2012589 - Assertion failure: !inUnsafeRegion ([AutoAssertNoGC] possible GC in GC-unsafe region), at firefox/js/src/vm/JSContext.h:608

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P2)

Description

[Alessio Ghidini]

Attachment: repro.js

Steps to reproduce:

Build a debug JS shell, i used git commit 58f365ba0eb5761a182f1925e4654cc75212b8ac, and run the attached sample with ./js --fuzzing-safe x.js

Marking as security relevant due to possible(?) UAF

const g = newGlobal({newCompartment: true});
g.enableShellAllocationMetadataBuilder();
const dbg = new Debugger();
dbg.memory.trackingAllocationSites = true;
dbg.addDebuggee(g);

Actual results:

$ obj-fuzzbuild-release/dist/bin/js repro.js 
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 416557 edges
[123765] Assertion failure: !inUnsafeRegion ([AutoAssertNoGC] possible GC in GC-unsafe region), at /home/user/firefox/js/src/vm/JSContext.h:608
#01: ???[obj-fuzzbuild-release/dist/bin/js +0x1c30b55]
#02: ???[obj-fuzzbuild-release/dist/bin/js +0x1dc16ae]
#03: ???[obj-fuzzbuild-release/dist/bin/js +0x21df5c1]
#04: ???[obj-fuzzbuild-release/dist/bin/js +0x21e33f6]
#05: JS_NewStringCopyUTF8Z(JSContext*, JS::ConstUTF8CharsZ)[obj-fuzzbuild-release/dist/bin/js +0x25287d3]
#06: ???[obj-fuzzbuild-release/dist/bin/js +0x256eb1b]
#07: ???[obj-fuzzbuild-release/dist/bin/js +0x1e45642]
#08: JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...)[obj-fuzzbuild-release/dist/bin/js +0x250f666]
#09: ???[obj-fuzzbuild-release/dist/bin/js +0x260c37a]
#10: ???[obj-fuzzbuild-release/dist/bin/js +0x2614884]
#11: ???[obj-fuzzbuild-release/dist/bin/js +0x2613f39]
#12: ???[obj-fuzzbuild-release/dist/bin/js +0x2623bac]
#13: ???[obj-fuzzbuild-release/dist/bin/js +0x1bf2cef]
#14: ???[obj-fuzzbuild-release/dist/bin/js +0x1bf22b3]
#15: ???[obj-fuzzbuild-release/dist/bin/js +0x1c07cf2]
#16: ???[obj-fuzzbuild-release/dist/bin/js +0x1bf1813]
#17: ???[obj-fuzzbuild-release/dist/bin/js +0x1bf587a]
#18: ???[obj-fuzzbuild-release/dist/bin/js +0x1bf607d]
#19: ???[obj-fuzzbuild-release/dist/bin/js +0x1dcc0ca]
#20: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[obj-fuzzbuild-release/dist/bin/js +0x1dcc320]
#21: ???[obj-fuzzbuild-release/dist/bin/js +0x1b7e53e]
#22: ???[obj-fuzzbuild-release/dist/bin/js +0x1b7da7b]
#23: ???[obj-fuzzbuild-release/dist/bin/js +0x1b17e64]
#24: ???[obj-fuzzbuild-release/dist/bin/js +0x1b0f1d8]
#25: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x2a1ca]
#26: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x2a28b]
#27: ???[obj-fuzzbuild-release/dist/bin/js +0x1ad55b9]
#28: ??? (???:???)
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==123765==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x6278fba6cb6d bp 0x7ffe96d5a1a0 sp 0x7ffe96d5a130 T123765)
==123765==The signal is caused by a WRITE memory access.
==123765==Hint: address points to the zero page.
    #0 0x6278fba6cb6d in MOZ_CrashSequence(void*, long) /home/user/firefox/obj-fuzzbuild-release/dist/include/mozilla/Assertions.h:237:3
    #1 0x6278fba6cb6d in JSContext::verifyIsSafeToGC() /home/user/firefox/js/src/vm/JSContext.h:607:5
    #2 0x6278fba6cb6d in js::gc::PreAllocGCChecks(JSContext*) /home/user/firefox/js/src/gc/Allocator-inl.h:146:9
    #3 0x6278fba6cb6d in void* js::gc::CellAllocator::AllocNurseryOrTenuredCell<(JS::TraceKind)2, (js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::Heap, js::gc::AllocSite*) /home/user/firefox/js/src/gc/Allocator-inl.h:194:5
    #4 0x6278fbbfd6ad in JSLinearString* js::gc::CellAllocator::NewString<JSLinearString, (js::AllowGC)1, JS::MutableHandle<JSString::OwnedChars<unsigned char>>&>(JSContext*, js::gc::Heap, JS::MutableHandle<JSString::OwnedChars<unsigned char>>&) /home/user/firefox/js/src/gc/Allocator-inl.h:71:15
    #5 0x6278fbbfd6ad in JSLinearString* js::gc::CellAllocator::NewCell<JSLinearString, (js::AllowGC)1, js::gc::Heap&, JS::MutableHandle<JSString::OwnedChars<unsigned char>>&>(JSContext*, js::gc::Heap&, JS::MutableHandle<JSString::OwnedChars<unsigned char>>&) /home/user/firefox/js/src/gc/Allocator-inl.h:55:12
    #6 0x6278fbbfd6ad in JSLinearString* JSContext::newCell<JSLinearString, (js::AllowGC)1, js::gc::Heap&, JS::MutableHandle<JSString::OwnedChars<unsigned char>>&>(js::gc::Heap&, JS::MutableHandle<JSString::OwnedChars<unsigned char>>&) /home/user/firefox/js/src/vm/JSContext-inl.h:368:10
    #7 0x6278fbbfd6ad in JSLinearString* JSLinearString::newValidLength<(js::AllowGC)1, unsigned char>(JSContext*, JS::MutableHandle<JSString::OwnedChars<unsigned char>>, js::gc::Heap) /home/user/firefox/js/src/vm/StringType-inl.h:542:29
