Closed Bug 1704451 Opened 3 years ago Closed 3 years ago

Assertion failure: isDouble(), at js/Value.h:863 with createShapeSnapshot

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210411-1d03336aafcf (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

enableShellAllocationMetadataBuilder();   // shell-only: allocate a metadata object for every new object
gczeal(9,1);                               // GC zeal mode 9, frequency 1: a collection can land on any allocation
var o86 = {x76: 1, y86: 2};
var snapshot = createShapeSnapshot(o86);   // metadata allocation inside create() triggers a GC before the reserved slot is set

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555707abf8 in ShapeSnapshotObject::snapshot() const ()
#1  0x000055555706d529 in ShapeSnapshotObject::trace(JSTracer*, JSObject*) ()
#2  0x000055555745f66a in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#3  0x0000555557460115 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#4  0x0000555557406695 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#5  0x0000555557413bbe in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#6  0x0000555557416a1d in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#7  0x0000555557417d8c in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#8  0x000055555741d608 in js::gc::GCRuntime::runDebugGC() ()
#9  0x00005555573cac36 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#10 0x00005555573caace in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*) ()
#11 0x0000555556bf0591 in js::ArrayObject::createArrayInternal(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, js::AutoSetNewObjectMetadata&) ()
#12 0x0000555556bd279c in js::ArrayObject::createArray(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, unsigned int, js::AutoSetNewObjectMetadata&) ()
#13 0x0000555556bd12af in js::ArrayObject* NewArray<0u>(JSContext*, unsigned int, JS::Handle<JSObject*>, js::NewObjectKind) ()
#14 0x000055555706b7fa in ShellAllocationMetadataBuilder::build(JSContext*, JS::Handle<JSObject*>, js::AutoEnterOOMUnsafeRegion&) const ()
#15 0x0000555556f0fd7c in JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>) ()
#16 0x0000555556b198fb in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>) ()
#17 0x0000555556e7725a in NewObject(JSContext*, JS::Handle<js::TaggedProto>, JSClass const*, js::gc::AllocKind, js::NewObjectKind, js::EnumFlags<js::ObjectFlag>) ()
#18 0x0000555556e76b97 in js::NewObjectWithGivenTaggedProto(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, js::EnumFlags<js::ObjectFlag>) ()
#19 0x000055555706e950 in ShapeSnapshotObject::create(JSContext*, JS::Handle<JSObject*>) ()
#20 0x0000555557093b44 in CreateShapeSnapshot(JSContext*, unsigned int, JS::Value*) ()
#21 0x0000555556b86c01 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#33 0x00005555569f59cb in main ()
rax	0x555555796705	93824994600709
rbx	0x19ec2967c140	28502097641792
rcx	0x555558000128	93825036976424
rdx	0x0	0
rsi	0x7ffff6abd770	140737331844976
rdi	0x7ffff6abc540	140737331840320
rbp	0x7fffffffad80	140737488334208
rsp	0x7fffffffad70	140737488334192
r8	0x7ffff6abd770	140737331844976
r9	0x7ffff7fe3840	140737354020928
r10	0x0	0
r11	0x0	0
r12	0x7ffff5749478	140737311446136
r13	0x7fffffffb070	140737488334960
r14	0x7ffff5749418	140737311446040
r15	0x19ec2967c128	28502097641768
rip	0x55555707abf8 <ShapeSnapshotObject::snapshot() const+152>
=> 0x55555707abf8 <_ZNK19ShapeSnapshotObject8snapshotEv+152>:	movl   $0x35f,0x0
   0x55555707ac03 <_ZNK19ShapeSnapshotObject8snapshotEv+163>:	callq  0x555556a7ff8f <abort>

Might be a shell-only issue with the new testing function, but marking s-s until triaged.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210411210108-1d03336aafcf.
The bug appears to have been introduced in the following build range:

Start: db07bdd11e66aa113b9ef701d8548364a61e177b (20210410075200)
End: e1ed88d29409462d3d147418dffd02f61e460618 (20210410091813)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=db07bdd11e66aa113b9ef701d8548364a61e177b&tochange=e1ed88d29409462d3d147418dffd02f61e460618

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

I took a quick look at this in case it was the bug I've been trying to find in my NewObject patch. Sadly, it's not: the problem here is just that ShapeSnapshotObject::trace assumes that the reserved slot is initialized, but if we GC while allocating the allocation metadata, then the slot can still be undefined.

This isn't s-s. It can only happen with the new testing function, and if the assertion didn't fail then we'd crash immediately trying to dereference 0xfff9800000000000 (UndefinedValue()), which is not a valid usermode pointer.

Group: javascript-core-security
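The failure mode described in the comment above, modelled as an added C++ illustration (this is not SpiderMonkey's code; every type, function and name below is a constructed stand-in): a toy heap forces a GC while a new object's allocation metadata is being built, and the trace hook that assumes the reserved slot is initialized is shown beside the one that checks for undefined first.

```cpp
// Added illustration, not SpiderMonkey source: a toy heap reproduces the sequence
// "GC runs while the allocation metadata is being built, before the reserved
// slot is set", and shows the trace hook that assumes the slot is initialized
// beside the one that checks for undefined. All names below are constructed.
#include <cstdio>
#include <vector>

// Stand-in for a tagged JS::Value that is either undefined or a private pointer.
struct Value {
  bool undefined = true;
  void* priv = nullptr;
  static Value undefinedValue() { return Value(); }
  static Value privateValue(void* p) { Value v; v.undefined = false; v.priv = p; return v; }
  bool isUndefined() const { return undefined; }
};

// Number of times a hook used an undefined slot as a pointer. In the engine
// this is the isDouble() assertion in a debug build, or a wild dereference of
// the UndefinedValue() bit pattern in an optimized one.
static int g_undefinedDerefs = 0;

// Models an unchecked toPrivate(): records the misuse instead of aborting.
static void* toPrivateUnchecked(const Value& v) {
  if (v.isUndefined()) { ++g_undefinedDerefs; return nullptr; }
  return v.priv;
}

struct ShapeSnapshot {
  int timesTraced = 0;
  void trace() { ++timesTraced; }
};

// Object with one reserved slot; it stays undefined until create() stores the snapshot.
struct ShapeSnapshotObject {
  Value snapshotSlot = Value::undefinedValue();
};

using TraceHook = void (*)(ShapeSnapshotObject*);

// Hook as described in the bug: assumes the slot already holds the snapshot.
static void traceAssumingInitialized(ShapeSnapshotObject* obj) {
  ShapeSnapshot* snap = static_cast<ShapeSnapshot*>(toPrivateUnchecked(obj->snapshotSlot));
  if (snap) snap->trace();
}

// Hardened hook: an object the GC sees before its slot is filled in has nothing to trace yet.
static void traceCheckingSlot(ShapeSnapshotObject* obj) {
  if (obj->snapshotSlot.isUndefined()) return;
  static_cast<ShapeSnapshot*>(obj->snapshotSlot.priv)->trace();
}

// Toy heap: a GC traces every live object through the installed hook.
struct Heap {
  std::vector<ShapeSnapshotObject*> objects;
  TraceHook hook = nullptr;
  bool gcOnNextAllocation = false;  // plays the role of gczeal: force a GC during allocation
  void gc() { for (ShapeSnapshotObject* o : objects) hook(o); }
  // Models NativeObject::create() -> setNewObjectMetadata(): the metadata builder
  // allocates, and that allocation can trigger a GC before the caller has
  // initialized the new object's reserved slots.
  ShapeSnapshotObject* allocateWithMetadata() {
    ShapeSnapshotObject* obj = new ShapeSnapshotObject();
    objects.push_back(obj);
    if (gcOnNextAllocation) { gcOnNextAllocation = false; gc(); }
    return obj;
  }
};

struct Outcome { int undefinedDerefs; int tracedAfterInit; };

// Runs the testcase's sequence: allocate with a GC forced mid-allocation, finish
// initialization (what create() does after NewObject returns), then GC once more.
static Outcome simulate(TraceHook hook) {
  g_undefinedDerefs = 0;
  ShapeSnapshot snapshot;
  Heap heap;
  heap.hook = hook;
  heap.gcOnNextAllocation = true;
  ShapeSnapshotObject* obj = heap.allocateWithMetadata();   // GC fires here, slot still undefined
  obj->snapshotSlot = Value::privateValue(&snapshot);       // create() stores the snapshot
  heap.gc();                                                // a later GC sees an initialized slot
  Outcome out = {g_undefinedDerefs, snapshot.timesTraced};
  for (ShapeSnapshotObject* o : heap.objects) delete o;
  return out;
}

static int undefinedDerefsWith(TraceHook hook) { return simulate(hook).undefinedDerefs; }
static int tracesAfterInitWith(TraceHook hook) { return simulate(hook).tracedAfterInit; }

int main() {
  std::printf("assuming initialized: %d undefined deref(s), traced %d time(s) after init\n",
              undefinedDerefsWith(traceAssumingInitialized), tracesAfterInitWith(traceAssumingInitialized));
  std::printf("checking slot:        %d undefined deref(s), traced %d time(s) after init\n",
              undefinedDerefsWith(traceCheckingSlot), tracesAfterInitWith(traceCheckingSlot));
  return 0;
}
```

The unchecked hook hits the undefined slot exactly once, during the GC that runs mid-allocation; the checking hook skips that object and still traces the snapshot on the next GC once the slot holds it. Any GC hook that reads a reserved slot of an object whose constructor can allocate needs the same "is it still undefined?" check.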

Not sure if the change in finalize is strictly necessary, but I included it just in case.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P1
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f5eb400e8420
Fix ShapeSnapshotObject::trace r=jandem
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
Flags: in-testsuite+
Regressed by: 1702196
Has Regression Range: --- → yes

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210413214314-aa432f04a7da.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon