Closed
Bug 1880870
Opened 1 year ago
Closed 1 year ago
Assertion failure: false (EraseCallback(nurseryCollectionCallbacks.ref(), callback, data)), at gc/GC.cpp:1557
Categories
(Core :: JavaScript: GC, defect, P1)
Tracking
()
RESOLVED
FIXED
125 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox123 | --- | wontfix |
| firefox124 | --- | wontfix |
| firefox125 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(1 file)
var x = [];
function f() {
Object.entries(x);
Object.defineProperty(x, "", { enumerable: true, get: f });
}
oomTest(f);
(gdb) bt
#0 js::gc::GCRuntime::removeNurseryCollectionCallback (this=<optimized out>, callback=0x555557ccf870 <js::AutoSelectGCHeap::NurseryCollectionCallback(JSContext*, JS::GCNurseryProgress, JS::GCReason, void*)>, data=0x7fffffff16c0) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:1556
#1 0x00005555573681f5 in TryEnumerableOwnPropertiesNative<(EnumerableOwnPropertiesKind)2> (cx=0x7ffff662d100, obj=..., rval=..., optimized=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/builtin/Object.cpp:1895
#2 EnumerableOwnProperties<(EnumerableOwnPropertiesKind)2> (cx=0x7ffff662d100, args=...) at /home/yksubu/trees/mozilla-central/js/src/builtin/Object.cpp:2019
#3 obj_entries (cx=0x7ffff662d100, argc=<optimized out>, vp=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/builtin/Object.cpp:2183
#4 0x00002c968b6e46e3 in ?? ()
#5 0x00007ffff669857d in ?? ()
#6 0x00007fffffff1a30 in ?? ()
#7 0x0000000000000000 in ?? ()
(gdb)
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5c1bdf739b56
user: Jon Coppeard
date: Sat Dec 02 08:47:13 2023 +0000
summary: Bug 1867453 - Fix quadratic behaviour enumerating own properties r=sfink
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 5c6884a349b6.
Setting s-s to be safe. Jon, is bug 1867453 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(jcoppeard)
|
||
Updated•1 year ago
|
Group: core-security → javascript-core-security
|
Assignee | |
Comment 1•1 year ago
|
||
Not security-sensitive. The assertion that fails is checking that we remove a nursery collection callback, and this happens because we failed to add it due to OOM. This would not cause a problem in release builds.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Updated•1 year ago
|
Group: javascript-core-security
|
|
Assignee | |
Comment 2•1 year ago
|
||
|
||
Comment 3•1 year ago
|
||
Set release status flags based on info from the regressing bug 1867453
status-firefox123:
--- → affected
status-firefox124:
--- → affected
status-firefox-esr115:
--- → unaffected
|
||
Updated•1 year ago
|
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5309478aa9cb
Don't attempt to remove AutoSelectGCHeap's callback if we failed to add it r=sfink
|
||
Comment 5•1 year ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
Flags: sec-bounty? → sec-bounty-
|
Reporter | |
Updated•11 months ago
|
Blocks: gkw-js-fuzzing
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•