    #8 0x6278fc01b5c0 in JSLinearString* js::NewStringCopyNDontDeflateNonStaticValidLength<(js::AllowGC)1, unsigned char>(JSContext*, unsigned char const*, unsigned long, js::gc::Heap) /home/user/firefox/js/src/vm/StringType.cpp:2158:10
    #9 0x6278fc01f3f5 in JSLinearString* js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char>(JSContext*, unsigned char const*, unsigned long, js::gc::Heap) /home/user/firefox/js/src/vm/StringType.cpp:2184:10
    #10 0x6278fc01f3f5 in JSLinearString* js::NewStringCopyN<(js::AllowGC)1, unsigned char>(JSContext*, unsigned char const*, unsigned long, js::gc::Heap) /home/user/firefox/js/src/vm/StringType.cpp:2223:10
    #11 0x6278fc01f3f5 in js::NewStringCopyUTF8N(JSContext*, JS::UTF8Chars const&, JS::SmallestEncoding, js::gc::Heap) /home/user/firefox/js/src/vm/StringType.cpp:2296:12
    #12 0x6278fc3647d2 in js::NewStringCopyUTF8Z(JSContext*, JS::ConstUTF8CharsZ, js::gc::Heap) /home/user/firefox/js/src/vm/StringType.h:2055:10
    #13 0x6278fc3647d2 in JS_NewStringCopyUTF8Z(JSContext*, JS::ConstUTF8CharsZ) /home/user/firefox/js/src/jsapi.cpp:3260:10
    #14 0x6278fc3aab1a in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) /home/user/firefox/js/src/jsexn.cpp:319:40
    #15 0x6278fbc81641 in ReportError(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) /home/user/firefox/js/src/vm/ErrorReporting.cpp:175:10
    #16 0x6278fbc81641 in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) /home/user/firefox/js/src/vm/ErrorReporting.cpp:489:8
    #17 0x6278fc34b665 in JS_ReportErrorNumberASCIIVA(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, __va_list_tag*) /home/user/firefox/js/src/jsapi.cpp:3899:3
    #18 0x6278fc34b665 in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) /home/user/firefox/js/src/jsapi.cpp:3889:3
    #19 0x6278fc448379 in js::Debugger::addAllocationsTracking(JSContext*, JS::Handle<js::GlobalObject*>) /home/user/firefox/js/src/debugger/Debugger.cpp:3716:5
    #20 0x6278fc450883 in js::Debugger::addDebuggeeGlobal(JSContext*, JS::Handle<js::GlobalObject*>) /home/user/firefox/js/src/debugger/Debugger.cpp:5073:8
    #21 0x6278fc44ff38 in js::Debugger::CallData::addDebuggee() /home/user/firefox/js/src/debugger/Debugger.cpp:4728:13
    #22 0x6278fc45fbab in bool js::Debugger::CallData::ToNative<&js::Debugger::CallData::addDebuggee()>(JSContext*, unsigned int, JS::Value*) /home/user/firefox/js/src/debugger/Debugger.cpp:4318:10
    #23 0x6278fba2ecee in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/firefox/js/src/vm/Interpreter.cpp:490:13
    #24 0x6278fba2e2b2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/firefox/js/src/vm/Interpreter.cpp:586:12
    #25 0x6278fba43cf1 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/user/firefox/js/src/vm/Interpreter.cpp:658:10
    #26 0x6278fba43cf1 in js::Interpret(JSContext*, js::RunState&) /home/user/firefox/js/src/vm/Interpreter.cpp:3272:16
    #27 0x6278fba2d812 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/user/firefox/js/src/vm/Interpreter.cpp:384:10
    #28 0x6278fba2d812 in js::RunScript(JSContext*, js::RunState&) /home/user/firefox/js/src/vm/Interpreter.cpp:460:13
    #29 0x6278fba31879 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/user/firefox/js/src/vm/Interpreter.cpp:850:10
    #30 0x6278fba3207c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/user/firefox/js/src/vm/Interpreter.cpp:880:10
    #31 0x6278fbc080c9 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/user/firefox/js/src/vm/CompilationAndEvaluation.cpp:548:10
    #32 0x6278fbc0831f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/user/firefox/js/src/vm/CompilationAndEvaluation.cpp:572:10
    #33 0x6278fb9ba53d in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/user/firefox/js/src/shell/js.cpp:1360:10
    #34 0x6278fb9b9a7a in Process(JSContext*, char const*, bool, FileKind) /home/user/firefox/js/src/shell/js.cpp
    #35 0x6278fb953e63 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/user/firefox/js/src/shell/js.cpp:12174:10
    #36 0x6278fb953e63 in Shell(JSContext*, js::cli::OptionParser*) /home/user/firefox/js/src/shell/js.cpp:12427:12
    #37 0x6278fb94b1d7 in main /home/user/firefox/js/src/shell/js.cpp:12830:12
    #38 0x794930c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #39 0x794930c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #40 0x6278fb9115b8 in _start (/home/user/firefox/obj-fuzzbuild-release/dist/bin/js+0x1ad55b8) (BuildId: d06a034e90cbb3b5a0785e2f6addd88658ae38ef)

