Closed Bug 1666880 Opened 5 years ago Closed 5 years ago

Assertion failure: !marker->tracingZone, at gc/Marking.cpp:504 with TypedObject and BigInt

Categories: Core :: JavaScript: GC, defect, P1
Platform: x86_64 Linux
Status: VERIFIED FIXED (83 Branch)
Tracking Status:
firefox-esr78 --- unaffected
firefox82 --- wontfix
firefox83 --- verified
People: Reporter: decoder, Assigned: jonco
References: Regression
Keywords: assertion, regression, testcase
Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 20200923-7927a1705247 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

var T84 = TypedObject;
ValueStruct = new T84.StructType({
    g89: T84.Any              // field of type Any can hold a BigInt
});
var v82 = new ValueStruct;
a20 = BigInt(-1);
var c18 = v82.g89 = a20;      // store the BigInt in the typed object's field
gczeal(2);                    // GC zeal mode 2: collect at allocation time
if (line == null) {}          // `line` is not defined: allocating the ReferenceError object triggers the GC (see ReportIsNotDefined / ErrorObject::create in the backtrace)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  AutoSetTracingSource::AutoSetTracingSource<JS::BigInt> (this=this@entry=0x7fffffffa968, trc=<optimized out>, trc@entry=0x7ffff602a3d0, thing=thing@entry=0x2cc891c9f030) at js/src/gc/Marking.cpp:504
#1  0x0000555557661725 in js::GCMarker::markAndTraceChildren<JS::BigInt> (this=0x7ffff602a3d0, thing=0x2cc891c9f030) at js/src/gc/Marking.cpp:1020
#2  js::GCMarker::traverse<JS::BigInt*> (this=0x7ffff602a3d0, thing=0x2cc891c9f030) at js/src/gc/Marking.cpp:1035
#3  js::GCMarker::traverseEdge<JSObject*, JS::BigInt> (this=0x7ffff602a3d0, source=0x2cc891ca1040, target=0x2cc891c9f030) at js/src/gc/Marking.cpp:1142
[...]
#8  js::GCMarker::traverseEdge<JSObject*, JS::Value> (this=<optimized out>, source=<optimized out>, thing=...) at js/src/gc/Marking.cpp:1147
#9  js::gc::VisitTraceList(JSTracer*, JSObject*, unsigned int const*, unsigned char*)::$_7::operator()<JS::Value*> (thingp=0x7ffff7105770 <_IO_stdfile_2_lock>, this=<optimized out>) at js/src/gc/Marking.cpp:1667
#10 VisitTraceListWithFunctor<js::gc::VisitTraceList(JSTracer*, JSObject*, unsigned int const*, unsigned char*)::$_7>(js::gc::VisitTraceList(JSTracer*, JSObject*, unsigned int const*, unsigned char*)::$_7 const&, unsigned int const*, unsigned char*) (f=..., traceList=<optimized out>, memory=0x2cc891ca1050 "0\360ɑȬ\374\377------\376\377") at js/src/gc/Marking.cpp:1650
#11 js::gc::VisitTraceList (trc=<optimized out>, trc@entry=0x7ffff602a3d0, obj=obj@entry=0x2cc891ca1040, traceList=<optimized out>, memory=memory@entry=0x2cc891ca1050 "0\360ɑȬ\374\377------\376\377") at js/src/gc/Marking.cpp:1666
#12 0x000055555726dc28 in js::InlineTypedObject::obj_trace (trc=0x7ffff602a3d0, object=0x2cc891ca1040) at js/src/builtin/TypedObject.cpp:2214
#13 0x0000555557632c41 in JSClass::doTrace (this=0x55555845eca0 <js::InlineOpaqueTypedObject::class_>, trc=0x7ffff602a3d0, obj=0x2cc891ca1040) at dist/include/js/Class.h:789
#14 CallTraceHook (trc=trc@entry=0x7ffff602a3d0, obj=obj@entry=0x2cc891ca1040) at js/src/gc/Marking.cpp:1627
#15 0x000055555762a281 in js::GCMarker::processMarkStackTop (this=<optimized out>, this@entry=0x7ffff602a3d0, budget=...) at js/src/gc/Marking.cpp:2092
#16 0x000055555762a7d5 in js::GCMarker::markUntilBudgetExhausted (this=0x7ffff602a3d0, budget=..., reportTime=js::GCMarker::ReportMarkTime) at js/src/gc/Marking.cpp:1846
#17 0x00005555575ce575 in js::gc::GCRuntime::markUntilBudgetExhausted (this=<optimized out>, this@entry=0x7ffff6029740, sliceBudget=..., reportTime=js::GCMarker::ReportMarkTime) at js/src/gc/GC.cpp:5652
