Open Bug 1923827 Opened 11 months ago Updated 10 months ago

Assertion failure: toSpace.mallocedBufferBytes >= nbytes, at js/src/gc/Nursery.h:238

Categories: Core :: JavaScript Engine, defect, P2

People: Reporter: sm-bugs, Unassigned, NeedInfo

References: Blocks 2 open bugs

Details: Keywords: reporter-external

Steps to reproduce:

Version: 9f49f28c3b7f53b1a1f47350ed38437d113d1aa6
Arguments:

js --fuzzing-safe <test-case>

Test case:

a = newString
a.nursery = false
b = {
  "capacity": 4000
}
ensureLinearString(newRope(newRope(newString("abcdefghijklmnopqrstuvwxyz", b), "0"),"0", a))

Actual results:

Assertion failure: toSpace.mallocedBufferBytes >= nbytes, at js/src/gc/Nursery.h:238

#0 0x55de86d93e90 in js::Nursery::removeMallocedBuffer(void*, unsigned long) js/src/gc/Nursery.h:238:5
#1 0x55de87077ac4 in UpdateNurseryBuffersOnTransfer(js::Nursery&, JSExtensibleString*, JSString*, void*, unsigned long) js/src/vm/StringType.cpp:966:13
#2 0x55de8707be80 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSRope*) js/src/vm/StringType.cpp:1113:10
#3 0x55de870303ec in JSRope::flatten(JSContext*) js/src/vm/StringType.cpp:996:25
#4 0x55de87217f7c in JSString::ensureLinear(JSContext*) js/src/vm/StringType.h:2174:46
#5 0x55de87217f7c in EnsureLinearString(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:3989:48
#6 0x55de869fed8e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:527:13
#7 0x55de869fdfef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:623:12
#8 0x55de86a161e4 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:695:10
#9 0x55de86a161e4 in js::Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3520:16
#10 0x55de869fce20 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:497:13
#11 0x55de86a021d1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:888:13
#12 0x55de86a029dc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:921:10
#13 0x55de86c52dc9 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:495:10
#14 0x55de86c53047 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:519:10
#15 0x55de8696668e in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) js/src/shell/js.cpp:1316:10
#16 0x55de869659f5 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp
#17 0x55de869207de in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11453:10
#18 0x55de869207de in Shell(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11705:12
#19 0x55de86917a5d in main js/src/shell/js.cpp:12262:12
#20 0x7fa036d28d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#21 0x7fa036d28e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#22 0x55de868e0ed8 in _start (reproducebuild/dist/bin/js+0x1c3ced8) (BuildId: ae8f5592e3da63f6b78171c09ed53600)
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 130 → Trunk
Group: core-security → javascript-core-security

This might be from StringBuffer changes.

Flags: needinfo?(jdemooij)

(In reply to Jan de Mooij [:jandem] from comment #1)

> This might be from StringBuffer changes.

It's not. If I change AllocCharsForFlatten to always malloc it still fails.

What happens is that the newString testing function calls registerMallocedBuffer with length 26, but when we later call removeMallocedBuffer we use the full capacity (4000) so we fail the assertion.

I'm not sure what's the best way to fix this. Steve, WDYT?

var extensible = newString("abcdefghijklmnopqrstuvwxyz", {capacity:4000}); // 26 chars, buffer capacity 4000
var rope1 = newRope(extensible, "0");
var rope2 = newRope(rope1, "0", {nursery: false}); // rope allocated outside the nursery
ensureLinearString(rope2); // flattening transfers the buffer and trips the assertion
Flags: needinfo?(jdemooij) → needinfo?(sphink)
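The accounting mismatch this comment describes, as a constructed C++ model added here (not SpiderMonkey code; the struct, its function names and the checked variant are assumptions): registering a buffer with the 26-character string length and removing it with the 4000-character capacity underflows the counter exactly where the assertion fires, while recording the size at registration makes the disagreement detectable.

```cpp
// Constructed model of the nursery's malloced-buffer byte accounting.
// Not SpiderMonkey code: the names only mirror those in the report.
#include <cstddef>
#include <unordered_map>

struct NurseryModel {
  size_t mallocedBufferBytes = 0;                      // toSpace.mallocedBufferBytes analogue
  std::unordered_map<const void*, size_t> registered;  // buffer -> bytes registered for it
  // registerMallocedBuffer analogue: the caller states the buffer's size.
  void registerBuffer(const void* buf, size_t nbytes) {
    mallocedBufferBytes += nbytes;
    registered[buf] = nbytes;
  }
  // removeMallocedBuffer analogue; returns false exactly where the engine's
  // assertion (mallocedBufferBytes >= nbytes) would fire.
  bool removeBuffer(const void* buf, size_t nbytes) {
    if (mallocedBufferBytes < nbytes) return false;
    mallocedBufferBytes -= nbytes;
    registered.erase(buf);
    return true;
  }
  // Defensive variant (an assumption, not the project's fix): charge the size
  // that was registered and flag a caller whose figure disagrees with it.
  bool removeBufferChecked(const void* buf, size_t callerBytes, bool* mismatch) {
    auto it = registered.find(buf);
    if (it == registered.end()) return false;  // never registered: caller bug
    *mismatch = (it->second != callerBytes);
    mallocedBufferBytes -= it->second;
    registered.erase(it);
    return true;
  }
};

static char gBuffer[4000];  // stands in for the 4000-char extensible string buffer

// Replays the report: registered with the string length (26) by newString,
// removed with the full capacity (4000) during flattening.
bool reproduceMismatch() {
  NurseryModel n;
  n.registerBuffer(gBuffer, 26);
  return n.removeBuffer(gBuffer, 4000);  // false: 26 >= 4000 does not hold
}
// The checked variant keeps the counter exact and still reports the 26-vs-4000 disagreement.
bool checkedRemovalFlagsMismatch() {
  NurseryModel n;
  bool mismatch = false;
  n.registerBuffer(gBuffer, 26);
  return n.removeBufferChecked(gBuffer, 4000, &mismatch) && mismatch && n.mallocedBufferBytes == 0;
}
```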

Is this a Firefox security problem, or a bug in a testing function?

Flags: needinfo?(jdemooij)

A bug in a testing function, and also not a security sensitive one I think.

Group: javascript-core-security
Flags: needinfo?(jdemooij)
Blocks: sm-testing
Severity: -- → S4
Priority: -- → P2