aFilename=<optimized out>) at dist/include/mozilla/Assertions.h:313
#1  js::gc::MemoryTracker::untrackMemory (this=0x7ffff5f72858, cell=0x17bf9fd8c100, nbytes=8, use=<optimized out>) at js/src/gc/Zone.cpp:590
#2  0x0000555555b95531 in js::NativeObject::growSlots (this=this@entry=0x17bf9fd8c100, cx=cx@entry=0x7ffff5f19000, oldCount=oldCount@entry=1, newCount=newCount@entry=2) at js/src/vm/NativeObject.cpp:372
#3  0x0000555555b89b27 in js::NativeObject::updateSlotsForSpan (newSpan=2, oldSpan=1, cx=0x7ffff5f19000, this=0x17bf9fd8c100) at js/src/vm/NativeObject-inl.h:546
#4  js::NativeObject::setLastProperty (this=0x17bf9fd8c100, cx=0x7ffff5f19000, shape=0x17bf9fdac858) at js/src/vm/NativeObject-inl.h:584
#5  0x0000555555cf53c5 in js::NativeObject::getChildDataProperty (cx=0x7ffff5f19000, obj=obj@entry=..., parent=parent@entry=..., child=child@entry=...) at js/src/vm/Shape.cpp:411
#6  0x0000555555cd5061 in js::NativeObject::addDataPropertyInternal (cx=<optimized out>, cx@entry=0x7ffff5f19000, obj=obj@entry=..., id=..., id@entry=..., slot=slot@entry=16777215, attrs=attrs@entry=1, table=<optimized out>, entry=<optimized out>, keep=...) at js/src/vm/Shape.cpp:691
#7  0x0000555555bd0cd0 in js::NativeObject::addDataProperty (cx=cx@entry=0x7ffff5f19000, obj=..., obj@entry=..., id=id@entry=..., slot=slot@entry=16777215, attrs=attrs@entry=1) at js/src/vm/Shape-inl.h:402
#8  0x0000555555bc2682 in AddOrChangeProperty<(IsAddOrChange)0> (cx=0x7ffff5f19000, obj=..., id=..., desc=...) at js/src/vm/NativeObject.cpp:1459
#9  0x0000555555bf6d10 in DefineNonexistentProperty (result=..., v=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.cpp:2081
#10 SetNonexistentProperty<(js::QualifiedBool)1> (result=..., receiver=..., v=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.cpp:2839
#11 js::NativeSetProperty<(js::QualifiedBool)1> (cx=<optimized out>, cx@entry=0x7ffff5f19000, obj=..., id=id@entry=..., v=..., v@entry=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.cpp:2970
#12 0x0000555555960845 in js::SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff5f19000) at js/src/vm/ObjectOperations-inl.h:284
#13 js::SetProperty (cx=<optimized out>, obj=..., id=..., v=...) at js/src/vm/ObjectOperations-inl.h:291
#14 0x000055555593ea92 in SetArrayElement (cx=<optimized out>, obj=obj@entry=..., index=13, v=v@entry=...) at js/src/builtin/Array.cpp:516
#15 0x0000555555956542 in js::array_reverse (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Array.cpp:1714
#16 0x00002205a06a7abf in ?? ()
#17 0x0000000000000000 in ?? ()

Marking s-s for now because I don't know how dangerous this assert is and the test involves GC.

Thanks. Not s-s, this is just a memory tracking assert.

Assignee: nobody → jcoppeard
Component: JavaScript Engine → JavaScript: GC
Priority: -- → P1
Group: javascript-core-security
Type: task → defect

We ignore failures shrinking an object's slots buffer but we still update the shape, so we have no way to tell that the buffer is still at the old size. This updates the memory tracking to use the smaller size even on failure so that it matches the slot count.
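As an added illustration (not code from this bug or from SpiderMonkey; MemoryTracker, Object, shrinkSlots and the other names are hypothetical stand-ins), a small C++ model of the accounting drift described in the comment above, with and without the fix that keeps the tracked size in step with the slot count:

```cpp
#include <cstddef>
#include <map>
// Hypothetical simplified model (not SpiderMonkey's real MemoryTracker or
// NativeObject) of the accounting drift described in the comment above.
struct MemoryTracker {
    std::map<const void*, size_t> tracked;  // cell -> bytes recorded for it
    void track(const void* cell, size_t nbytes) { tracked[cell] = nbytes; }
    // Like untrackMemory: the caller must pass the size that was recorded.
    // Returns false where a debug build would hit MOZ_CRASH.
    bool untrack(const void* cell, size_t nbytes) {
        auto it = tracked.find(cell);
        if (it == tracked.end() || it->second != nbytes) return false;
        tracked.erase(it);
        return true;
    }
};
struct Object {
    size_t slotCount;    // what the shape says
    size_t bufferBytes;  // what is actually allocated
};
constexpr size_t kSlotSize = sizeof(void*);  // 8 on x86_64
// Shrinking may fail to reallocate (oomTest() in the testcase injects that);
// the failure is ignored but the shape is still updated.
void shrinkSlots(MemoryTracker& mt, Object& obj, size_t newCount,
                 bool reallocFails, bool withFix) {
    size_t oldBytes = obj.bufferBytes;
    size_t newBytes = newCount * kSlotSize;
    if (!reallocFails) obj.bufferBytes = newBytes;
    obj.slotCount = newCount;  // shape updated either way
    if (!reallocFails || withFix) {
        // Fix: re-track with the smaller size so tracking matches slotCount.
        mt.untrack(&obj, oldBytes);
        mt.track(&obj, newBytes);
    }
    // Without the fix, a failed shrink leaves oldBytes recorded.
}
// growSlots (frame #2 of the backtrace) untracks by slot count.
bool growSlotsUntrack(MemoryTracker& mt, Object& obj) {
    return mt.untrack(&obj, obj.slotCount * kSlotSize);
}
// Object with 2 slots, failed shrink to 1, then grow: true means no crash.
bool scenario(bool withFix) {
    MemoryTracker mt;
    Object obj{2, 2 * kSlotSize};
    mt.track(&obj, obj.bufferBytes);
    shrinkSlots(mt, obj, 1, /*reallocFails=*/true, withFix);
    return growSlotsUntrack(mt, obj);
}
```

Without the fix the tracker still holds 0x10 for the cell while the shape implies 0x8, which is exactly the "expected 0x10 but got 0x8" mismatch in the crash title.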

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3f7461516587 Fix memory accounting when shrinking an object's slots fails r=jandem
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69