Closed Bug 1894547 Opened 1 year ago Closed 1 year ago

Assertion failure: zone->isGCMarking(), at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:774

Categories: Core :: JavaScript: GC, defect, P1

Tracking: RESOLVED FIXED, 127 Branch
Tracking Status:
firefox-esr115 --- unaffected
firefox125 --- unaffected
firefox126 --- unaffected
firefox127 --- fixed

People: Reporter: tsmith, Assigned: jonco

References: Blocks 2 open bugs, Regression

Details: 4 keywords

Attachments: 1 file

Found with m-c 20240430-b7a1a8a3af7f (--enable-debug --enable-fuzzing)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://kmart.com.au/. I can reliably reproduce this issue. I can also reproduce under rr but I hit a bug in rr and the trace is rejected by Pernosco.

Assertion failure: zone->isGCMarking(), at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:774

#0 0x7feb1daae163 in void js::GCMarker::markImplicitEdges<JS::Symbol>(JS::Symbol*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:774:3
#1 0x7feb1dae962f in traverse<4U> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1024:5
#2 0x7feb1dae962f in markAndTraverse<4U, JS::Symbol> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:977:5
#3 0x7feb1dae962f in void js::GCMarker::markAndTraverseEdge<4u, JSObject, JS::Symbol>(JSObject*, JS::Symbol*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1147:3
#4 0x7feb1dabd784 in bool js::GCMarker::processMarkStackTop<4u>(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1559:7
#5 0x7feb1dadf841 in bool js::GCMarker::markOneColor<4u, (js::gc::MarkColor)2>(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1311:10
#6 0x7feb1dabb2b3 in bool js::GCMarker::doMarking<4u>(js::SliceBudget&, js::gc::ShouldReportMarkTime) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1268:29
#7 0x7feb1dabb191 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::gc::ShouldReportMarkTime) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1256:12
#8 0x7feb1db27f38 in js::gc::IncrementalProgress js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter>(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:533:19
#9 0x7feb1db2d3a0 in markWeakReferencesInCurrentGroup /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:556:10
#10 0x7feb1db2d3a0 in js::gc::GCRuntime::endMarkingSweepGroup(JS::GCContext*, js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:1155:7
#11 0x7feb1db62ef0 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2179:23
#12 0x7feb1db59dde in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2214:19
#13 0x7feb1db35601 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2362:53
#14 0x7feb1da75763 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3820:11
#15 0x7feb1da78b60 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4334:3
#16 0x7feb1da7a293 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4525:9
#17 0x7feb1779f3ad in GarbageCollectImpl(JS::GCReason, nsJSContext::IsShrinking, js::SliceBudget const&) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1059:5
#18 0x7feb1779f600 in nsJSContext::RunIncrementalGCSlice(JS::GCReason, nsJSContext::IsShrinking, js::SliceBudget&) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1096:3
#19 0x7feb1739fe23 in mozilla::CCGCScheduler::GCRunnerFiredDoGC(mozilla::TimeStamp, mozilla::GCRunnerStep const&) /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:469:3
#20 0x7feb1739f1d4 in mozilla::CCGCScheduler::GCRunnerFired(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:428:10
#21 0x7feb15800781 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#22 0x7feb15800781 in mozilla::IdleTaskRunner::Run() /builds/worker/checkouts/gecko/xpcom/threads/IdleTaskRunner.cpp:124:14
#23 0x7feb1580134e in mozilla::IdleTaskRunnerTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/IdleTaskRunner.cpp:45:15
#24 0x7feb1580ffd6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#25 0x7feb1580e91e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:772:15
#26 0x7feb1580ec35 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#27 0x7feb1581e906 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#28 0x7feb1581e906 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#29 0x7feb15833c32 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#30 0x7feb1583ad7d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#31 0x7feb165415a5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#32 0x7feb16457411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#33 0x7feb16457411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#34 0x7feb1af25e98 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#35 0x7feb1afe89f8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#36 0x7feb1ce3870b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#37 0x7feb16542486 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#38 0x7feb16457411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#39 0x7feb16457411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#40 0x7feb1ce37f32 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#41 0x56011ac56606 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x56011ac56606 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#43 0x7feb2a6cad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#44 0x7feb2a6cae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#45 0x56011ac2c338 in _start (/home/worker/build/firefox-bin+0x59338) (BuildId: 5140e8d62c09545a44c9a801cad3f8f944ffca4d)

If we're hitting it consistently on this site, this might be fixable, and also exploitable unless this assertion isn't as bad as it sounds.

Keywords: sec-high

This could be a dupe of bug 1894442.

Severity: -- → S2
Priority: -- → P1

This is asserting because we are marking a Symbol that's used as a weakmap key during weak marking while not collecting the atoms zone. All symbols are allocated in the atoms zone and usually we just go ahead and mark atoms we find via tracing even if we're not actually collecting the atoms zone, presumably because it's cheaper than checking every string pointer. Previously this had no effect because atoms don't entrain any other GC things but symbols can do via weakmap entries. So we now need to check the zone state when marking symbols.

Keywords: regression
Regressed by: 1890670
Assignee: nobody → jcoppeard
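To make the mechanism in the comment above concrete, here is an added toy model in C++. It is not SpiderMonkey code and is not the patch from this bug: Zone, Cell, Symbol/Object kinds, WeakMapTable, Marker and simulate() are all invented for illustration. It models a zone GC where the content zone is collected but the atoms zone is not, with a content-zone object holding a symbol that is a weakmap key whose value also lives in the content zone. With the pre-fix behaviour (symbols marked unconditionally) the marker follows the key's implicit edge while the atoms zone is not marking, which is the invariant the debug assertion checks; with the key's zone checked first, the symbol is simply skipped during a zone GC and still entrains its value during a full GC.

```cpp
// Added toy model of the marking invariant described in this bug.
// NOT SpiderMonkey code: every type and function here is invented for
// illustration and merges weak marking into ordinary marking for brevity.
#include <cstdio>
#include <map>
#include <vector>

struct Zone {
  bool collecting = false;                  // is this zone part of the current GC?
  bool isGCMarking() const { return collecting; }
};

enum class Kind { Symbol, Object };

struct Cell {
  Kind kind;
  Zone* zone;
  bool marked = false;
  std::vector<Cell*> edges;                 // strong edges (objects only)
  Cell(Kind k, Zone* z) : kind(k), zone(z) {}
};

// Symbol-keyed weakmap entries flattened into one table: key -> value.
// A marked key entrains (marks) its value: the "implicit edge".
using WeakMapTable = std::map<Cell*, Cell*>;

struct Marker {
  const WeakMapTable& weakmaps;
  bool checkSymbolZone;                     // the fix: look at the key's zone first
  bool invariantViolated = false;           // stands in for the debug assertion

  Marker(const WeakMapTable& wm, bool check)
      : weakmaps(wm), checkSymbolZone(check) {}

  // Counterpart of the asserting function: implicit edges may only be
  // followed while the key's zone is actually being marked.
  void markImplicitEdges(Cell* key) {
    if (!key->zone->isGCMarking()) { invariantViolated = true; return; }
    auto it = weakmaps.find(key);
    if (it != weakmaps.end()) markAndTraverseEdge(it->second);
  }

  void markAndTraverseEdge(Cell* target) {
    if (target->kind == Kind::Symbol) {
      // Pre-fix behaviour: symbols (atoms zone) were marked without checking
      // whether the atoms zone is in this GC. The fix adds this early return.
      if (checkSymbolZone && !target->zone->isGCMarking()) return;
      if (target->marked) return;
      target->marked = true;
      markImplicitEdges(target);
      return;
    }
    // Ordinary cells are only marked when their zone is being collected.
    if (!target->zone->isGCMarking() || target->marked) return;
    target->marked = true;
    for (Cell* e : target->edges) markAndTraverseEdge(e);
  }
};

struct Result {
  bool invariantViolated;
  bool symbolMarked;
  bool valueMarked;
};

// Scenario: a content-zone object roots a symbol that is a weakmap key whose
// value lives in the content zone. atomsCollecting selects zone GC vs full GC.
Result simulate(bool atomsCollecting, bool checkSymbolZone) {
  Zone atoms, content;
  atoms.collecting = atomsCollecting;
  content.collecting = true;

  Cell root(Kind::Object, &content);
  Cell key(Kind::Symbol, &atoms);
  Cell value(Kind::Object, &content);
  root.edges.push_back(&key);

  WeakMapTable wm;
  wm[&key] = &value;

  Marker m(wm, checkSymbolZone);
  m.markAndTraverseEdge(&root);
  return Result{m.invariantViolated, key.marked, value.marked};
}

int main() {
  Result before = simulate(/*atomsCollecting=*/false, /*checkSymbolZone=*/false);
  Result after  = simulate(false, true);
  Result full   = simulate(true, true);
  std::printf("zone GC, unchecked: invariantViolated=%d\n", before.invariantViolated);
  std::printf("zone GC, checked:   invariantViolated=%d valueMarked=%d\n",
              after.invariantViolated, after.valueMarked);
  std::printf("full GC, checked:   symbolMarked=%d valueMarked=%d\n",
              full.symbolMarked, full.valueMarked);
  return 0;
}
```

The model deliberately keeps the old unconditional marking of symbols reachable behind a flag so the two behaviours can be compared on the same heap shape; in the real engine the "check the zone" branch is the change, and the weakmap value is only reached during the weak-marking phase rather than inline as here.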

Set release status flags based on info from the regressing bug 1890670

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/64ef6a7a9ede Check a symbol's zone before marking it r=sfink
Backout by acseh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d7fdeffc49d3 Backed out changeset 64ef6a7a9ede for causing assertion failures on Marking.cpp CLOSED TREE

Backed out for assertion failures in Marking.cpp:

Push with failures
Failure log

Assertion failure: zone->isGCMarking(), at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:774

Flags: needinfo?(jcoppeard)
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6f1718be6118 Check a symbol's zone before marking it r=sfink
Duplicate of this bug: 1894593
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Regressions: 1895842
Flags: needinfo?(jcoppeard)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Duplicate of this bug: 1895336
Regressions: 1898473
Group: core-security-release