#18 0x00005555575db7ea in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff6029740, budget=..., gckind=..., reason=<optimized out>, reason@entry=JS::GCReason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:6784
#19 0x00005555575de40a in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6029740, nonincrementalByAPI=true, budget=..., gckind=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7238
#20 0x00005555575dff79 in js::gc::GCRuntime::collect (this=0x7ffff6029740, nonincrementalByAPI=false, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7473
#21 0x00005555575e56c2 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff6029740) at js/src/gc/GC.cpp:8064
#22 0x0000555557593ce3 in js::gc::GCRuntime::gcIfNeededAtAllocation (this=0x7ffff6029740, cx=0x7ffff6027000, cx@entry=0x13) at js/src/gc/Allocator.cpp:445
#23 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff6029740, cx=cx@entry=0x7ffff6027000, kind=kind@entry=js::gc::AllocKind::SHAPE) at js/src/gc/Allocator.cpp:407
#24 0x00005555575965c2 in js::Allocate<js::Shape, (js::AllowGC)1> (cx=cx@entry=0x7ffff6027000) at js/src/gc/Allocator.cpp:332
#25 0x0000555557105ce0 in js::Shape::new_ (cx=0x7ffff6027000, other=..., nfixed=<optimized out>) at js/src/vm/Shape-inl.h:112
#26 js::PropertyTree::inlinedGetChild (this=this@entry=0x7ffff6072e40, cx=<optimized out>, cx@entry=0x7ffff6027000, parent=<optimized out>, childSpec=childSpec@entry=...) at js/src/vm/Shape.cpp:1878
#27 0x000055555710444c in js::NativeObject::getChildDataProperty (cx=cx@entry=0x7ffff6027000, obj=obj@entry=..., parent=parent@entry=..., child=child@entry=...) at js/src/vm/Shape.cpp:435
#28 0x0000555557103df2 in js::NativeObject::addDataPropertyInternal (cx=0x7ffff6027000, obj=..., id=..., slot=3, attrs=<optimized out>, table=0x0, entry=0x0, keep=...) at js/src/vm/Shape.cpp:728
#29 0x000055555706a886 in js::NativeObject::addDataProperty (cx=cx@entry=0x7ffff6027000, obj=obj@entry=..., id=id@entry=..., slot=1481706760, slot@entry=3, attrs=4145043312, attrs@entry=0) at js/src/vm/Shape-inl.h:436
#30 0x000055555706a5ca in js::NativeObject::addDataProperty (cx=0x7ffff6027000, obj=..., name=..., slot=3, attrs=0) at js/src/vm/NativeObject.cpp:1288
#31 0x0000555556efaf5a in js::ErrorObject::assignInitialShape (cx=cx@entry=0x7ffff6027000, obj=obj@entry=...) at js/src/vm/ErrorObject.cpp:421
#32 0x0000555556efb979 in js::EmptyShape::ensureInitialCustomShape<js::ErrorObject> (cx=cx@entry=0x7ffff6027000, obj=...) at js/src/vm/Shape-inl.h:241
#33 0x0000555556efb193 in js::ErrorObject::init (cx=cx@entry=0x7ffff6027000, obj=..., type=type@entry=JSEXN_REFERENCEERR, errorReport=..., fileName=fileName@entry=..., stack=..., sourceId=2, lineNumber=9, columnNumber=5, message=...) at js/src/vm/ErrorObject.cpp:445
#34 0x0000555556efbef2 in js::ErrorObject::create (cx=0x7ffff6027000, errorType=JSEXN_REFERENCEERR, stack=..., fileName=..., sourceId=<optimized out>, lineNumber=9, columnNumber=5, report=..., message=..., protoArg=...) at js/src/vm/ErrorObject.cpp:519
#35 0x0000555556e0b551 in js::ErrorToException (cx=cx@entry=0x7ffff6027000, reportp=reportp@entry=0x7fffffffb580, callback=<optimized out>, callback@entry=0x555556ef9950 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0) at js/src/jsexn.cpp:341
#36 0x0000555556effb4f in ReportError (cx=0x7ffff6027000, reportp=0x7fffffffb580, callback=0x555556ef9950 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0) at js/src/vm/ErrorReporting.cpp:164
#37 js::ReportErrorNumberVA (cx=cx@entry=0x7ffff6027000, isWarning=isWarning@entry=js::IsWarning::No, callback=callback@entry=0x555556ef9950 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1, argumentsType=<optimized out>, argumentsType@entry=js::ArgumentsAreUTF8, ap=0x7fffffffb6e0) at js/src/vm/ErrorReporting.cpp:477
