Closed Bug 1822962 Opened 1 year ago Closed 1 year ago

Gecko Assertion failure: gcMarker->tracingZone == zone || zone->isAtomsZone()

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
113 Branch
Tracking Status
firefox113 --- fixed

People

(Reporter: phambao1340, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Run the following JavaScript code; Gecko fails at GC.

// Shell-only testcase: newGlobal(), help() and gc() are SpiderMonkey shell
// builtins (see the --fuzzing-safe discussion below), not Firefox web APIs.
const o1 = {
    "newCompartment": true, // put the new global in its own compartment/zone
};
// The regexp literal belongs to this global's realm, while help() is the new
// global's builtin; the fix enters the RegExpObject's compartment inside it.
newGlobal(o1).help(/(a+|b+|c+)*c/);
gc(); // a full GC marks the RegExpObject and hits the zone assertion
/*
Assertion failure: gcMarker->tracingZone == zone || zone->isAtomsZone(), at /home/s/gecko-dev/js/src/gc/Marking.cpp:216
#01: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2496337]
#02: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24aafd1]
#03: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1dd8ffb]
#04: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24c339a]
#05: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24b16db]
#06: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24c4e75]
#07: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24af966]
#08: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x249b29d]
#09: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2455868]
#10: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24599a0]
#11: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x245cad8]
#12: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x245dd43]
#13: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x24325a8]
#14: JS::NonIncrementalGC(JSContext*, JS::GCOptions, JS::GCReason)[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2487c3c]
#15: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2017e63]
#16: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x19599f4]
#17: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1958dbe]
#18: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x194c4ba]
#19: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x193f435]
#20: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x195cb82]
#21: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x195d231]
#22: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b0af46]
#23: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b0b220]
#24: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1875550]
#25: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x18749f5]
#26: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x183653f]
#27: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1830027]
#28: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
#29: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
#30: ???[/home/s/gecko-dev/obj-fuzzbuild/dist/bin/js +0x17fca89]
#31: ??? (???:???)

Backtrace

pwndbg> bt
#0  CheckMarkedThing<js::jit::JitCode> (gcMarker=gcMarker@entry=0x7ffff663e5c0, thing=thing@entry=0xadf67598038) at /home/s/gecko-dev/js/src/gc/Marking.cpp:215
#1  0x00005555579fefd1 in js::gc::MarkingTracerT<4u>::onEdge<js::jit::JitCode> (this=0x7ffff663e5c0, thingp=<optimized out>, name=<optimized out>) at /home/s/gecko-dev/js/src/gc/Marking.cpp:918
#2  0x000055555732cffb in js::gc::TraceEdgeInternal (trc=0x7ffff663e5c0, thingp=0xadf675810a0, JitCode=0x7ffff7c2f723 <_IO_2_1_stderr_+131> "") at /home/s/gecko-dev/js/src/gc/Tracer.h:106
#3  js::TraceEdge<js::jit::JitCode*> (trc=0x7ffff663e5c0, thingp=0xadf675810a0, name=0x7ffff7c2f723 <_IO_2_1_stderr_+131> "") at /home/s/gecko-dev/js/src/gc/Tracer.h:144
#4  js::TraceNullableEdge<js::jit::JitCode*> (trc=0x7ffff663e5c0, thingp=0xadf675810a0, name=<optimized out>) at /home/s/gecko-dev/js/src/gc/Tracer.h:183
#5  js::RegExpShared::traceChildren (this=0xadf67581098, trc=0x7ffff663e5c0) at /home/s/gecko-dev/js/src/vm/RegExpObject.cpp:555
#6  0x0000555557a1739a in js::GCMarker::traceChildren<4u, js::RegExpShared> (this=0x7ffff663e5c0, this@entry=0xadf675490a8, thing=0xadf67581098, thing@entry=0x3) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1126
#7  0x0000555557a24389 in js::GCMarker::traverse<4u> (this=0x7ffff7c30a60 <_IO_stdfile_2_lock>, thing=0x0) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1090
#8  0x0000555557a056db in JS::ApplyGCThingTyped<js::GCMarker::markAndTraverseEdge<4u, JSObject*, JS::GCCellPtr>(JSObject*, JS::GCCellPtr const&)::{lambda(auto:1)#1}>(JS::GCCellPtr, js::GCMarker::markAndTraverseEdge<4u, JSObject*, JS::GCCellPtr>(JSObject*, JS::GCCellPtr const&)::{lambda(auto:1)#1}&&) (thing=..., f=...) at /home/s/gecko-dev/obj-fuzzbuild/dist/include/js/HeapAPI.h:484
#9  js::GCMarker::markAndTraverseEdge<4u, JSObject*, JS::GCCellPtr> (this=0x7ffff663e5c0, source=0xadf67549078, thing=...) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1205
#10 js::GCMarker::processMarkStackTop<4u> (this=this@entry=0x7ffff663e5c0, budget=...) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1519
#11 0x0000555557a18e75 in js::GCMarker::markOneColor<4u, (js::gc::MarkColor)2> (this=this@entry=0x7ffff663e5c0, budget=...) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1316
#12 0x0000555557a03966 in js::GCMarker::doMarking<4u> (this=this@entry=0x7ffff663e5c0, budget=..., reportTime=js::gc::ReportMarkTime) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1280
#13 0x00005555579ef29d in js::GCMarker::markUntilBudgetExhausted (this=0x7ffff663e5c0, budget=..., reportTime=js::gc::ReportMarkTime) at /home/s/gecko-dev/js/src/gc/Marking.cpp:1270
#14 0x00005555579a9868 in js::gc::GCRuntime::markUntilBudgetExhausted (this=this@entry=0x7ffff6623728, sliceBudget=..., allowParallelMarking=<optimized out>, reportTime=js::gc::ReportMarkTime) at /home/s/gecko-dev/js/src/gc/GC.cpp:3021
#15 0x00005555579ad9a0 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff6623728, budget=..., reason=reason@entry=JS::GCReason::API, budgetWasIncreased=false) at /home/s/gecko-dev/js/src/gc/GC.cpp:3648
#16 0x00005555579b0ad8 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6623728, nonincrementalByAPI=true, budgetArg=..., reason=reason@entry=JS::GCReason::API) at /home/s/gecko-dev/js/src/gc/GC.cpp:4212
#17 0x00005555579b1d43 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6623728, nonincrementalByAPI=<optimized out>, budget=..., reason=reason@entry=JS::GCReason::API) at /home/s/gecko-dev/js/src/gc/GC.cpp:4400
#18 0x00005555579865a8 in js::gc::GCRuntime::gc (this=0x7ffff6623728, options=JS::GCOptions::Normal, reason=JS::GCReason::API) at /home/s/gecko-dev/js/src/gc/GC.cpp:4477
#19 0x00005555579dbc3c in JS::NonIncrementalGC (cx=cx@entry=0x7ffff6630100, options=options@entry=JS::GCOptions::Normal, reason=reason@entry=JS::GCReason::API) at /home/s/gecko-dev/js/src/gc/GCAPI.cpp:297
#20 0x000055555756be63 in GC (cx=cx@entry=0x7ffff6630100, argc=<optimized out>, vp=<optimized out>) at /home/s/gecko-dev/js/src/builtin/TestingFunctions.cpp:706
#21 0x0000555556ead9f4 in CallJSNative (cx=cx@entry=0x7ffff6630100, native=native@entry=0x55555756bb50 <GC(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:459
#22 0x0000555556eacdbe in js::InternalCallOrConstruct (cx=0x7ffff6630100, cx@entry=0x5555588f4ae0 <Interpret(JSContext*, js::RunState&)::addresses>, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call, reason@entry=4294967286) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:553
#23 0x0000555556eaeb26 in InternalCall (cx=0x7ffff7c30a60 <_IO_stdfile_2_lock>, args=..., reason=1497838384) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:620
#24 0x0000555556ea04ba in js::CallFromStack (cx=0x7ffff7c30a60 <_IO_stdfile_2_lock>, cx@entry=0xffff800000000000, args=..., reason=<optimized out>) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:625
#25 Interpret (cx=0x7ffff7c30a60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6630100, state=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:3368
#26 0x0000555556e93435 in js::RunScript (cx=cx@entry=0x7ffff6630100, state=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:431
#27 0x0000555556eb0b82 in js::ExecuteKernel (cx=cx@entry=0x7ffff6630100, script=script@entry=..., envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:818
#28 0x0000555556eb1231 in js::Execute (cx=cx@entry=0x7ffff6630100, script=script@entry=..., envChain=..., rval=rval@entry=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:850
#29 0x000055555705ef46 in ExecuteScript (cx=cx@entry=0x7ffff6630100, envChain=..., script=..., rval=rval@entry=...) at /home/s/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:472
#30 0x000055555705f220 in JS_ExecuteScript (cx=cx@entry=0x7ffff6630100, scriptArg=scriptArg@entry=...) at /home/s/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:496
#31 0x0000555556dc9550 in RunFile (cx=0x7ffff6630100, filename=0x7fffffffe343 "mark.js", file=<optimized out>, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimized out>) at /home/s/gecko-dev/js/src/shell/js.cpp:1098
#32 0x0000555556dc89f5 in Process (cx=cx@entry=0x7ffff6630100, filename=0x0, forceTTY=false, kind=kind@entry=FileScript) at /home/s/gecko-dev/js/src/shell/js.cpp:1697
#33 0x0000555556d8a53f in ProcessArgs (cx=0x7ffff6630100, op=0x7fffffffdd18) at /home/s/gecko-dev/js/src/shell/js.cpp:10584
#34 Shell (cx=0x7ffff6630100, op=op@entry=0x7fffffffdd18) at /home/s/gecko-dev/js/src/shell/js.cpp:10808
#35 0x0000555556d84027 in main (argc=argc@entry=8, argv=argv@entry=0x7fffffffdfa8) at /home/s/gecko-dev/js/src/shell/js.cpp:11240
#36 0x00007ffff7a3ed90 in __libc_start_call_main (main=main@entry=0x555556d83810 <main(int, char**)>, argc=argc@entry=8, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58
#37 0x00007ffff7a3ee40 in __libc_start_main_impl (main=0x555556d83810 <main(int, char**)>, argc=8, argv=0x7fffffffdfa8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392
#38 0x0000555556d50a89 in _start ()
*/
Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk

It looks like "help" is a special shell-only function, so maybe there's a bug with that.

Duplicate of this bug: 1822963

Thanks for the report. This is a compartment issue in PrintEnumeratedHelp.

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

This ensures the RegExpObject, RegExpShared and JitCode things are all in the same zone.

Blocks: sm-security
Severity: -- → S3
Priority: -- → P1
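The zone invariant behind the assertion, shown as an added toy model. This is not SpiderMonkey code and not the patch: Zone, Cell, Runtime and AutoRealm below are simplified stand-ins for the real types, and the assumption that RegExpShared and JitCode are allocated in whatever realm is current when help() runs is an inference from the commit message, not something read from the source.

```cpp
// Added example: toy model of "gcMarker->tracingZone == zone || zone->isAtomsZone()".
// Not SpiderMonkey code; Zone, Cell, Runtime and AutoRealm are simplified
// stand-ins, and the allocation order in simulateHelp() is an assumption.
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

struct Zone;

// A GC cell remembers the zone it was allocated in and the cells it points at.
struct Cell {
    Zone* zone;
    std::vector<Cell*> edges;
    explicit Cell(Zone* z) : zone(z) {}
};

struct Zone {
    std::string name;
    bool isAtomsZone;
    std::vector<std::unique_ptr<Cell>> cells;  // every cell doubles as a root here
    Zone(std::string n, bool atoms = false) : name(std::move(n)), isAtomsZone(atoms) {}
    Cell* alloc() {
        cells.push_back(std::make_unique<Cell>(this));
        return cells.back().get();
    }
};

// Allocation lands in the zone of the realm that is currently entered; the bug
// tripped over exactly this when the wrong realm was current.
struct Runtime {
    Zone* current = nullptr;
    Cell* allocInCurrentRealm() { return current->alloc(); }
};

// RAII stand-in for AutoRealm: enter the realm owning `target`, restore on exit.
struct AutoRealm {
    Runtime& rt;
    Zone* saved;
    AutoRealm(Runtime& r, const Cell* target) : rt(r), saved(r.current) { rt.current = target->zone; }
    ~AutoRealm() { rt.current = saved; }
};

// Mirrors CheckMarkedThing: a traced child must be in the zone being marked,
// or in the runtime-wide atoms zone.
static bool checkMarkedThing(const Zone* tracingZone, const Cell* thing) {
    return thing->zone == tracingZone || thing->zone->isAtomsZone;
}

// Marks one zone; returns false where the real marker would hit the assertion.
static bool markZone(const Zone& zone) {
    std::vector<const Cell*> stack;
    std::unordered_set<const Cell*> seen;
    for (const auto& root : zone.cells) stack.push_back(root.get());
    while (!stack.empty()) {
        const Cell* cell = stack.back();
        stack.pop_back();
        if (!seen.insert(cell).second) continue;
        for (const Cell* child : cell->edges) {
            if (!checkMarkedThing(&zone, child)) {
                std::fprintf(stderr, "cross-zone edge while marking %s: child is in %s\n",
                             zone.name.c_str(), child->zone->name.c_str());
                return false;
            }
            stack.push_back(child);
        }
    }
    return true;
}

// Models `newGlobal({newCompartment: true}).help(/re/)`: the RegExpObject is
// created in the caller's zone, but help() runs with the new global's realm
// current. Without entering the RegExpObject's realm first, the RegExpShared
// and JitCode it gets linked to are allocated in the callee's zone.
static bool simulateHelp(bool enterRegExpRealm) {
    Runtime rt;
    Zone callerZone("caller"), calleeZone("newGlobal");
    Cell* regexpObject = callerZone.alloc();

    rt.current = &calleeZone;
    {
        std::unique_ptr<AutoRealm> ar;
        if (enterRegExpRealm) ar = std::make_unique<AutoRealm>(rt, regexpObject);  // what the fix does
        Cell* regexpShared = rt.allocInCurrentRealm();
        Cell* jitCode = rt.allocInCurrentRealm();
        regexpShared->edges.push_back(jitCode);
        regexpObject->edges.push_back(regexpShared);
    }
    // A full GC marks every zone; the bad edge shows up while marking the caller's zone.
    return markZone(callerZone) && markZone(calleeZone);
}

int main() {
    std::printf("without entering the RegExpObject's realm: %s\n", simulateHelp(false) ? "ok" : "assertion");
    std::printf("entering the RegExpObject's realm first:   %s\n", simulateHelp(true) ? "ok" : "assertion");
    return 0;
}
```

The model deliberately has no cross-compartment wrappers, so any edge that leaves the zone being marked (other than into the atoms zone) is treated as the invariant violation; the real engine would have routed such an edge through a wrapper, which is why an unwrapped cross-zone pointer is an engine bug rather than a legitimate state.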

Although jsshell is an excellent testing tool, our bug bounty unfortunately only covers bugs that will affect users of the released versions of Firefox. I believe the --fuzzing-safe parameter disables many of these "not in firefox" features, though it would be best to confirm that with members of the fuzzing team.

["will affect" includes pre-release features that are expected to be released if they are "on by default" in nightly or beta builds]

Flags: sec-bounty? → sec-bounty-
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7781c4dc4977
Enter the RegExpObject's compartment in PrintEnumeratedHelp. r=iain
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch