Closed Bug 1871952 Opened 1 year ago Closed 1 year ago

AddressSanitizer: SEGV on unknown address 0x000000000000 [@ js::BaseScript::enclosingScope] or Assertion failure: lazyScript->isReadyForDelazification(), at frontend/CompilationStencil.h:753

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
123 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase)

Attachments

(3 files)

Attached file ASan stack
evalReturningScope('\
  x=[,,];\
  Object.defineProperty(x,"0",{get:function(){\
    Object.defineProperty(x,"1",{get:function(){}})\
  }});\
  x.map(function(){})\
', newGlobal({
    discardSource: true
  })
);
Assertion failure: lazyScript->isReadyForDelazification(), at /home/skygentoo/trees/mozilla-central/js/src/frontend/CompilationStencil.h:753
#01: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x25a1d7f]
#02: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x255f761]
#03: JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1f22b0a]
#04: JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>)[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1bdf456]
#05: JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1f22985]
#06: JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>)[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1bdf456]
#07: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd332f]
#08: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd46fe]
#09: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd5b14]
#10: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1fd4b3b]
#11: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1fd54f5]
#12: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1d09b87]
#13: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cf4211]
#14: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1ce2033]
#15: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd2adf]
#16: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd60bc]
#17: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1d37522]
#18: js::ExecuteInFrameScriptEnvironment(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JSObject*>)[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1d36f56]
#19: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x227ca80]
#20: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cfb835]
#21: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd356b]
#22: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1ce4fa7]
#23: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd2adf]
#24: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd60bc]
#25: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1cd65d0]
#26: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1e5d302]
#27: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1e5d547]
#28: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1bbab07]
#29: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1bb9cda]
#30: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1b70c55]
#31: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1b6a9d9]
#32: ???[/lib64/libc.so.6 +0x239ca]
#33: __libc_start_main[/lib64/libc.so.6 +0x23a85]
#34: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-fdd85a789550/js-dbg-64-linux-x86_64-fdd85a789550 +0x1b5d909]
#35: ??? (???:???)

Regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=20b482455364fc14118bd32de96ae52cc81c7f3a&tochange=abda04d0bfe3304e216ac64e2848e9867d9f494b

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --with-ccache --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev fdd85a789550.

I can come up with a better bisection range in a day or two. Marking available release versions as affected as it seems to go back to 2021.

Flags: sec-bounty?

I'm going to guess, instead, that this may be related to Arai-san's bug 1718529, bug 1662152, or some of Arai's other bugs in the regression range - it's too far back to get something more granular.

Flags: needinfo?(arai.unmht)

Thank you for reporting.

This is a bug in the testing function evalReturningScope, which doesn't properly handle the global parameter.
The compile options are created in the current realm instead of the passed global's realm, which results in an inconsistency in the discardSource option between the compile options and the target global.

https://searchfox.org/mozilla-central/rev/08899071a2c8a573ac47ac632869bb92269b3ec3/js/src/builtin/TestingFunctions.cpp#6864,6876-6877,6881,6888,6918,6922

static bool EvalReturningScope(JSContext* cx, unsigned argc, Value* vp) {
...
  if (args.hasDefined(1)) {
    global = ToObject(cx, args[1]);
...
  }
...
  JS::CompileOptions options(cx);
...
  {
...
    AutoRealm ar(cx, global);

The other testing function evaluate handles the passed global properly, and the compile option is created in the passed global's realm.

https://searchfox.org/mozilla-central/rev/08899071a2c8a573ac47ac632869bb92269b3ec3/js/src/shell/js.cpp#2493,2496-2499,2501,2506,2519-2520

RootedObject global(cx, JS::CurrentGlobalOrNull(cx));
...
// Check "global" property before everything to use the given global's
// option as the default value.
Maybe<CompileOptions> maybeOptions;
if (opts) {
...
  if (!JS_GetProperty(cx, opts, "global", &v)) {
...
      global = js::CheckedUnwrapDynamic(&v.toObject(), cx,
...
    JSAutoRealm ar(cx, global);
    maybeOptions.emplace(cx);

EvalReturningScope should do the same thing.

So far, the bug itself doesn't affect the browser, but I'll check if there's a better way to assert the consistency at an earlier step than the delazification,
and also I'll check if there's any other possibility of the inconsistency (if any, it could be caught by the earlier assertion).
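The ordering problem described in this comment, as an added illustration that is not SpiderMonkey code and not part of this bug's patches: the structs Realm, Context, CompileOptions, AutoRealm and the function instantiateStencil below are hypothetical stand-ins for JS::Realm, JSContext, JS::CompileOptions, js::AutoRealm and stencil instantiation, reduced to a single discardSource flag. It contrasts the buggy ordering (options snapshotted from the caller's realm before the target realm is entered) with the evaluate-style ordering (enter the target realm, then emplace the options), and models the kind of consistency assertion arai mentions wanting at an earlier step.

```cpp
// Added model of the EvalReturningScope realm/CompileOptions ordering bug.
// All types here are simplified stand-ins, not the SpiderMonkey API.
#include <cassert>
#include <optional>
#include <stdexcept>
#include <string>

// Stand-in for a realm: each realm carries its own discardSource setting.
struct Realm {
  std::string name;
  bool discardSource;
};

// Stand-in for JSContext: tracks the realm the context is currently in.
struct Context {
  Realm* current;
};

// Stand-in for JS::CompileOptions(cx): snapshots settings from the realm
// cx is in *at construction time*. That snapshot is the crux of the bug.
struct CompileOptions {
  bool discardSource;
  explicit CompileOptions(const Context& cx)
      : discardSource(cx.current->discardSource) {}
};

// Stand-in for js::AutoRealm: enters a realm for the lifetime of the guard.
struct AutoRealm {
  Context& cx;
  Realm* saved;
  AutoRealm(Context& c, Realm* target) : cx(c), saved(c.current) { cx.current = target; }
  ~AutoRealm() { cx.current = saved; }
};

// Stand-in for the consistency check at stencil instantiation: refuse options
// that disagree with the realm being instantiated into. Throws to mimic a
// failed MOZ_ASSERT; returns true when consistent.
bool instantiateStencil(const Context& cx, const CompileOptions& options) {
  if (options.discardSource != cx.current->discardSource) {
    throw std::logic_error("CompileOptions/realm discardSource mismatch");
  }
  return true;
}

// Buggy ordering (what EvalReturningScope did): options are built while cx is
// still in the caller's realm, and only then is the target realm entered.
bool evalReturningScopeBuggy(Context& cx, Realm* global) {
  CompileOptions options(cx);  // snapshot taken from the caller's realm
  AutoRealm ar(cx, global);    // too late: the snapshot is already wrong
  return instantiateStencil(cx, options);
}

// Fixed ordering (the pattern `evaluate` uses): enter the target realm first,
// then emplace the options so they snapshot the target realm's settings.
bool evalReturningScopeFixed(Context& cx, Realm* global) {
  std::optional<CompileOptions> maybeOptions;
  AutoRealm ar(cx, global);
  maybeOptions.emplace(cx);
  return instantiateStencil(cx, *maybeOptions);
}

// Constructed scenario mirroring the testcase: the caller's global keeps
// source, the target global was created with discardSource: true.
// Returns true when the buggy path trips the consistency check.
bool buggyPathTripsAssertion() {
  Realm caller{"caller", false};
  Realm target{"newGlobal", true};
  Context cx{&caller};
  try {
    evalReturningScopeBuggy(cx, &target);
  } catch (const std::logic_error&) {
    return true;
  }
  return false;
}

// Same scenario through the fixed ordering: options agree with the target.
bool fixedPathIsConsistent() {
  Realm caller{"caller", false};
  Realm target{"newGlobal", true};
  Context cx{&caller};
  return evalReturningScopeFixed(cx, &target);
}

// Control: when both realms agree, even the buggy ordering passes, which is
// why the mismatch only surfaced with newGlobal({discardSource: true}).
bool buggyPathPassesWhenRealmsAgree() {
  Realm caller{"caller", false};
  Realm target{"newGlobal", false};
  Context cx{&caller};
  return evalReturningScopeBuggy(cx, &target);
}
```

The control case is the practical point for fuzzing harnesses: a realm-derived option only diverges when the caller's realm and the target global differ, so a reproducer must pass a global created with non-default behaviors, as the testcase does.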

Group: core-security → javascript-core-security

Opening up per comment 2.

Group: javascript-core-security
Flags: sec-bounty?
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)
Severity: -- → S3
Priority: -- → P2
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/f15e3901e1aa Part 1: Fix EvalReturningScope to create CompileOptions in the target global. r=spidermonkey-reviewers,jandem
https://hg.mozilla.org/integration/autoland/rev/5f7986e4be59 Part 2: Assert the CompileOption consistency during stencil instantiation. r=spidermonkey-reviewers,jandem
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

The patch landed in nightly and beta is affected.
:arai, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox122 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(arai.unmht)

This is a bug in a test-only function, and unless people use beta/release as a fuzzing target, uplift isn't necessary.

Flags: needinfo?(arai.unmht)