#38 0x0000555556ddbd6f in JS_ReportErrorNumberUTF8VA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=0x7fffffffb6e0) at js/src/jsapi.cpp:4752
#39 JS_ReportErrorNumberUTF8 (cx=cx@entry=0x7ffff6027000, errorCallback=0x555556ef9950 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1) at js/src/jsapi.cpp:4742
#40 0x0000555556fdf2a5 in js::ReportIsNotDefined (cx=0x7ffff6027000, id=...) at js/src/vm/JSContext.cpp:518
#41 js::ReportIsNotDefined (cx=cx@entry=0x7ffff6027000, name=...) at js/src/vm/JSContext.cpp:525
#42 0x0000555556cd6a9e in js::FetchName<(js::GetNameMode)0> (cx=cx@entry=0x7ffff6027000, receiver=receiver@entry=..., holder=..., holder@entry=..., name=..., name@entry=..., prop=..., prop@entry=..., vp=...) at js/src/vm/Interpreter-inl.h:145
#43 0x0000555556d09102 in js::GetEnvironmentName<(js::GetNameMode)0> (cx=cx@entry=0x7ffff6027000, envChain=..., envChain@entry=..., name=name@entry=..., vp=..., vp@entry=...) at js/src/vm/Interpreter-inl.h:220
#44 0x0000555556ce292d in GetNameOperation (cx=0x7ffff6027000, fp=0x7ffff60a1028, pc=0x7ffff598934e "\273\r", vp=...) at js/src/vm/Interpreter.cpp:247
#45 Interpret (cx=cx@entry=0x7ffff6027000, state=...) at js/src/vm/Interpreter.cpp:3475
#46 0x0000555556cd849e in js::RunScript (cx=cx@entry=0x7ffff6027000, state=...) at js/src/vm/Interpreter.cpp:469
[...]
#55 0x0000555556b61369 in main (argc=5, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11644
rax	0x555555887e2f	93824995589679
rbx	0x7ffff602a500	140737320756480
rcx	0x555558510d08	93825042287880
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffa950	140737488333136
rsp	0x7fffffffa930	140737488333104
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99e00	140737353719296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff6072000	140737321050112
r13	0x2cc891c9f030	49239951011888
r14	0x7fffffffa968	140737488333160
r15	0x2cc891c9f030	49239951011888
rip	0x55555766b92a <AutoSetTracingSource::AutoSetTracingSource<JS::BigInt>(JSTracer*, JS::BigInt*)+298>
=> 0x55555766b92a <AutoSetTracingSource::AutoSetTracingSource<JS::BigInt>(JSTracer*, JS::BigInt*)+298>:	movl   $0x1f8,0x0
   0x55555766b935 <AutoSetTracingSource::AutoSetTracingSource<JS::BigInt>(JSTracer*, JS::BigInt*)+309>:	callq  0x555556befa82 <abort()>

Not sure if this is a dup of one of the other TypedObject bugs but filing to be sure.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200923212316-efc5aeff23bd.
The bug appears to have been introduced in the following build range:

Start: 054f617aae4806943b8b4d7a535e3dee152bcbf4 (20200831161327)
End: 888af600c1740fb1192bdb7892dc3a210d49587a (20200831161537)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=054f617aae4806943b8b4d7a535e3dee152bcbf4&tochange=888af600c1740fb1192bdb7892dc3a210d49587a

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This assertion means we didn't update our compartment checking information correctly, but it doesn't indicate that anything actually went wrong. This is not security sensitive.

Assignee: nobody → jcoppeard
Group: javascript-core-security
Severity: -- → N/A
Priority: -- → P1

Rather than calling GCMarker::traverseEdge directly, call DoMarking because
this also handles checking/clearing the expected compartment information in
debug builds, the lack of which is causing this assertion failure.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2473b27ab004 Make VisitTraceList update expected compartment information r=sfink
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200926211645-cb8232ebe212.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite+
Regressed by: 1661718
Has Regression Range: --- → yes