Closed Bug 754150 Opened 13 years ago Closed 13 years ago

Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at js/src/jsgc.cpp:4399

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla15
Tracking Status
firefox13 --- unaffected
firefox14 + affected
firefox15 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: assertion, sec-critical, testcase, Whiteboard: [sg:critical][advisory-tracking+])

Attachments

(1 file)

The following test asserts on mozilla-central revision 4c6d01c92dcc (options -m -n):

function printStatus (msg) {}
function toPrinted(value) {
  value = value.replace(/\\n/g, 'NL')
}
function reportCompare (expected, actual, description) {
  printStatus ("Expected value '" + toPrinted(expected) + "' matched actual value '" + toPrinted(actual) + "'");
}
var UBound = 0;
var statusitems = [];
var actual = '';
var actualvalues = [];
var expect= '';
var expectedvalues = [];
testThis('x()');
testThis('"abc"()');
testThis('x()');
testThis('Date(12345)()');
testThis('x()');
testThis('1()');
testThis('x()');
testThis('void(0)()');
testThis('x()');
testThis('[1,2,3,4,5](1)');
gczeal(4);
testThis('x(1)');
checkThis('(function (y) {return y+1;})("abc")');
checkThis('f("abc")');
function testThis(sInvalidSyntax) {
  expectedvalues[UBound] = expect;
  actualvalues[UBound] = actual;
  UBound++;
}
function checkThis(sValidSyntax) {
  for (var i=0; i<UBound; i++)
    reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);
}
var actualvalues = [];
for (var i=0; i<UBound; i++)
  reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);

Might be another verifier (debug-only) bug, but I'm marking s-s until this is confirmed.
Assignee: general → wmccloskey
Attached patch: patch
We need a write barrier on the objects held by a JITChunk, since the JITChunk can be destroyed during an incremental slice.
Attachment #623280 - Flags: review?(bhackett1024)
Attachment #623280 - Flags: review?(bhackett1024) → review+
Can we land this now? The fuzzer is being spammed with these asserts and I don't even know for which of them this bug accounts. Also, given the description in comment 1, I assume this can lead to use-after-free of JITChunk? Or is this a safe assert?
Whiteboard: [fuzzblocker]
https://hg.mozilla.org/integration/mozilla-inbound/rev/f36749114f76 Yes, during an incremental GC this can lead to use-after-free.
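To make the two comments above concrete (the missing write barrier on objects held by a JITChunk, and the use-after-free it allows during an incremental GC), here is an added, self-contained toy incremental mark-sweep collector. It is not SpiderMonkey code and not the patch from this bug; `Chunk` is a hypothetical stand-in for JITChunk, and `Cell`, `Heap`, the two-slice marking and `simulate()` are all constructed for this illustration. The GC starts in one slice, the mutator copies the chunk's only reference to an object into an already-scanned root and then destroys the chunk, and the GC finishes in a second slice. Without the barrier the object is swept while the root still points at it; with the barrier the destroyed chunk marks what it held before the reference is lost.

```c
/* Constructed example: toy incremental GC in which a non-GC holder of object
 * pointers (Chunk, standing in for JITChunk) is destroyed between two slices. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NCELLS 8
#define STACK_MAX 64

typedef struct Cell {
    bool allocated;      /* cleared by sweep; using a freed cell is the UAF */
    bool marked;
    struct Cell *child;  /* single outgoing edge, enough for the demo */
} Cell;

/* Hypothetical stand-in for JITChunk: not a GC cell itself, but holds a
 * strong reference to one and is traced when marking reaches it. */
typedef struct Chunk { Cell *held; bool live; } Chunk;

typedef struct Heap {
    Cell cells[NCELLS];
    Cell *root;                  /* permanent root, traced in the first slice */
    Chunk chunk;                 /* traced only in the later slice */
    Cell *mark_stack[STACK_MAX];
    size_t sp;
    bool marking;                /* true while an incremental GC is in progress */
    bool use_barrier;            /* the fix: barrier when the chunk is destroyed */
} Heap;

static void push(Heap *h, Cell *c) {
    if (c && !c->marked && h->sp < STACK_MAX) {
        c->marked = true;
        h->mark_stack[h->sp++] = c;
    }
}

/* Trace the children of every cell on the mark stack. */
static void drain(Heap *h) {
    while (h->sp > 0) push(h, h->mark_stack[--h->sp]->child);
}

static Cell *alloc(Heap *h) {
    for (size_t i = 0; i < NCELLS; i++) {
        if (h->cells[i].allocated) continue;
        h->cells[i] = (Cell){ .allocated = true };
        return &h->cells[i];
    }
    return NULL;
}

/* Slice 1: start the GC and mark everything reachable from the permanent root. */
static void gc_slice_roots(Heap *h) {
    for (size_t i = 0; i < NCELLS; i++) h->cells[i].marked = false;
    h->marking = true;
    push(h, h->root);
    drain(h);
}

/* Slice 2: trace the chunk if it still exists, finish marking, then sweep. */
static void gc_slice_finish(Heap *h) {
    if (h->chunk.live) push(h, h->chunk.held);
    drain(h);
    for (size_t i = 0; i < NCELLS; i++)
        if (h->cells[i].allocated && !h->cells[i].marked)
            h->cells[i].allocated = false;   /* freed */
    h->marking = false;
}

/* The write barrier: before the chunk's reference disappears mid-GC, mark what
 * it pointed to, so the object graph snapshotted at GC start stays complete. */
static void chunk_destroy(Heap *h) {
    if (h->use_barrier && h->marking) push(h, h->chunk.held);
    h->chunk.held = NULL;
    h->chunk.live = false;
}

/* Returns true if root->child still points at a live cell after the GC. */
bool simulate(bool use_barrier) {
    Heap h;
    memset(&h, 0, sizeof h);
    h.use_barrier = use_barrier;
    h.root = alloc(&h);
    Cell *obj = alloc(&h);
    h.chunk = (Chunk){ .held = obj, .live = true };  /* obj reachable only via chunk */
    gc_slice_roots(&h);                 /* root is marked and scanned; obj is not */
    /* Mutator runs between slices: it copies the chunk's reference into the
     * already-scanned root, then tears the chunk down. */
    h.root->child = obj;
    chunk_destroy(&h);
    gc_slice_finish(&h);
    return h.root->child->allocated;
}

int main(void) {
    printf("without barrier: %s\n", simulate(false) ? "alive" : "freed (use-after-free)");
    printf("with barrier:    %s\n", simulate(true) ? "alive" : "freed (use-after-free)");
    return 0;
}
```

The unbarriered run is exactly the situation the verifier's IsMarkedOrAllocated check is meant to catch: a pointer to a cell that is neither marked nor still allocated. The barrier here fires on destruction of the holder rather than on a field store, which is the shape of fix the comment above describes for JITChunk.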
Target Milestone: --- → mozilla15
Keywords: sec-critical
Whiteboard: [fuzzblocker] → [sg:critical]
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
We should get this fix landed on Aurora unless we plan to disable incremental GC on that branch.
Incremental GC is disabled on Aurora (at least, prefed off).
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical] → [sg:critical][advisory-tracking+]
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug754150.js.
Flags: in-testsuite+