Closed Bug 1899339 Opened 8 months ago Closed 8 months ago

Assertion failure: color == MarkColor::Black, at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:256

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

RESOLVED FIXED
129 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox127 --- wontfix
firefox128 --- wontfix
firefox129 --- fixed

People

(Reporter: tsmith, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, pernosco, testcase)

Attachments

(4 files)

Attached file testcase.html

Found while fuzzing m-c 20240523-5f3215269002 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --repeat 10

This requires javascript.options.mem.gc_zeal.mode=25.

Assertion failure: color == MarkColor::Black, at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:256

#0 0x7fcbed2468be in ShouldMarkCrossCompartment /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:256:5
#1 0x7fcbed2468be in ShouldTraceCrossCompartment(JSTracer*, JSObject*, js::gc::Cell*, char const*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:322:10
#2 0x7fcbed246057 in ShouldTraceCrossCompartment /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:329:10
#3 0x7fcbed246057 in void js::TraceManuallyBarrieredCrossCompartmentEdge<JS::Value>(JSTracer*, JSObject*, JS::Value*, char const*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:503:7
#4 0x7fcbece4cfc1 in TraceCrossCompartmentEdge<JS::Value> /builds/worker/checkouts/gecko/js/src/gc/Tracer.h:333:3
#5 0x7fcbece4cfc1 in traceEdgeToTarget /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:866:3
#6 0x7fcbece4cfc1 in js::ProxyObject::trace(JSTracer*, JSObject*) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:905:3
#7 0x7fcbed27e6ca in doTrace /builds/worker/workspace/obj-build/dist/include/js/Class.h:660:5
#8 0x7fcbed27e6ca in CallTraceHook(JSTracer*, JSObject*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1219:12
#9 0x7fcbed27cef3 in bool js::GCMarker::processMarkStackTop<0u>(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1602:3
#10 0x7fcbed27c451 in bool js::GCMarker::markOneColor<0u, (js::gc::MarkColor)1>(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1329:10
#11 0x7fcbed256f14 in bool js::GCMarker::doMarking<0u>(js::SliceBudget&, js::gc::ShouldReportMarkTime) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1297:10
#12 0x7fcbed2569e7 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::gc::ShouldReportMarkTime) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1277:10
#13 0x7fcbed20cb0a in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::gc::GCRuntime::ParallelMarking, js::gc::ShouldReportMarkTime) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3186:19
#14 0x7fcbed2d4e6b in js::gc::GCRuntime::markDuringSweeping(JS::GCContext*, js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:1723:10
#15 0x7fcbed2d83a6 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2349:9
#16 0x7fcbed2109c3 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3883:11
#17 0x7fcbed213c50 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4397:3
#18 0x7fcbed215393 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4588:9
#19 0x7fcbe6f6b8ad in GarbageCollectImpl(JS::GCReason, nsJSContext::IsShrinking, js::SliceBudget const&) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1059:5
#20 0x7fcbe6f6bb00 in nsJSContext::RunIncrementalGCSlice(JS::GCReason, nsJSContext::IsShrinking, js::SliceBudget&) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1096:3
#21 0x7fcbe6b6a3f3 in mozilla::CCGCScheduler::GCRunnerFiredDoGC(mozilla::TimeStamp, mozilla::GCRunnerStep const&) /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:469:3
#22 0x7fcbe6b697a4 in mozilla::CCGCScheduler::GCRunnerFired(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:428:10
#23 0x7fcbe501c41e in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#24 0x7fcbe501c41e in mozilla::IdleTaskRunner::Run() /builds/worker/checkouts/gecko/xpcom/threads/IdleTaskRunner.cpp:124:14
#25 0x7fcbe501cfee in mozilla::IdleTaskRunnerTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/IdleTaskRunner.cpp:45:15
#26 0x7fcbe502bc76 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#27 0x7fcbe502a59e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:772:15
#28 0x7fcbe502a8b5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#29 0x7fcbe503a5b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#30 0x7fcbe503a5b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#31 0x7fcbe504f60d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#32 0x7fcbe505668f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#33 0x7fcbe5d3d3a5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#34 0x7fcbe5c53cf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7fcbe5c53cf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7fcbea67c5f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#37 0x7fcbea73e068 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#38 0x7fcbec5d579b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#39 0x7fcbe5d3e286 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#40 0x7fcbe5c53cf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#41 0x7fcbe5c53cf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#42 0x7fcbec5d4fbb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#43 0x5635d92b9b6f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#44 0x5635d92b9b6f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#45 0x7fcbfa029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#46 0x7fcbfa029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#47 0x5635d928ee78 in _start (/home/user/workspace/browsers/m-c-20240528001238-fuzzing-debug/firefox-bin+0x59e78) (BuildId: 0d8db5cf0347cfd5e7aeb1fb2fe0e41dd1baea18)

Attached file prefs.js

prefs.js file for bugmon

A Pernosco session is available here: https://pernos.co/debug/RrPXMfyUuPpiKKKVgYlPeg/index.html

Keywords: pernosco

Jon, you might be interested in this bug given that there is a Pernosco recording of it.
However, I have no clue of the security rating of this bug, so feel free to adjust it.

Blocks: GC.stability
Severity: -- → S3
Flags: needinfo?(jcoppeard)
Priority: -- → P1

Unable to reproduce bug 1899339 using build mozilla-central 20240523041055-5f3215269002. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: sec-high
Keywords: sec-high
Whiteboard: sec-high

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:willyelm, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(wmedina)

This looks like another over-eager assertion. The target cell is on the gray marking stack but is already marked black, probably because of a barrier. The correct thing to do is ignore it.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Severity: S3 → S2
Flags: needinfo?(wmedina)

Not security sensitive as it's an over-eager assertion.

Group: javascript-core-security

This assertion was complaining about trying to mark the source of a cross-zone
edge to a nursery thing gray when in fact the source was already marked black.

The patch checks whether the target is already sufficiently marked and bails out
early in that case. This can happen due to a barrier marking a thing black when
it's already on the gray marking stack.

Something else I noticed while investigating this was the conditional assertion
about not creating black to gray edges here.

The contract is that we never pass gray GC things into the JS engine so this
assertion can be tightened up. I tested with this change and didn't see any
failures.

Keywords: sec-high
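
The situation described in the patch comment above, as an added illustrative model that is not SpiderMonkey's code (the cell, color ordering, gray stack and barrier step are simplified assumptions): a cell queued for gray marking is turned black by a barrier before the stack is drained, and a marking step that skips an already sufficiently marked cell behaves correctly where a check demanding an exact color would fire.

```cpp
// Added illustrative model, not SpiderMonkey code: a cell queued for gray
// marking gets marked black by a barrier before the gray stack is drained.
#include <cstdint>
#include <vector>

// Colors ordered by strength; black satisfies any gray requirement.
enum class MarkColor : uint8_t { None = 0, Gray = 1, Black = 2 };

struct Cell { MarkColor color = MarkColor::None; };

// True when `cell` is marked at least `color`.
static bool isMarkedAtLeast(const Cell& cell, MarkColor color) {
  return static_cast<uint8_t>(cell.color) >= static_cast<uint8_t>(color);
}

// Over-eager check modelled on the old assertion: a marked cell must carry
// exactly the current mark color. Returns true when it would have fired.
static bool strictCheckFires(const Cell& cell, MarkColor current) {
  return cell.color != MarkColor::None && cell.color != current;
}

// Fixed check: skip the edge when the cell is already sufficiently marked.
static bool shouldMarkCrossZone(const Cell& cell, MarkColor current) {
  return !isMarkedAtLeast(cell, current);
}

struct Outcome { int failures; MarkColor finalColor; };

// Queue a cell for gray marking, let a barrier mark it black, then drain the
// gray stack with the chosen check. Reports how often the check fails and
// what color the cell ends up with (it must never be downgraded to gray).
static Outcome simulateBarrierRace(bool useFixedCheck) {
  Cell cell;
  std::vector<Cell*> grayStack;
  grayStack.push_back(&cell);       // queued while marking gray
  cell.color = MarkColor::Black;    // barrier marks it black in the meantime

  int failures = 0;
  while (!grayStack.empty()) {
    Cell* c = grayStack.back();
    grayStack.pop_back();
    if (useFixedCheck) {
      if (shouldMarkCrossZone(*c, MarkColor::Gray)) c->color = MarkColor::Gray;
    } else if (strictCheckFires(*c, MarkColor::Gray)) {
      ++failures;
    }
  }
  return {failures, cell.color};
}
```

Calling simulateBarrierRace(false) reports one spurious failure, while simulateBarrierRace(true) reports none and leaves the cell black in both cases.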
Pushed by acseh@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/ca6497797688 Part 1: Ignore cross zone edges that are already sufficiently marked r=sfink
https://hg.mozilla.org/mozilla-central/rev/536a7230483b Part 2: Tighten up assertions when setting proxy private r=sfink
https://hg.mozilla.org/mozilla-central/rev/72b41b724d94 apply code formatting via Lando
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch

The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox128 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jcoppeard)

This can ride the trains.

Flags: needinfo?(jcoppeard)