Closed Bug 1643913 Opened 5 years ago Closed 5 years ago

Assertion failure: marker.isDrained(), at js/src/gc/GC.cpp:4866 with Weak References

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox76 --- unaffected
firefox77 --- unaffected
firefox78 --- unaffected
firefox79 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:update,bisected][sec-survey])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200605-dadc7312128e (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager --enable-weak-refs --no-ti):

try {
  // Shell-only: zeal mode 10 runs incremental GC in many slices, scheduling
  // collection work every 27 allocations so GC interleaves with the loop below.
  gczeal(10, 27);
  // evalcx in a fresh compartment returns a cross-compartment wrapper (CCW).
  function ccwToObject() {
    return evalcx('({})', newGlobal({newCompartment: true}));
  }
  function newRegistry() {
    return new FinalizationRegistry(value => {});
  }
  // Every combination of same-compartment object vs. CCW for the registry,
  // target, held value and unregister token.
  for (let w of [false, true]) {
    for (let x of [false, true]) {
      for (let y of [false, true]) {
        for (let z of [false, true]) {
          // ccwToRegistry is not defined in this testcase: the w=true branch
          // throws a ReferenceError, which the outer catch swallows.
          let registry = w ? ccwToRegistry(w) : newRegistry();
          let target = x ? ccwToObject() : {};
          let heldValue = y ? ccwToObject() : {};
          let token = z ? ccwToObject() : {};
          registry.register(target, heldValue, token);
        }
      }
    }
  }
} catch(exc) {}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555627be3d in js::gc::GCRuntime::markGrayReferencesInCurrentGroup(JSFreeOp*, js::SliceBudget&) ()
#1  0x00005555562c22a1 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#2  0x00005555562b1277 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#3  0x000055555628498c in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#4  0x0000555556289b39 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#5  0x000055555628ca0a in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#6  0x000055555628e600 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#7  0x0000555556293df8 in js::gc::GCRuntime::runDebugGC() ()
#8  0x0000555556241763 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#9  0x0000555556243d72 in js::Shape* js::Allocate<js::Shape, (js::AllowGC)1>(JSContext*) ()
#10 0x0000555555d85721 in js::PropertyTree::inlinedGetChild(JSContext*, js::Shape*, JS::Handle<js::StackShape>) ()
#11 0x0000555555d83db9 in js::NativeObject::getChildDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::MutableHandle<js::StackShape>) ()
#12 0x0000555555d8378a in js::NativeObject::addDataPropertyInternal(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, unsigned int, unsigned int, js::ShapeTable*, js::ShapeTable::Entry*, js::AutoKeepShapeCaches const&) ()
#13 0x0000555555cd597b in js::NativeObject::addDataProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, unsigned int, unsigned int) ()
#14 0x0000555555cd8c8c in bool AddOrChangeProperty<(IsAddOrChange)0>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>) ()
#15 0x0000555555cd7b34 in js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#16 0x0000555555c72626 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int, JS::ObjectOpResult&) ()
#17 0x0000555555c728c4 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) ()
#18 0x0000555555c73087 in js::DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*, js::DefineAsIntrinsic) ()
#19 0x0000555555a3dacb in JS_DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*) ()
#20 0x0000555555b6833d in js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, js::GlobalObject::IfClassIsDisabled) ()
#21 0x0000555555a0776d in CreateObjectConstructor(JSContext*, JSProtoKey) ()
#22 0x0000555555b6813b in js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, js::GlobalObject::IfClassIsDisabled) ()
#23 0x00005555559a2cc8 in js::GlobalObject::getOrCreateObjectPrototype(JSContext*, JS::Handle<js::GlobalObject*>) ()
#24 0x0000555555bdd591 in CreateReflectObject(JSContext*, JSProtoKey) ()
#25 0x0000555555b6813b in js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, js::GlobalObject::IfClassIsDisabled) ()
#26 0x0000555555a29fa0 in JS_ResolveStandardClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) ()
#27 0x0000555555cd5e42 in bool js::LookupOwnPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyResult, (js::AllowGC)1>::MutableHandleType, bool*) ()
#28 0x0000555555cdc166 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#29 0x0000555555811e98 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#30 0x0000555555811cf5 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#31 0x0000555555baf8d4 in JS_InitReflectParse(JSContext*, JS::Handle<JSObject*>) ()
#32 0x00005555557cd48a in NewGlobalObject(JSContext*, JS::RealmOptions&, JSPrincipals*, ShellGlobalKind) ()
#33 0x00005555557e2e22 in NewGlobal(JSContext*, unsigned int, JS::Value*) ()
#34 0x0000266716822d5f in ?? ()
#35 0x0000000000000000 in ?? ()
rax	0x55555708b6d6	93825020770006
rbx	0x7ffff601b060	140737320693856
rcx	0x555558365980	93825040537984
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffa730	140737488332592
rsp	0x7fffffffa6d0	140737488332496
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff601b090	140737320693904
r13	0x7ffff6027000	140737320742912
r14	0x7ffff6029718	140737320752920
r15	0x7fffffffaa40	140737488333376
rip	0x55555627be3d <js::gc::GCRuntime::markGrayReferencesInCurrentGroup(JSFreeOp*, js::SliceBudget&)+1085>
=> 0x55555627be3d <_ZN2js2gc9GCRuntime32markGrayReferencesInCurrentGroupEP8JSFreeOpRNS_11SliceBudgetE+1085>:	movl   $0x1302,0x0
   0x55555627be48 <_ZN2js2gc9GCRuntime32markGrayReferencesInCurrentGroupEP8JSFreeOpRNS_11SliceBudgetE+1096>:	callq  0x55555583f75e <abort>

Marking s-s because this is a GC assert and weak references are enabled on Nightly.

Attached file Testcase
Severity: critical → --
Assignee: nobody → jcoppeard

Sweeping finalization records can push marking working in zones that are still marking, so we may need to drain the mark stack again after this happens.

Severity: -- → S4
Priority: -- → P1
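The invariant in the comment above, as an added example that is not SpiderMonkey's code: a simplified single-zone C++ model of a mark stack, the drain step, and a sweep of finalization records that marks the held value of every record whose target died. Marking that held value pushes new work onto the stack after the main drain has finished; if gray marking then starts on the assumption that the stack is empty, cells reachable only through that queued work are still unmarked. The names (Marker, FinalizationRecord, runCollection), the record layout and the single-zone simplification are assumptions of this model; the real engine sweeps per zone group, as the backtrace shows.

```cpp
#include <cstdio>
#include <vector>

namespace gcmodel {

// Mark colours: White = not yet reached, Black = reached and kept alive.
enum class Color { White, Black };

struct Cell {
  Color color = Color::White;
  std::vector<Cell*> edges;  // outgoing strong references
};

// Minimal mark stack: the analogue of the marker whose isDrained() is asserted.
struct Marker {
  std::vector<Cell*> stack;

  bool isDrained() const { return stack.empty(); }

  void markAndPush(Cell* c) {
    if (c->color == Color::White) {
      c->color = Color::Black;
      stack.push_back(c);
    }
  }

  void drain() {
    while (!stack.empty()) {
      Cell* c = stack.back();
      stack.pop_back();
      for (Cell* e : c->edges) markAndPush(e);
    }
  }
};

// A finalization record (hypothetical layout): the registry references
// `target` weakly but must keep `heldValue` alive until the cleanup callback
// has consumed it.
struct FinalizationRecord {
  Cell* target;
  Cell* heldValue;
};

// Sweeping records: one whose target died (still White after marking) is
// queued for cleanup, so its held value is marked now. That is new marking
// work pushed onto the stack after the main drain already finished.
void sweepFinalizationRecords(Marker& marker,
                              const std::vector<FinalizationRecord>& records) {
  for (const FinalizationRecord& r : records) {
    if (r.target->color == Color::White) marker.markAndPush(r.heldValue);
  }
}

struct Outcome {
  bool drainedBeforeGrayMarking;  // the invariant asserted in the report
  bool heldValueGraphMarked;      // held value and what it references
};

// One modelled collection. `targetAlive`: the registered target is rooted.
// `drainAfterSweep`: use the corrected order and drain again after sweeping.
Outcome runCollection(bool targetAlive, bool drainAfterSweep) {
  Cell root, target, heldValue, heldChild;
  heldValue.edges.push_back(&heldChild);
  if (targetAlive) root.edges.push_back(&target);
  std::vector<FinalizationRecord> records{{&target, &heldValue}};
  Marker marker;

  marker.markAndPush(&root);  // 1. mark from roots and drain
  marker.drain();
  sweepFinalizationRecords(marker, records);  // 2. may push new work
  if (drainAfterSweep) marker.drain();        // 3. corrected order
  // 4. Gray marking starts here and requires an empty mark stack. With work
  //    still queued, heldChild is reachable but unmarked at this point.
  Outcome out;
  out.drainedBeforeGrayMarking = marker.isDrained();
  out.heldValueGraphMarked =
      heldValue.color == Color::Black && heldChild.color == Color::Black;
  return out;
}

}  // namespace gcmodel

int main() {
  gcmodel::Outcome buggy = gcmodel::runCollection(false, false);
  gcmodel::Outcome fixed = gcmodel::runCollection(false, true);
  std::printf("buggy order: drained=%d held graph marked=%d\n",
              buggy.drainedBeforeGrayMarking, buggy.heldValueGraphMarked);
  std::printf("fixed order: drained=%d held graph marked=%d\n",
              fixed.drainedBeforeGrayMarking, fixed.heldValueGraphMarked);
  return 0;
}
```

With a live target the record is never swept, nothing is pushed, and the assertion holds in either order; the failing case needs a dead target whose held value was not otherwise reached by marking, which is why the testcase varies the held value between a plain object and a CCW.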

Marking this sec-moderate as weak refs are nightly-only and off by default.

Keywords: sec-moderate

This should still be marked sec-high, even though it is disabled. Especially given that you are trying to ship it soon.

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200608213811-63dc5e9b1b02. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected]
Bugmon Analysis: The bug appears to have been fixed in the following build range:
> Start: e35471f49dcdcfb0528fa4f207783bffc7455d12 (20200608180541)
> End: df92453142f2fcb0b4d805d6a3c2b3ea2e4f9572 (20200608180643)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e35471f49dcdcfb0528fa4f207783bffc7455d12&tochange=df92453142f2fcb0b4d805d6a3c2b3ea2e4f9572
Blocks: 1561074

As part of a security bug pattern analysis, we are requesting your help with a high-level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(jcoppeard)
Whiteboard: [bugmon:update,bisected] → [bugmon:update,bisected][sec-survey]
Flags: needinfo?(jcoppeard)
Regressed by: 1615362
Has Regression Range: --- → yes
Group: core-security-release
