1916388 - Assertion failure: (asBits_ & js::gc::CellAlignMask) == 0 (GC pointer is not aligned. Is this memory corruption?), at /builds/worker/workspace/obj-build/dist/include/js/Value.h:757

Status: VERIFIED FIXED

(Core :: JavaScript: GC, defect, P2)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20240902-e8cf043939ae (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker(` 
  const nurseryCount = 25000;
  const tenuredCount = 300000;
  function allocateObjects(count, longLived) {
    let array = new Array(nurseryCount);
    for (let i = 0; i < count; i++) {
      let x = {x: i};
      if (longLived) {
        array[i % nurseryCount] = x;
      } else {
        array[0] = x;
      }
    }
  }
  fullcompartmentchecks(true);
  allocateObjects(tenuredCount, true);
  bailAfter(100);
  allocateObjects(tenuredCount);
`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556e755bd in JS::Value::toObject() const ()
#1  0x00005555579959d1 in _ZN2js15MapGCThingTypedIZ18TraceTaggedPtrEdgeIN2JS5ValueEEbP8JSTracerPT_PKcEUlS6_E_EEDaRKS3_OS6_ ()
#2  0x0000555557977f35 in js::gc::TraceEdgeInternal(JSTracer*, JS::Value*, char const*) ()
#3  0x00005555572b79bc in JSObject::traceChildren(JSTracer*) ()
#4  0x0000555557a01cbb in JS::TraceChildren(JSTracer*, JS::GCCellPtr) ()
#5  0x0000555557942159 in js::gc::GCRuntime::checkForCompartmentMismatches() ()
#6  0x0000555557947288 in js::gc::GCRuntime::endPreparePhase(JS::GCReason) ()
#7  0x000055555794e279 in js::gc::GCRuntime::incrementalSlice(JS::SliceBudget&, JS::GCReason, bool) ()
#8  0x00005555579519bd in js::gc::GCRuntime::gcCycle(bool, JS::SliceBudget const&, JS::GCReason) ()
#9  0x0000555557953374 in js::gc::GCRuntime::collect(bool, JS::SliceBudget const&, JS::GCReason) ()
#10 0x00005555579543c4 in js::gc::GCRuntime::startGC(JS::GCOptions, JS::GCReason, JS::SliceBudget const&) ()
#11 0x000055555793cca6 in js::gc::GCRuntime::gcIfRequestedImpl(bool) ()
#12 0x00005555573d7c9a in JSContext::handleInterrupt() ()
#13 0x000025a7f940fef2 in ?? ()
[...]
#17 0x0000000000000000 in ?? ()
rax	0x5555557fd563	93824995022179
rbx	0x7ffff46653b0	140737293734832
rcx	0x555558890b90	93825045957520
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffff4665350	140737293734736
rsp	0x7ffff4665350	140737293734736
r8	0x7ffff7105770	140737338431344
r9	0x7ffff4667700	140737293743872
r10	0x0	0
r11	0x0	0
r12	0x7ffff46653e0	140737293734880
r13	0x1	1
r14	0xfffe4b4b4b4b4b4b	-480163195565237
r15	0x331911db1de8	56182766771688
rip	0x555556e755bd <JS::Value::toObject() const+285>
=> 0x555556e755bd <_ZNK2JS5Value8toObjectEv+285>:	movl   $0x2f5,0x0
   0x555556e755c8 <_ZNK2JS5Value8toObjectEv+296>:	callq  0x555556f17520 <abort>

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Nicolas B. Pierron [:nbp]]

My guess would be that this looks like a JIT issue due to bailAfter call remaining in the minimized test case.

Iain, I will let you have a look as I suppose this might be a recent change, otherwise feel free to bounce it back toward me.

Comment 4

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240903210242-7fa1ed101e24.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 2baa05b3de23279a816786063ed054d0fb5ed66c (20240607042001)
End: e8cf043939ae46485e1f683456c399b124b688cd (20240902214955)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 5

[Jan de Mooij [:jandem]]

Iain is on leave. Also jonco and I discussed this yesterday and he'd take a look.

If this is a JIT issue feel free to forward it to me.

Comment 6

[Jon Coppeard (:jonco)]

The JIT allocates an object in the tenured heap but doesn't initialize its slots. Then we bail out, then we GC. The GC checks the heap and finds the object in a partially initialized state and crashes.

I'm not particularly familiar with this code, but this line in ShouldInitFixedSlots implies it should return true if bailout is possible, but CodeGenerator::emitDebugForceBailing can cause bailout regardless.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:willyelm, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Comment 8

[Jan de Mooij [:jandem]]

This is a problem with the bailAfter testing function.

Comment 9

[Jan de Mooij [:jandem]]

Attachment: Bug 1916388 - Always initialize all fixed slots if bailAfter testing function is used. r?jonco!

Not adding the test case because it's a bit slow, hard to reduce, and likely
brittle too.

Comment 10

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5234f6e45630
Always initialize all fixed slots if bailAfter testing function is used. r=jonco

Comment 11

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/5234f6e45630

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240906093607-9df162c80958.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.