Closed Bug 1723601 Opened 3 years ago Closed 3 years ago

Assertion failure: u.scripted.s.script_, at vm/JSFunction.h:448

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
92 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox90 --- unaffected
firefox91 --- unaffected
firefox92 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

References

(Regression)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

(function (y) {
  function e() {
    y;
  }
})(this);
x = {
  z: function () {
    [].push;
  }
};
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
for (let i = 0; i < 10; ++i) {
  (function () {})();
}
oomTest((function () {
  return {
    f: (function () {}),
    g: (function () {}).bind(),
  };
}), {
  keepFailing: true
})
Assertion failure: u.scripted.s.script_, at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSFunction.h:448

Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
0x0000555556e7a00b in NewFunctionClone (cx=<optimized out>, cx@entry=0x7ffff6a19000, fun=fun@entry=..., newKind=js::GenericObject, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at /home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-c59236b26192/objdir-js/dist/include/js/RootingAPI.h:1183
1183	    MOZ_ASSERT(GCPolicy<T>::isValid(ptr));
(gdb) bt
#0  0x0000555556e7a00b in NewFunctionClone (cx=<optimized out>, cx@entry=0x7ffff6a19000, fun=fun@entry=..., newKind=js::GenericObject, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at /home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-c59236b26192/objdir-js/dist/include/js/RootingAPI.h:1183
#1  0x0000555556e797eb in js::CloneFunctionReuseScript (cx=0x7ffff6a19000, cx@entry=0xffff800000000000, fun=..., fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSFunction.cpp:2074
#2  0x0000555556b88e48 in js::CloneFunctionObject (cx=<optimized out>, cx@entry=0x7ffff6a19000, fun=..., fun@entry=..., enclosingEnv=..., proto=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSFunction-inl.h:42
#3  0x0000555556b7fe79 in js::Lambda (cx=0x7ffff6a19000, fun=fun@entry=..., parent=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:4555
#4  0x0000555556b73a06 in Interpret (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a19000, state=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:3685
#5  0x0000555556b67911 in js::RunScript (cx=0x7ffff6a19000, state=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:371
#6  0x0000555556b7ab4b in js::InternalCallOrConstruct (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a19000, args=..., construct=<optimized out>, construct@entry=js::NO_CONSTRUCT, reason=<optimized out>, reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:519
#7  0x0000555556b7b73b in InternalCall (cx=0x7ffff6a19000, args=..., reason=reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:547
#8  0x0000555556b7b960 in js::Call (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=..., reason=js::CallReason::Getter, reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:564
#9  0x0000555557661992 in js::jit::InvokeFunction (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, obj=..., obj@entry=..., constructing=false, ignoresReturnValue=false, argc=<optimized out>, argc@entry=0, argv=<optimized out>, argv@entry=0x7fffffffa8d0, rval=...) at /home/yksnegowt/trees/mozilla-central/js/src/jit/VMFunctions.cpp:761
#10 0x0000555557662150 in js::jit::InvokeFromInterpreterStub (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, frame=<optimized out>) at /home/yksnegowt/trees/mozilla-central/js/src/jit/VMFunctions.cpp:785
#11 0x000018d623949e7f in ?? ()
#12 0x00007ffff6a19018 in ?? ()
#13 0x00007fffffffa8a8 in ?? ()
#14 0x000038eb56f01870 in ?? ()
#15 0x00000000000000fc in ?? ()
#16 0x000018d623947815 in ?? ()
#17 0x0000000000002044 in ?? ()
#18 0x00002b4ea4046040 in ?? ()
#19 0x0000000000000000 in ?? ()
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/25bc16451830
user:        Ted Campbell
date:        Thu Jul 29 01:53:34 2021 +0000
summary:     Bug 1688794 - Delazify self-hosted functions directly from the stencil. r=jandem,arai

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev c59236b26192.

Not sure if this is s-s; I'd leave it to Ted/Jan/Arai.

Flags: sec-bounty?
Flags: needinfo?(tcampbell)
Group: core-security → javascript-core-security

Thanks, Gary. Looks like when I combined two steps of the stencil code, it was not actually equivalent as I had thought. In effect I reversed Phases 4 and 5.

What is happening is that we have a function with inner functions that we are delazifying as a cluster. There is then an OOM while allocating the script data for the inner function. This OOM failure does not roll back the outer function, leaving things in an incomplete state. This looks to be reliably a null-deref, but I'll confirm tomorrow whether there are security concerns.

The naive fix is to ensure inner functions happen before outer functions. Will investigate further.

Assignee: nobody → tcampbell

Set release status flags based on info from the regressing bug 1688794

When I run with --no-blinterp to disable all JITs, the test case reduces to:

oomTest(() => Object.bind())

The FunctionFlags are always correct here and they are what most things rely on. The result is a reliable (near) null-ptr deref when trying to access that BaseScript later. Therefore opening this bug up. Various cleanups over the years to make this sort of thing more robust seem to be helping to keep these crashes from being scary which is nice to see.

Group: javascript-core-security
Flags: needinfo?(tcampbell)

The CompilationStencil::delazifySelfHostedFunction code erroneously delazified
the outer script before its full set of inner functions. This can result in a
nullptr deref under some conditions. Instead, instantiate inner functions first,
which is also consistent with the normal Stencil instantiation flow.

Severity: -- → S3
Priority: -- → P1
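The ordering defect Ted describes in his comment and the fix stated in the patch description, as a constructed C++ model added here rather than SpiderMonkey's own code: Function, Oom, delazifyOuterFirst, delazifyInnerFirst and leavesDanglingFlag are all assumed names, and the fault-injection sweep stands in for the shell's oomTest with keepFailing.

```cpp
#include <deque>
#include <vector>
// Constructed model, not SpiderMonkey code. A function carries a flag that says
// "I have a script" (stands in for FunctionFlags) and a script pointer (stands in
// for u.scripted.s.script_); later callers rely on flag set => pointer non-null.
struct BaseScript { int bytecodeLen = 0; };
struct Function { bool hasScriptFlag = false; BaseScript* script = nullptr; };
using Inner = std::vector<Function>;
// Fault injector in the spirit of oomTest(..., {keepFailing: true}):
// allocation number failAt and every later one return nullptr.
struct Oom {
  int failAt, count = 0;
  std::deque<BaseScript> pool;  // deque keeps pointers stable across push_back
  explicit Oom(int f) : failAt(f) {}
  BaseScript* alloc() {
    if (++count >= failAt) return nullptr;
    pool.emplace_back();
    return &pool.back();
  }
};
// Buggy ordering (the regression): the outer is committed, flipping the flags of
// the whole cluster, before inner scripts exist; an inner OOM is not rolled back.
bool delazifyOuterFirst(Function& outer, Inner& inner, Oom& oom) {
  outer.hasScriptFlag = true;
  for (Function& f : inner) f.hasScriptFlag = true;
  if (!(outer.script = oom.alloc())) return false;
  for (Function& f : inner) if (!(f.script = oom.alloc())) return false;
  return true;
}
// Fixed ordering: inner scripts first, then the outer, and flags flipped only
// once every allocation succeeded, so a failure leaves nothing half-built.
bool delazifyInnerFirst(Function& outer, Inner& inner, Oom& oom) {
  for (Function& f : inner) if (!(f.script = oom.alloc())) return false;
  if (!(outer.script = oom.alloc())) return false;
  outer.hasScriptFlag = true;
  for (Function& f : inner) f.hasScriptFlag = true;
  return true;
}
// Sweep every failure point, as oomTest does, and report whether any run leaves
// a function whose flag promises a script it does not have (the crashing state).
bool leavesDanglingFlag(bool (*delazify)(Function&, Inner&, Oom&), int n) {
  for (int failAt = 1; failAt <= n + 1; ++failAt) {
    Function outer; Inner inner(n); Oom oom(failAt);
    delazify(outer, inner, oom);
    if (outer.hasScriptFlag && !outer.script) return true;
    for (const Function& f : inner) if (f.hasScriptFlag && !f.script) return true;
  }
  return false;
}
```

The sweep is the check to keep around: a flagged-but-scriptless function is exactly what the MOZ_ASSERT in the report trips on, and a harness that fails each allocation in turn finds it without needing a specific test case.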
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/edef3a5b61d0
Fix OOM during self-hosting delazification. r=arai
Priority: P1 → P2

I rebased after the other backouts and try looks to be passing so the failures seem to have been other patches / infra.

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d1c37768bb3a
Fix OOM during self-hosting delazification. r=arai
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
Flags: needinfo?(tcampbell)
Flags: sec-bounty? → sec-bounty-
Has Regression Range: --- → yes