Closed Bug 1607687 Opened 5 years ago Closed 5 years ago

Crash [@ JS::BigInt::hash() const] with uninitialized memory

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- unaffected
firefox74 + fixed

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect][post-critsmash-triage])


Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20200107-e728bf01a2b6 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

i88 = 1n;                              // BigInt key (BigInts became nursery-allocated in bug 1530372)
var N58 = 1 << 16;                     // 65536 insertions, enough to force several Map rehashes
var m21 = new Map;
for (var set = 0; i88 < N58; i88++)    // BigInt < Number comparison and BigInt ++ are both valid
  m21.set(i88, i88)                    // each set hashes the key; a rehash re-hashes every stored key

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555abf5f9 in JS::BigInt::hash() const ()
#0  0x0000555555abf5f9 in JS::BigInt::hash() const ()
#1  0x00005555559cde0c in js::detail::OrderedHashTable<js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::Entry, js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::MapOps, js::ZoneAllocPolicy>::rehash(unsigned int) ()
#2  0x00005555559cda25 in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::Entry, js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::MapOps, js::ZoneAllocPolicy>::put<js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::Entry>(js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::Entry&&) ()
#3  0x0000555555984834 in js::MapObject::set_impl(JSContext*, JS::CallArgs const&) ()
#4  0x00005555559815f8 in js::MapObject::set(JSContext*, unsigned int, JS::Value*) ()
#5  0x000026528511cb06 in ?? ()
#6  0x00007ffff5856800 in ?? ()
#7  0x00007fffffffb708 in ?? ()
#8  0x0000000000000001 in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0xa889151a9e8	11581669878248
rbx	0xfffe2f2f2f2f2f28	-511070251831512
rcx	0xfffe2f2f2f2f2f2f	-511070251831505
rdx	0xfffc800000000000	-985162418487296
rsi	0x7ffff588a548	140737312761160
rdi	0xfffe2f2f2f2f2f28	-511070251831512
rbp	0x7fffffffb520	140737488336160
rsp	0x7fffffffb510	140737488336144
r8	0x8	8
r9	0x8	8
r10	0x7ffff403fc80	140737287289984
r11	0xffffffffffffff	72057594037927935
r12	0x7ffff3f39fb8	140737286217656
r13	0x48048	294984
r14	0x1fb3	8115
r15	0x12	18
rip	0x555555abf5f9 <JS::BigInt::hash() const+9>
=> 0x555555abf5f9 <_ZNK2JS6BigInt4hashEv+9>:	mov    (%rdi),%rsi
   0x555555abf5fc <_ZNK2JS6BigInt4hashEv+12>:	mov    %rsi,%rax

Marking s-s due to 0x2f crash pattern.

Maybe from the BigInt/nursery changes.

Flags: needinfo?(andrebargull)
Priority: -- → P1
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)

Can you please confirm what bug caused this regression?

Flags: needinfo?(andrebargull)

It's caused by bug 1530372.

Flags: needinfo?(andrebargull)
Regressed by: 1530372
Has Regression Range: --- → yes
Keywords: sec-high

Landed: https://hg.mozilla.org/integration/autoland/rev/3921856d2f138957e39cf57de7ff58925f988462

Backed out for assertion failures on MapObject.cpp:

https://hg.mozilla.org/integration/autoland/rev/0b8b8483d1cf874379f87f8128cd355a509f7013

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cusercancel%2Csuperseded%2Cretry&revision=3921856d2f138957e39cf57de7ff58925f988462
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=284359022&repo=autoland
[task 2020-01-10T10:33:41.293Z] 10:33:41 INFO - REFTEST INFO | Running with e10s: True
[task 2020-01-10T10:33:41.293Z] 10:33:41 INFO - REFTEST INFO | Application command: /Users/cltbld/tasks/task_1578652303/build/application/Firefox NightlyDebug.app/Contents/MacOS/firefox -marionette -foreground -profile /var/folders/2y/x71wv12x60329x9vm15jcyvr000017/T/tmpuG_kRO.mozrunner
[task 2020-01-10T10:33:41.360Z] 10:33:41 INFO - [1658, Unnamed thread 1043412e0] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file /builds/worker/workspace/build/src/xpcom/base/nsTraceRefcnt.cpp, line 198
[task 2020-01-10T10:33:41.360Z] 10:33:41 INFO - ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /var/folders/2y/x71wv12x60329x9vm15jcyvr000017/T/tmpuG_kRO.mozrunner/runreftest_leaks.log
[task 2020-01-10T10:33:41.360Z] 10:33:41 INFO - [1658, Unnamed thread 1043412e0] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file /builds/worker/workspace/build/src/xpcom/base/nsTraceRefcnt.cpp, line 198
[task 2020-01-10T10:33:41.840Z] 10:33:41 INFO - [1658, Main Thread] WARNING: Workers don't support the 'mem.mem.' preference!: file /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp, line 537
[task 2020-01-10T10:33:42.418Z] 10:33:42 INFO - 1578652422409 addons.webextension.doh-rollout@mozilla.org WARN Loading extension 'doh-rollout@mozilla.org': Reading manifest: Invalid extension permission: networkStatus
[task 2020-01-10T10:33:42.440Z] 10:33:42 INFO - Assertion failure: !IsInsideNursery(keyValue.toGCThing()), at /builds/worker/workspace/build/src/js/src/builtin/MapObject.cpp:535
[task 2020-01-10T10:36:41.329Z] 10:36:41 ERROR - TEST-UNEXPECTED-FAIL | None | application terminated with exit code 1

Flags: needinfo?(andrebargull)

Two small additional changes were necessary:

  1. The array needs to be rooted, because key.setValue can now GC.
  2. WriteBarrierPost needs to use key.value() instead of keyVal to avoid triggering the new safety assertion added in D59109: WriteBarrierPost currently only performs an action when key.value() is an object and for objects key.value() is always equal to keyVal, so it didn't matter which value was used when calling WriteBarrierPost. But the new assertion checks that the input isn't in the nursery (and a non-object gc-thing, like strings or bigints) and only key.value() is guaranteed to be a tenured value.

Flags: needinfo?(andrebargull)
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Flags: qe-verify-
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][post-critsmash-triage]
Group: core-security-release
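To make the failure mode behind this report concrete, here is an added stand-alone C++ model; it is not SpiderMonkey code, and every type and function in it (BigIntLike, Heap, hashKey, hashAfterGC_*) is hypothetical. It models a bump-allocated nursery that a minor GC empties and refills with the 0x2f byte seen in the register dump, a BigInt-like key held by raw pointer, and the two behaviours: hashing the stale nursery pointer after the GC versus tenuring the key when it is stored, which is the role the fix gives key.setValue (and why it can now GC).

```cpp
// Added model of the bug class in this report; not SpiderMonkey code.
// Nursery = bump-allocated arena; a minor GC evacuates it and refills it with
// the 0x2f byte (the pattern visible in rbx/rdi in the register dump above).
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <deque>
#include <new>
struct BigIntLike { uint64_t digit; };   // stand-in for a one-digit BigInt key
struct Heap {
  alignas(8) uint8_t nursery[256];       // nursery arena
  size_t top = 0;
  std::deque<BigIntLike> tenured;        // deque: elements never move on push_back
  BigIntLike* allocNursery(uint64_t v) {
    BigIntLike* b = new (nursery + top) BigIntLike{v};
    top += sizeof(BigIntLike);
    return b;
  }
  // Copy a nursery object to tenured storage (the role key.setValue has after the fix).
  BigIntLike* tenure(const BigIntLike* b) {
    tenured.push_back(*b);
    return &tenured.back();
  }
  // Minor GC: nothing in this model roots nursery objects, so all of them are
  // discarded and the arena is poisoned, as for an un-tenured, un-rooted key.
  void minorGC() { std::memset(nursery, 0x2f, sizeof nursery); top = 0; }
};

// Hash by reading the digit through the stored pointer, like BigInt::hash()
// reads digits; memcpy keeps the read well-defined even on poisoned bytes.
static uint64_t hashKey(const BigIntLike* b) {
  uint64_t d;
  std::memcpy(&d, b, sizeof d);
  return d;                              // identity hash suffices for the model
}
// Buggy: the table keeps the raw nursery pointer, so a rehash after the next
// minor GC hashes freed memory (0x2f2f2f2f2f2f2f2f here; a wild read in the engine).
uint64_t hashAfterGC_unsafe(uint64_t v) {
  Heap h;
  BigIntLike* key = h.allocNursery(v);
  h.minorGC();
  return hashKey(key);
}

// Fixed: tenure the key when it is stored, so the pointer survives the GC.
uint64_t hashAfterGC_safe(uint64_t v) {
  Heap h;
  BigIntLike* key = h.tenure(h.allocNursery(v));
  h.minorGC();
  return hashKey(key);
}
```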
