Assertion failure: (value & RESERVED_MASK) == 0, at js/src/gc/Cell.h:147
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox112 | --- | unaffected |
| firefox113 | --- | unaffected |
| firefox114 | --- | fixed |
| firefox115 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])
Attachments
(3 files)
|
1.77 KB,
text/plain
|
Details | |
|
15.82 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
|
Details | Review |
The following testcase crashes on mozilla-central revision 20230429-8339bdf8fcc8 (debug build, run with --fuzzing-safe --differential-testing --wasm-compiler=baseline+optimizing --no-asmjs --no-sse4 --ion-full-warmup-threshold=100 --ion-instruction-reordering=on --ion-extra-checks --ion-warmup-threshold=100 --ion-scalar-replacement=off --ion-check-range-analysis --ion-range-analysis=off --ion-osr=off --fast-warmup --blinterp --blinterp-warmup-threshold=1 --more-compartments --ion-offthread-compile=off --gc-zeal=4,230 --baseline-warmup-threshold=100 --no-threads):
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555570eb0b4 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSRope*) ()
#1 0x00005555570d7cf8 in JSRope::flatten(JSContext*) ()
#2 0x0000555556ca1d85 in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) ()
#3 0x0000555556ca07c1 in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) ()
#4 0x0000317399ef44c7 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax 0x55555575b496 93824994358422
rbx 0xfffe2f2f2f2f2f2f -511070251831505
rcx 0x5555582e7d38 93825040022840
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffc3c0 140737488339904
rsp 0x7fffffffc340 140737488339776
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9a840 140737353721920
r10 0x2 2
r11 0x0 0
r12 0x7ffff3e4e580 140737285252480
r13 0x7ffff3e26280 140737285087872
r14 0x3cc359ae2118 66809720873240
r15 0x3cc359ae30d0 66809720877264
rip 0x5555570eb0b4 <JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSRope*)+2164>
=> 0x5555570eb0b4 <_ZN6JSRope15flattenInternalILNS_12UsingBarrierE0EhEEP14JSLinearStringPS_+2164>: movl $0x93,0x0
0x5555570eb0bf <_ZN6JSRope15flattenInternalILNS_12UsingBarrierE0EhEEP14JSLinearStringPS_+2175>: callq 0x555556c08957 <abort>
This report is rather unreduced, I didn't have more time to reduce further (and it didn't easily auto-reduce).
S-s because this is a GC assert.
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
Iain, would you be the right person to investigate this issue, could it be related to the regexp integration?
|
|
Reporter | |
Comment 4•2 years ago
|
||
This is also a fuzzblocker with this any other GC related asserts all over the place.
|
||
Comment 5•2 years ago
•
|
||
This seems to be a bad interaction between the StringConcat stub and the VerifierPre gczeal mode. It looks like what happens is:
- While running in the C++ interpreter, we trigger a VerifyPreTracer run.
- This temporarily disables the nursery.
- This is an incremental trace, so at some point we return to the interpreter.
- A script tries to enter the baseline interpreter, so we initialize the JitRealm.
- At this point, the nursery is not enabled, so we set the initialStringHeap to
gc::TenuredHeap. - When we generate the StringConcat stub, we allocate a new rope in
initialStringHeap, with a comment saying that we don't need post-barriers if that's the default heap. But in this case, it's the tenured heap, even though the nursery was only temporarily disabled. - We concatenate a nursery string. The new rope is allocated in the tenured space. There's no prebarrier. The nursery string is eventually collected, and everything explodes.
My initial instinct is that the problem is in step 6, and we should generate post-barriers if initialStringHeap is the tenured heap. I also think this is unlikely to be a real security issue, because AFAICT it should only happen with GC zeal enabled. But I'd appreciate a second pair of eyes. Jon, any thoughts?
