Closed Bug 1878098 Opened 1 year ago Closed 1 year ago

Assertion failure: self.get(), at builtin/TestingFunctions.cpp:5274

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: gkw, Assigned: sfink)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

debug stack
3.92 KB, text/plain
Details
Bug 1878098 - Properly oom check test serialization log allocation
48 bytes, text/x-phabricator-request
Details | Review
Attached file debug stack 
x = [];
x.keepFailing = [];
oomTest(function () {
  y = { z: [] };
  makeSerializable().log;
}, x);

(gdb) bt
#0  CustomSerializableObject::ActivityLog::getThreadLog ()
    at /home/gen32gx500/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:5274
#1  0x000055555778fcc1 in CustomSerializableObject::getLog_impl (
    cx=cx@entry=0x7ffff662e100, args=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:5362
#2  0x000055555778f938 in JS::CallNonGenericMethod<&CustomSerializableObject::is, &CustomSerializableObject::getLog_impl> (cx=0x7ffff662e100, args=...)
    at /home/gen32gx500/shell-cache/js-dbg-64-linux-x86_64-366005a91eda/objdir-js/dist/include/js/CallNonGenericMethod.h:103
#3  CustomSerializableObject::getLog (cx=cx@entry=0x7ffff662e100, 
    argc=<optimized out>, vp=<optimized out>)
    at /home/gen32gx500/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:5355
#4  0x00005555571c5125 in CallJSNative (cx=cx@entry=0x7ffff662e100, 
    native=native@entry=0x55555778f850 <CustomSerializableObject::getLog(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Getter, args=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:480
#5  0x000055555719c19b in js::InternalCallOrConstruct (cx=0x7ffff662e100, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Getter)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:574
#6  0x000055555719d10d in InternalCall (cx=0x7ffff7e37700 <_IO_stdfile_2_lock>, 
    cx@entry=0x7ffff662e100, args=..., reason=1488306768, 
    reason@entry=js::CallReason::Getter)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:641
#7  0x000055555719d32e in js::Call (cx=cx@entry=0x7ffff662e100, 
    fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=..., 
    reason=reason@entry=js::CallReason::Getter)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:673
#8  0x000055555719e744 in js::CallGetter (cx=cx@entry=0x7ffff662e100, 
    thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:795
#9  0x00005555574bbbcb in CallGetter (cx=<optimized out>, obj=..., receiver=..., 
    id=..., prop=..., vp=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/NativeObject.cpp:2150
#10 GetExistingProperty<(js::AllowGC)1> (cx=cx@entry=0x7ffff662e100, 
    receiver=receiver@entry=..., obj=obj@entry=..., id=id@entry=..., prop=..., 
    vp=vp@entry=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/NativeObject.cpp:2178
#11 0x00005555574bc599 in NativeGetPropertyInline<(js::AllowGC)1> (
    cx=0x7ffff662e100, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, 
    vp=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/NativeObject.cpp:2326
#12 0x00005555570ae8db in js::GetProperty (cx=0x7ffff662e100, obj=..., 
    receiver=..., name=<optimized out>, vp=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/ObjectOperations-inl.h:124
#13 0x00005555571c01e8 in js::GetProperty (cx=cx@entry=0x7ffff662e100, 
    v=v@entry=..., name=name@entry=..., vp=vp@entry=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:4519
#14 0x0000555557d76b34 in js::jit::DoGetPropFallback (cx=0x7ffff662e100, 
    frame=0x7fffffffc048, stub=0x7ffff6448a10, val=..., res=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1283
/snip

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --disable-bootstrap --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 366005a91eda.

Setting s-s to be safe.

Flags: sec-bounty?
Group: core-security → javascript-core-security
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0e22cec33a2f
user:        Steve Fink
date:        Wed May 10 16:51:48 2023 +0000
summary:     Bug 1818576 - Test infrastructure for custom serializable objects r=spidermonkey-reviewers,mgaudet

Steve, is bug 1818576 a likely regressor?

Flags: needinfo?(sphink)
Keywords: regression
Regressed by: 1818576

Set release status flags based on info from the regressing bug 1818576

status-firefox122: --- → affected
status-firefox123: --- → affected
status-firefox-esr115: --- → affected

Not s-s, crash in testing code itself. Likely needs to simply be marked as AutoEnterOOMUnsafeRegion

Group: javascript-core-security
Severity: -- → S4
Priority: -- → P3

Set release status flags based on info from the regressing bug 1818576

status-firefox125: --- → affected
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Flags: needinfo?(sphink)
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/978a40eb07a2 Properly oom check test serialization log allocation r=spidermonkey-reviewers,mgaudet
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/771144ea376d Properly oom check test serialization log allocation r=spidermonkey-reviewers,mgaudet
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d07920bed34c Properly oom check test serialization log allocation r=spidermonkey-reviewers,mgaudet

https://hg.mozilla.org/mozilla-central/rev/d07920bed34c

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox125: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
status-firefox124: affectedwontfix
status-firefox-esr115: affectedwontfix
Flags: needinfo?(sphink) → in-testsuite+
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: