Closed Bug 1884746 Opened 7 months ago Closed 7 months ago

Assertion failure: !zone->uniqueIds().has(tgt), at gc/StableCellHasher-inl.h:140

Categories

(Core :: JavaScript: GC, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
var x = newGlobal().Int8Array;
for (let i = 0; i < 2; i++) {
  function f() {}
  oomTest(function() {
    new x().__proto__ = f;
  });
}
140	  MOZ_ASSERT(!zone->uniqueIds().has(tgt));
(gdb) bt
#0  js::gc::TransferUniqueId (tgt=0x21fe74f86040, src=0xf0a8e501ca0) at /home/yksubu/trees/mozilla-central/js/src/gc/StableCellHasher-inl.h:140
#1  0x0000555557d3932a in js::Nursery::sweep (this=this@entry=0x7ffff66317f0) at /home/yksubu/trees/mozilla-central/js/src/gc/Nursery.cpp:1689
#2  0x0000555557d361a2 in js::Nursery::doCollection (this=this@entry=0x7ffff66317f0, session=..., options=options@entry=JS::GCOptions::Shutdown, reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/Nursery.cpp:1421
#3  0x0000555557d3563f in js::Nursery::collect (this=0x7ffff66317f0, options=JS::GCOptions::Shutdown, reason=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/Nursery.cpp:1175
#4  0x0000555557caf3ad in js::gc::GCRuntime::collectNursery (this=this@entry=0x7ffff662f798, options=JS::GCOptions::Shutdown, reason=reason@entry=JS::GCReason::DESTROY_RUNTIME, phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY_FOR_MAJOR_GC) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4735
#5  0x0000555557cae2e7 in js::gc::GCRuntime::collectNurseryFromMajorGC (this=0x7ffff662f798, reason=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:3881
#6  js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff662f798, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME, budgetWasIncreased=false) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:3719
#7  0x0000555557cb194e in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff662f798, nonincrementalByAPI=true, budgetArg=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4307
#8  0x0000555557cb3254 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff662f798, nonincrementalByAPI=true, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4498
#9  0x0000555557c7fcba in js::gc::GCRuntime::gc (this=0x7ffff662f798, options=JS::GCOptions::Shutdown, reason=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4575
#10 0x00005555576a11d0 in JSRuntime::destroyRuntime (this=0x7ffff662f000) at /home/yksubu/trees/mozilla-central/js/src/vm/Runtime.cpp:258
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a8b602d1067a
user:        Jon Coppeard
date:        Wed May 10 08:27:02 2023 +0000
summary:     Bug 1832044 - Part 5: Move some parts of allocation out of line r=sfink

Run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 343e945a502e.

I do have at least one other testcase for this assertion failure that does not involve oomTest but which cannot be reproduced.

Setting s-s to be safe. Jon, is bug 1832044 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1832044

We can have duplicates of the same cell in the Nursery::cellsWithUid_ vector, e.g. if we repeatedly try to add a unique ID but fail half way through due to OOM. That could lead to triggering this assertion that the target of an ID transfer doesn't already have an ID. However, when this happens the source of the transfer has already had the ID removed.

This case is handled by HashMap::rekeyAs, called from rekeyIfMoved in the following line, as it first looks up the source cell in the map and does nothing if it's not present.

The fix is to relax the assertion.

Assignee: nobody → jcoppeard
Status: NEW → ASSIGNED
Group: javascript-core-security
Severity: -- → S3
Priority: -- → P2
Flags: needinfo?(jcoppeard)
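A small model of the mechanism described in the diagnosis above, added here as an illustration and not SpiderMonkey's own code: a unique-ID map keyed by cell, a cells-with-UID list that may hold the same nursery cell twice, and a transfer routine checked either with the page's original assertion or with an assumed relaxed form that only objects while the source still owns an ID. Cell, UniqueIdMap, rekeyIfMoved, transferUniqueId, sweepCellsWithUid and runScenario are hypothetical stand-ins for the real zone->uniqueIds(), HashMap::rekeyAs, js::gc::TransferUniqueId and the Nursery::sweep loop.

```cpp
// Simplified model of unique-ID transfer during nursery sweep. Added
// illustration, not SpiderMonkey code: Cell, UniqueIdMap, rekeyIfMoved,
// transferUniqueId and sweepCellsWithUid stand in for zone->uniqueIds(),
// HashMap::rekeyAs, js::gc::TransferUniqueId and the cellsWithUid_ loop.
#include <cstdint>
#include <unordered_map>
#include <vector>
struct Cell { Cell* forwarded = nullptr; };  // tenured copy after a minor GC
using UniqueIdMap = std::unordered_map<const Cell*, uint64_t>;
// Models HashMap::rekeyAs: looks up src first and does nothing if absent.
static bool rekeyIfMoved(UniqueIdMap& ids, const Cell* src, const Cell* tgt) {
  auto it = ids.find(src);
  if (it == ids.end()) return false;
  ids.emplace(tgt, it->second);
  ids.erase(src);
  return true;
}

// Models TransferUniqueId; returns false where MOZ_ASSERT would fire.
// strict=true is the page's pre-fix MOZ_ASSERT(!zone->uniqueIds().has(tgt));
// strict=false: assumed relaxed form that only objects while src still has an ID.
static bool transferUniqueId(UniqueIdMap& ids, const Cell* src,
                             const Cell* tgt, bool strict) {
  if (ids.count(tgt) && (strict || ids.count(src))) return false;
  rekeyIfMoved(ids, src, tgt);
  return true;
}

// The Nursery::sweep loop over cells with UIDs; false if the assertion fired.
static bool sweepCellsWithUid(const std::vector<Cell*>& list, UniqueIdMap& ids,
                              bool strict) {
  for (Cell* src : list)
    if (src->forwarded && !transferUniqueId(ids, src, src->forwarded, strict))
      return false;
  return true;
}

// The page's scenario: one nursery cell listed twice after an OOM part way
// through assigning its ID. True if the sweep ends with the ID (constructed
// value 42) attached only to the tenured copy.
static bool runScenario(bool duplicateEntry, bool strict) {
  Cell nursery, tenured;
  nursery.forwarded = &tenured;
  UniqueIdMap ids{{&nursery, 42}};
  std::vector<Cell*> list{&nursery};
  if (duplicateEntry) list.push_back(&nursery);
  return sweepCellsWithUid(list, ids, strict) && ids.count(&nursery) == 0 &&
         ids.count(&tenured) == 1 && ids.at(&tenured) == 42;
}
```

With a single list entry both checks pass; with the duplicate entry the strict check fires on the second transfer even though the map already holds the correct state, which is why relaxing it is safe here.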
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8f17584e0cfb Relax assertion when transferring unique IDs after nursery collection r=jandem
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
Flags: sec-bounty? → sec-bounty-