PS: I didn't spend any time reducing the testcase, but I did reduce the list of shell flags to --differential-testing --ion-osr=off --fast-warmup --blinterp-warmup-threshold=1 --gc-zeal=4,230 --baseline-warmup-threshold=100 --no-threads.
|
Assignee | |
Comment 6•2 years ago
|
||
(In reply to Iain Ireland [:iain] from comment #5)
Thank you for the detailed analysis.
What's supposed to happen in the concat stub is that if initialStringHeap is the tenured heap then the input strings should always be tenured too. We evict the nursery when we disable it, so this works when then nursery is disabled and it works whether the JIT realm is created before or after that happens.
What doesn't work is when the JIT realm is created after the nursery is disabled and it is then re-enabled. This bakes initialStringHeap into the concat staub. When we enable or disable allocation of particular kinds in the nursery we discard all JIT code but that doesn't happen when we enable or disable the nursery as a whole. That would be the safest thing to do here. Disabling the nursery is not something that happens in normal execution so I don't think there should be a problem with this.
This issue can occur by use of AutoDisableGenerationGC, but it's only used by the pre-barrier verifier and once in the shell in a way that doesn't cause this problem.
|
||
Comment 7•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230503140026-7820ebaff373.
The bug appears to have been introduced in the following build range:
Start: 8eabe4c96864d5ecaa73e1e4a1c91aad1b2000a6 (20230427102259)
End: 3bbc0a622f412fd9f601cdb5ee6133985e2499fb (20230427104925)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8eabe4c96864d5ecaa73e1e4a1c91aad1b2000a6&tochange=3bbc0a622f412fd9f601cdb5ee6133985e2499fb
|
||
Comment 8•2 years ago
|
||
Tagging this sec-other for now, but if comment 6 is right then we could unhide this. If it's a security bug then it's probably sec-high.
|
||
Comment 9•2 years ago
|
||
Setting Regressed by field after analyzing regression range found by bugmon in comment #7.
|
|
||
Comment 10•2 years ago
|
||
Set release status flags based on info from the regressing bug 1829896
|
|
Assignee | |
Comment 12•2 years ago
|
||
This makes it so we always discard JIT code when the kinds of GC thing we can
allocate in a zone changes. Previously this happened in two separate places for
pretenuring, and didn't happen when we enabled/disabled the nursery.
(In reply to Christian Holler (:decoder) from comment #0)
(and it didn't easily auto-reduce).
Hah, I'm surprised at this - it was really super straightforward for me for most or even all of them. The shell flags too!
In any case, I'm glad the reduced testcase in bug 1831232 helped Jon!
|
|
||
Comment 14•2 years ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jonco, could you consider increasing the severity?
For more information, please visit BugBot documentation.
|
|
||
Comment 15•2 years ago
|
||
Set release status flags based on info from the regressing bug 1829896
|
||
Comment 16•2 years ago
|
||
Discard JIT code when disabling or enabling the nursery r=jandem
https://hg.mozilla.org/integration/autoland/rev/04005f8322707e3dc71ee5b2115ad42d5a958a8d
https://hg.mozilla.org/mozilla-central/rev/04005f832270
|
|
||
Comment 17•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20230509151822-a5468e749653.
|
||
Updated•2 years ago
|
|
|
||
Comment 18•2 years ago
|
||
The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox114towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 19•2 years ago
|
||
Comment on attachment 9331842 [details]
Bug 1830921 - Discard JIT code when disabling or enabling the nursery r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: Possible crash / security vulnerability, although it's not clear whether this is possible to trigger in a release build.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1831072
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a simplification of the existing code that is more obviously correct. This has baked on central for 6 days.
- String changes made/needed:
- Is Android affected?: Yes
|
|
||
Comment 20•2 years ago
|
||
re-rating sec-moderate based on the uncertainty expressed in comment 19
|
||
Comment 21•2 years ago
|
||
Comment on attachment 9331842 [details]
Bug 1830921 - Discard JIT code when disabling or enabling the nursery r?jandem
Approved for 114.0b7.
|
|
||
Comment 22•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
Description
•