Closed Bug 1872555 Opened 1 year ago Closed 1 year ago

Assertion failure: !mArena || arena == mArena, at memory/build/mozjemalloc.cpp:4615

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- fixed
firefox124 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(3 files)

Attached file stack
serialize().arraybuffer.transfer(97);
Assertion failure: !mArena || arena == mArena, at /home/skygentoo/trees/mozilla-central/memory/build/mozjemalloc.cpp:4615
Segmentation fault
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b5909f5010c7
user:        Matthew Gaudet
date:        Mon Dec 11 17:41:30 2023 +0000
summary:     Bug 1865103 - Enable ArrayBuffer.prototype.transfer by default r=anba

If I run with --enable-arraybuffer-transfer and go back prior to this changeset, I get this:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/41d2512a836c
user:        André Bargull
date:        Fri Jul 07 13:07:56 2023 +0000
summary:     Bug 1841113 - Part 4: Steal or realloc malloced buffers. r=spidermonkey-reviewers,jandem

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --with-ccache --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev be0bfc7f9065.

Andre/Matthew, is bug 1841113 a likely regressor? Setting s-s just in case.

Flags: sec-bounty?
Flags: needinfo?(mgaudet)
Flags: needinfo?(andrebargull)

Set release status flags based on info from the regressing bug 1841113

Group: core-security → javascript-core-security

ArrayBufferObject::copyAndDetachRealloc() calls ReallocateArrayBufferContents
to realloc the source buffer into ArrayBufferContentsArena. This is only valid
when the source buffer was also created in ArrayBufferContentsArena.

To track if the ArrayBuffer contents were allocated in ArrayBufferContentsArena,
split BufferKind::MALLOCED into MALLOCED_ARRAYBUFFER_CONTENTS_ARENA and
MALLOCED_UNKNOWN_ARENA.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
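The invariant and fix described in the commit message above, modelled as an added C example (this is not SpiderMonkey's own code): buffers carry an origin tag, a stand-in for moz_arena_realloc refuses a buffer from the wrong arena, and transfer() chooses realloc or allocate-and-copy based on the tag. The helper names, the check_arena switch and arena_realloc() returning NULL instead of asserting are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>

/* Added model of bug 1872555 and its fix, not SpiderMonkey code. Buffers carry
 * the origin tag the fix introduced (BufferKind::MALLOCED split into the two
 * kinds below). Helper names and NULL-on-mismatch are assumptions. */
enum BufferKind { MALLOCED_ARRAYBUFFER_CONTENTS_ARENA, MALLOCED_UNKNOWN_ARENA };
struct Buffer { unsigned char* data; size_t length; enum BufferKind kind; };

/* Stand-in for moz_arena_realloc: mozjemalloc asserts "!mArena || arena == mArena";
 * here a buffer from the wrong arena makes realloc fail instead of aborting. */
static void* arena_realloc(void* p, size_t n, enum BufferKind origin) {
  if (origin != MALLOCED_ARRAYBUFFER_CONTENTS_ARENA) return NULL;
  return realloc(p, n);
}

/* Models copyAndDetachRealloc. check_arena == 0 reallocs unconditionally like the
 * regressing code; check_arena == 1 reallocs only when the source is known to be
 * in the contents arena, else allocates, copies, frees. 0 on success, -1 on failure. */
int transfer(struct Buffer* src, struct Buffer* dst, size_t new_length, int check_arena) {
  size_t keep = src->length < new_length ? src->length : new_length;
  unsigned char* p;
  if (!check_arena || src->kind == MALLOCED_ARRAYBUFFER_CONTENTS_ARENA) {
    p = arena_realloc(src->data, new_length, src->kind);
    if (!p) return -1;
  } else {
    p = malloc(new_length);  /* fresh allocation in the contents arena */
    if (!p) return -1;
    memcpy(p, src->data, keep);
    free(src->data);
  }
  if (new_length > keep) memset(p + keep, 0, new_length - keep);  /* zero the grown tail */
  dst->data = p; dst->length = new_length; dst->kind = MALLOCED_ARRAYBUFFER_CONTENTS_ARENA;
  src->data = NULL; src->length = 0;  /* source is detached */
  return 0;
}

/* Constructed sample: transfers a 4-byte buffer {1,2,3,4} of the given kind to
 * new_length; returns the byte sum of the result, or -1 if the transfer failed. */
int run_transfer(enum BufferKind kind, size_t new_length, int check_arena) {
  struct Buffer src = { malloc(4), 4, kind }, dst = { NULL, 0, kind };
  int sum = 0;
  if (!src.data) return -1;
  memcpy(src.data, "\x01\x02\x03\x04", 4);
  if (transfer(&src, &dst, new_length, check_arena) != 0) { free(src.data); return -1; }
  for (size_t i = 0; i < dst.length; i++) sum += dst.data[i];
  free(dst.data);
  return sum;
}
```

Running the unchecked path on a MALLOCED_UNKNOWN_ARENA buffer is the modelled equivalent of the assertion in the report; the checked path takes the copy branch instead and the transfer succeeds.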

(In reply to Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) from comment #0)

Andre/Matthew, is bug 1841113 a likely regressor? Setting s-s just in case.

Yes, this is a regression from bug 1841113. Thankfully it hits a release assertion, so this bug isn't exploitable, because we safely crash.

Flags: needinfo?(andrebargull)
Group: javascript-core-security
Flags: needinfo?(mgaudet)
Severity: -- → S3
Priority: -- → P3
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f9d434215fb9 Transfer can only realloc when the jemalloc arena is known. r=sfink
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

The patch landed in nightly and beta is affected.
:anba, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(andrebargull)
Flags: sec-bounty? → sec-bounty-


Original Revision: https://phabricator.services.mozilla.com/D197492

Attachment #9378455 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Is Android affected?: yes
  • Steps to reproduce for manual QE testing: None
  • String changes made/needed: No
  • Explanation of risk level: Low risk because it only separates internal tagging where the ArrayBuffer malloc-memory was allocated from.
  • Needs manual QE test: no
  • User impact if declined: Crashes browser through a release assertion
  • Code covered by automated testing: yes
  • Risk associated with taking this patch: Low risk
  • Fix verified in Nightly: yes
Flags: needinfo?(andrebargull)
Attachment #9378455 - Flags: approval-mozilla-beta? → approval-mozilla-beta+