Assertion failure: linearStr->JSString::isLinear(), at gc/Marking.cpp:1329
Categories
(Core :: JavaScript: GC, defect, P1)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox86 | --- | unaffected
firefox87 | --- | unaffected
firefox88 | + | verified
People
(Reporter: decoder, Assigned: jonco)
References
(Regression)
Details
(5 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker][sec-survey])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210317-4d4bc56f77a1 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
gczeal(4);  // GC zeal mode 4: verify pre-write barriers
function a() {
  "".padStart(10000).startsWith();  // padStart yields a rope; startsWith flattens it (JSRope::flatten in the backtrace)
  a();  // recurse until the engine reports too much recursion, repeating the flatten many times
}
a();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x000055ad1a2ed39b in js::GCMarker::eagerlyMarkChildren(JSLinearString*) ()
#1 0x000055ad1a2bfe9b in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#2 0x000055ad1a2abf10 in js::GCMarker::traceBarrieredCells(js::SliceBudget&) ()
#3 0x000055ad1a2a6aa7 in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) ()
#4 0x000055ad19e22756 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSContext*) ()
#5 0x000055ad19dfbd1f in JSRope::flatten(JSContext*) ()
#6 0x000055ad19c05308 in js::str_startsWith(JSContext*, unsigned int, JS::Value*) ()
#7 0x00002737d65ff3cf in ?? ()
#8 0x00002737d6604b21 in ?? ()
#9 0x00007ffd0be7b370 in ?? ()
#10 0x0000000000000000 in ?? ()
rax 0x55ad185d01ec 94201926451692
rbx 0x90dc3430b38 9954715175736
rcx 0x55ad1ae484f8 94201968887032
rdx 0x1 1
rsi 0x0 0
rdi 0x7fb50fe704b0 140415632606384
rbp 0x7ffd0be7b0c0 140724803186880
rsp 0x7ffd0be7b0b0 140724803186864
r8 0x0 0
r9 0x71 113
r10 0x55ad183d7ed9 94201924386521
r11 0x7fb50fd074c0 140415631127744
r12 0x0 0
r13 0x90dc3430a18 9954715175448
r14 0x7fb50ed49400 140415614620672
r15 0x0 0
rip 0x55ad1a2ed39b <js::GCMarker::eagerlyMarkChildren(JSLinearString*)+491>
=> 0x55ad1a2ed39b <_ZN2js8GCMarker19eagerlyMarkChildrenEP14JSLinearString+491>: movl $0x531,0x0
0x55ad1a2ed3a6 <_ZN2js8GCMarker19eagerlyMarkChildrenEP14JSLinearString+502>: callq 0x55ad198d3cb4 <abort>
S-s since this is a GC-assert with potential security impact.
Comment 2•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210318041543-973d2593ee6b.
The bug appears to have been introduced in the following build range:
Start: 0294b90300aa270b2ef257229a7dcacc68408ae5 (20210317083132)
End: fabb8df993fb044dbf52c3c74f6d679cd42c7f73 (20210317090338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0294b90300aa270b2ef257229a7dcacc68408ae5&tochange=fabb8df993fb044dbf52c3c74f6d679cd42c7f73
Comment 5•4 years ago (Assignee)
It turns out that the patch for bug 1698543 was too optimistic and we need the special case barrier for rope flattening for another reason: during flattening rope nodes are transformed before their ancestors. Interior rope nodes are transformed to dependent strings with the base being the root node, and the root transformed into a linear string. Since the root is changed last the GC graph is not safe to traverse until flattening has finished.
This makes the test case pass. I added this test case and the one for the previous bug. I don't think we need to hide these since this change has only been on nightly so far.
If there are further issues with this then I'm going to back out the barrier changes and think about an alternative approach.
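The ordering described in comment 5 is easy to see in a small model. What follows is an added example, not SpiderMonkey code: Str, leaf, rope, flatten, markLinearChildren and charsOf are names invented here, the engine's string kinds are reduced to Rope, Linear and Dependent, and the two demo functions build a constructed three-leaf rope. markLinearChildren stands in for the base-chain walk that GCMarker::eagerlyMarkChildren(JSLinearString*) performs on a dependent string, with the isLinear() assertion from the title turned into a return value; flatten converts interior rope nodes into dependent strings on the root before the root itself becomes linear, and the afterNode callback stands in for a barrier tracer that gets to run in between.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Toy model of the string cells involved (not SpiderMonkey's own code).
// A Rope has two children; a Linear string owns its chars; a Dependent
// string is linear but borrows a range of chars from a base string.
enum class Kind { Rope, Linear, Dependent };

struct Str {
    Kind kind = Kind::Linear;
    std::string chars;        // owned only when kind == Linear
    Str* left = nullptr;      // children when kind == Rope
    Str* right = nullptr;
    Str* base = nullptr;      // set only when kind == Dependent
    std::size_t offset = 0;   // start of this string's chars within base
    std::size_t length = 0;
    bool isLinear() const { return kind != Kind::Rope; }
    bool hasBase() const { return kind == Kind::Dependent; }
};

// Cell constructors for the demo; cells live on the caller's stack.
Str leaf(std::string s) {
    Str c; c.length = s.size(); c.chars = std::move(s); return c;
}
Str rope(Str* l, Str* r) {
    Str c; c.kind = Kind::Rope; c.left = l; c.right = r; c.length = l->length + r->length; return c;
}

// Model of the base-chain walk in GCMarker::eagerlyMarkChildren(JSLinearString*).
// The engine asserts that every base is linear; the model returns false
// instead so a test can observe the failure.
bool markLinearChildren(const Str* s) {
    while (s->hasBase()) {
        s = s->base;
        if (!s->isLinear()) return false;  // linearStr->JSString::isLinear() fails here
    }
    return true;
}

// Flatten in the order comment 5 describes: interior rope nodes become
// dependent strings whose base is the root, and the root becomes Linear only
// after all of them. afterNode stands in for a barrier tracer that runs while
// flattening is in progress: it sees each node right after it is transformed.
// Leaves are Linear in this model.
void flatten(Str* root, const std::function<void(Str*)>& afterNode) {
    std::string buf;
    std::function<void(Str*)> visit = [&](Str* s) {
        if (s->kind == Kind::Linear) { buf += s->chars; return; }
        std::size_t start = buf.size();
        visit(s->left);
        visit(s->right);
        if (s == root) return;      // the root is transformed last, below
        s->kind = Kind::Dependent;  // interior node -> dependent string ...
        s->base = root;             // ... whose base is still a Rope here
        s->offset = start;
        s->left = s->right = nullptr;
        afterNode(s);
    };
    visit(root);
    root->kind = Kind::Linear;
    root->chars = std::move(buf);
    root->left = root->right = nullptr;
    afterNode(root);
}

// Resolve a string's chars; only meaningful once flattening has finished.
std::string charsOf(const Str* s) {
    return s->hasBase() ? s->base->chars.substr(s->offset, s->length) : s->chars;
}

// Builds ("ab" + "cd") + "ef" and lets the tracer run mid-flatten. Returns
// true if it saw a dependent string whose base was not yet linear, which is
// the state behind the assertion in this bug.
bool tracerSeesNonLinearBaseDuringFlatten() {
    Str ab = leaf("ab"), cd = leaf("cd"), ef = leaf("ef");
    Str inner = rope(&ab, &cd);
    Str root = rope(&inner, &ef);
    bool sawBadBase = false;
    flatten(&root, [&](Str* s) { sawBadBase = sawBadBase || !markLinearChildren(s); });
    return sawBadBase;
}

// Same rope, but marking is deferred until flatten() has returned: every
// base is linear and the dependent string resolves to the right chars.
bool markingAfterFlattenIsSafe() {
    Str ab = leaf("ab"), cd = leaf("cd"), ef = leaf("ef");
    Str inner = rope(&ab, &cd);
    Str root = rope(&inner, &ef);
    std::vector<Str*> transformed;
    flatten(&root, [&](Str* s) { transformed.push_back(s); });
    for (const Str* s : transformed) {
        if (!markLinearChildren(s)) return false;
    }
    return charsOf(&root) == "abcdef" && charsOf(&inner) == "abcd";
}
```

The first function reproduces the shape of the failure: the interior node has already been rewritten as a dependent string on the root while the root is still a rope, so any tracer that follows base pointers at that moment reaches a non-linear cell. The second shows that the same graph is consistent once the root has been made linear, which is why the fix defers the barrier work until flattening completes rather than changing the transformation order.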
Comment 7•4 years ago (Assignee)
I'm going to land this even though soft freeze started today as it seems to be causing problems.
Comment 10•4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210319095339-092ee6b0c9f2.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 11•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.