==123765==Register values:
rax = 0x0000000000000000  rbx = 0x000079493093c200  rcx = 0x0000000000000260  rdx = 0x0000794930e04563  
rdi = 0x0000794930e05700  rsi = 0x0000000000000000  rbp = 0x00007ffe96d5a1a0  rsp = 0x00007ffe96d5a130  
 r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000002  r11 = 0x0000000000000293  
r12 = 0x0000000000000018  r13 = 0x0000000000000000  r14 = 0x000000000000002c  r15 = 0x000000000000002c  
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/user/firefox/obj-fuzzbuild-release/dist/include/mozilla/Assertions.h:237:3 in MOZ_CrashSequence(void*, long)
==123765==ABORTING

Expected results:

Assertion should not be triggered

Comment 1

[Nicolas B. Pierron [:nbp]]

This is possibly a shell-only issue, related to the debugger, given how the test case is written.

Comment 2

[Bryan Thrall [:bthrall]]

Yes, this appears to be only possible in the shell.

Debugger::addAllocationMetadataBuilder() is trying to throw an error because there is already an AllocationMetadataBuilder, but we are inside the scope of AutoAssertNoGC. js::ErrorToException() allocates a string which could GC, which leads to the failed assertion.

addAllocationMetadataBuilder() wouldn't try to throw this exception if enableShellAllocationMetadataBuilder() didn't already set an AllocationMetadataBuilder. There doesn't seem to be a way to follow this code path without the shell testing function enableShellAllocationMetadataBuilder().

Comment 3

[Jon Coppeard (:jonco)]

Attachment: Bug 2012589 - Check whether we can track allocations in the debugger outside the AutoAssertNoGC region r?#spidermonkey-reviewers

The problem is that we can potentially allocate and exception to throw inside
an AutoAssertNoGC region. The patch rearranges the code so the check that
throws is outside this region.

Comment 4

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/26bd8d4af719
https://hg.mozilla.org/integration/autoland/rev/e02133111d37
Check whether we can track allocations in the debugger outside the AutoAssertNoGC region r=spidermonkey-reviewers,jandem

Comment 6

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/e02133111d37