Closed Bug 1714066 Opened 3 years ago Closed 3 years ago

Assertion failure: linearStr->JSString::isLinear(), at gc/Marking.cpp:1269

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
91 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 + fixed
firefox91 + fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect,confirmed][fuzzblocker][sec-survey][adv-main90+r])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210601-391dbe0ceb29 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --more-compartments --baseline-eager):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555574f64cb in js::GCMarker::eagerlyMarkChildren(JSLinearString*) ()
#0  0x00005555574f64cb in js::GCMarker::eagerlyMarkChildren(JSLinearString*) ()
#1  0x00005555574c8c87 in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#2  0x00005555574b481c in js::GCMarker::traceBarrieredCells(js::SliceBudget&) ()
#3  0x00005555574af0b8 in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) ()
#4  0x0000555556fe5a14 in void JSRope::ropeBarrierDuringFlattening<(JSRope::UsingBarrier)1>(JSRope*) ()
#5  0x0000555556fe5166 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)1, unsigned char>(JSRope*) ()
#6  0x0000555556fbe9dd in JSRope::flatten(JSContext*) ()
#7  0x0000555556b1cc3e in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) ()
#8  0x0000555556b1b6ca in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) ()
#9  0x0000555556b1b235 in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) ()
#10 0x0000555556b8f821 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#11 0x0000555556b8ef56 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#12 0x0000555556b90391 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#13 0x00005555575d4fca in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#14 0x00002046322fe5f3 in ?? ()
#15 0x0000000000000000 in ?? ()
rax	0x5555557794dd	93824994481373
rbx	0x2d4f82375670	49819510330992
rcx	0x555558047b78	93825037269880
rdx	0x0	0
rsi	0x7ffff6abd770	140737331844976
rdi	0x7ffff6abc540	140737331840320
rbp	0x7fffffff9740	140737488328512
rsp	0x7fffffff9730	140737488328496
r8	0x7ffff6abd770	140737331844976
r9	0x7ffff7fe3840	140737354020928
r10	0x0	0
r11	0x0	0
r12	0x2d4f82371988	49819510315400
r13	0x7ffff573c3e0	140737311392736
r14	0x7ffff573c3e0	140737311392736
r15	0x0	0
rip	0x5555574f64cb <js::GCMarker::eagerlyMarkChildren(JSLinearString*)+475>
=> 0x5555574f64cb <_ZN2js8GCMarker19eagerlyMarkChildrenEP14JSLinearString+475>:	movl   $0x4f5,0x0
   0x5555574f64d6 <_ZN2js8GCMarker19eagerlyMarkChildrenEP14JSLinearString+486>:	callq  0x555556a86dba <abort>

This is an intermittent GC crash that is pretty frequent and has been bothering us for a while now. We can't say when exactly this started but it changed in volume recently from what I can tell. Marking as fuzzblocker due to volume. The problem is that almost all instances are not reproducible. I managed to isolate the attached testcase that reproduces somewhat intermittently on Linux.

Attached file Testcase

NI jonco because ropeBarrierDuringFlattening was on the stack of multiple (all?) fuzz tests decoder found.

Flags: needinfo?(jcoppeard)

decoder and I discussed this a bit; it would be very interesting to figure out why this is so intermittent. Maybe there's something we can do to make it fail more reliably?

Assignee: nobody → jcoppeard
Severity: -- → S4
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
Priority: -- → P1

This is unfortunate and makes me wonder if we should abandon buffering cells to be barriered, since this has caused a few problems now. As a fix for this particular issue we can just stop marking if we detect this situation.
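To make the window in the backtrace concrete, here is an added illustrative model of the race. It is not SpiderMonkey code and not the patch from this bug: StringCell, Marker, flattenWithBarrier and runScenario are hypothetical stand-ins for JSString, GCMarker, JSRope::flattenInternal<UsingBarrier> and a constructed test rope. It shows only the invariant the assertion checks (a dependent string's base must be linear), how converting children to dependent strings before the root itself becomes linear violates it when the buffered barrier is flushed mid-flatten, and the "stop marking if we detect this situation" behaviour described above.

```cpp
// Added illustrative model of the marking/flattening race behind this bug.
// NOT SpiderMonkey code: the cell layout, the Marker and the flatten routine
// are simplified stand-ins for JSString, GCMarker and
// JSRope::flattenInternal<UsingBarrier>.
#include <cassert>
#include <cstdio>
#include <initializer_list>
#include <vector>

enum class Kind { Rope, Linear, Dependent };

struct StringCell {
    Kind kind;
    bool marked = false;
    StringCell* left = nullptr;   // Rope: left/right children
    StringCell* right = nullptr;
    StringCell* base = nullptr;   // Dependent: string that owns the characters
    explicit StringCell(Kind k) : kind(k) {}
    bool isLinear() const { return kind != Kind::Rope; }  // JSString::isLinear()
};

enum class MarkResult { NoBase, MarkedBase, SkippedRopeBase, WouldAssert };

struct Marker {
    std::vector<StringCell*> barrierBuffer;  // cells buffered by the pre-write barrier
    bool fixApplied;                         // false = behaviour before the patch
    explicit Marker(bool fix) : fixApplied(fix) {}

    // Stand-in for GCMarker::eagerlyMarkChildren(JSLinearString*): follow a
    // dependent string's base pointer and mark it.
    MarkResult markLinearChildren(StringCell* s) {
        if (s->kind != Kind::Dependent) return MarkResult::NoBase;
        if (!s->base->isLinear()) {
            // Flattening is in progress: the child already points at the root,
            // but the root has not been turned into a linear string yet.
            // Pre-fix this is the "linearStr->JSString::isLinear()" assertion;
            // post-fix the marker simply skips the base.
            return fixApplied ? MarkResult::SkippedRopeBase : MarkResult::WouldAssert;
        }
        s->base->marked = true;
        return MarkResult::MarkedBase;
    }

    // Stand-in for BarrierTracer::performBarrier -> traceBarrieredCells.
    void flush(std::vector<MarkResult>& out) {
        for (StringCell* c : barrierBuffer) out.push_back(markLinearChildren(c));
        barrierBuffer.clear();
    }
};

// Stand-in for JSRope::flattenInternal<UsingBarrier>: each child rope is
// barriered (ropeBarrierDuringFlattening), then rewritten into a dependent
// string on the root. The root only becomes linear after the loop, so a flush
// of the barrier buffer inside the loop is the window seen in the backtrace.
std::vector<MarkResult> flattenWithBarrier(StringCell* root, Marker& m, bool flushMidway) {
    std::vector<MarkResult> results;
    for (StringCell* child : {root->left, root->right}) {
        m.barrierBuffer.push_back(child);          // buffered, not marked now
        child->kind = Kind::Dependent;
        child->left = child->right = nullptr;
        child->base = root;                        // root is still a Rope here
        if (flushMidway) m.flush(results);         // buffer full -> performBarrier
    }
    root->kind = Kind::Linear;                     // root converted last
    root->left = root->right = nullptr;
    m.flush(results);                              // any remaining buffered cells
    return results;
}

struct Outcome { int wouldAssert = 0, skipped = 0, markedBase = 0; bool rootMarked = false; };

// Build a constructed three-level rope (hypothetical input) and flatten it
// under the chosen marker behaviour and flush timing.
Outcome runScenario(bool fixApplied, bool flushMidway) {
    StringCell a(Kind::Linear), b(Kind::Linear), c(Kind::Linear), d(Kind::Linear);
    StringCell subL(Kind::Rope); subL.left = &a; subL.right = &b;
    StringCell subR(Kind::Rope); subR.left = &c; subR.right = &d;
    StringCell root(Kind::Rope); root.left = &subL; root.right = &subR;
    Marker m(fixApplied);
    Outcome o;
    for (MarkResult r : flattenWithBarrier(&root, m, flushMidway)) {
        if (r == MarkResult::WouldAssert) o.wouldAssert++;
        else if (r == MarkResult::SkippedRopeBase) o.skipped++;
        else if (r == MarkResult::MarkedBase) o.markedBase++;
    }
    o.rootMarked = root.marked;
    return o;
}

int main() {
    Outcome pre = runScenario(false, true), post = runScenario(true, true), late = runScenario(true, false);
    std::printf("pre-fix, flush mid-flatten:  wouldAssert=%d\n", pre.wouldAssert);
    std::printf("post-fix, flush mid-flatten: skipped=%d markedBase=%d\n", post.skipped, post.markedBase);
    std::printf("flush after flatten:         markedBase=%d rootMarked=%d\n", late.markedBase, late.rootMarked);
    return 0;
}
```

The model only shows the skip; why leaving the base unmarked in that window is safe (the rope root is still held by the flattening code and converted to a linear string before flattening returns) is not something this bug page spells out, so the example makes no claim about it.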

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210601213358-83f4bfe5ea71
mozilla-central 20210601032903-391dbe0ceb29
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisect,confirmed][fuzzblocker]

Can you suggest a security rating, and if we need to or should backport this patch?

Flags: needinfo?(jcoppeard)

(In reply to Daniel Veditz [:dveditz] from comment #6)
I'm not sure exactly what effect this will have but I'd say this is sec-high. This problem is due to bug 1694209 (FF 88) and we should backport the fix.

Flags: needinfo?(jcoppeard)
Keywords: sec-high
Regressed by: 1694209
Has Regression Range: --- → yes

Comment on attachment 9224730 [details]
Bug 1714066 - Skip marking linear string bases if we encounter a rope due to flattening r?jandem

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I'm not sure how to exploit this, but you could construct a way to provoke this situation. I'd say difficult.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: Everything back to 88
  • If not all supported branches, which bug introduced the flaw?: Bug 1694209
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Same patch should apply.
  • How likely is this patch to cause regressions; how much testing does it need?: This is a simple fix that only changes behaviour when this problem comes up. It's unlikely to cause regressions.
Attachment #9224730 - Flags: sec-approval?

Comment on attachment 9224730 [details]
Bug 1714066 - Skip marking linear string bases if we encounter a rope due to flattening r?jandem

Approved to land and uplift.

Attachment #9224730 - Flags: sec-approval?
Attachment #9224730 - Flags: sec-approval+
Attachment #9224730 - Flags: approval-mozilla-beta+
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jcoppeard)
Whiteboard: [bugmon:update,bisect,confirmed][fuzzblocker] → [bugmon:update,bisect,confirmed][fuzzblocker][sec-survey]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [bugmon:update,bisect,confirmed][fuzzblocker][sec-survey] → [bugmon:update,bisect,confirmed][fuzzblocker][sec-survey][adv-main90+r]
Group: core-security-release
Flags: needinfo?(jcoppeard)