Assertion failure: (ptrBits & 0x7) == 0, at jsval.h:760 or Crash [@ compartment]

VERIFIED FIXED in Firefox 14

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, 5 keywords)

Version: Trunk
Target Milestone: mozilla16
Platform: x86_64 Linux
Keywords: assertion, crash, regression, sec-critical, testcase
Points: ---
Bug Flags: in-testsuite -

Firefox Tracking Flags

(firefox13 wontfix, firefox14+ fixed, firefox15+ fixed, firefox16 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][advisory-tracking+], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following test asserts/crashes on mozilla-central revision c758cc9b60e5 (options -m -n):


try {
function fun() {
    (new fun (("10"))) ('function pf' + (((true) )[ fun ]) + '() {}');
}
fun();
} catch(exc1) {}
function eval() { eval(  ) ; }
function DoWhile_3()
  eval();
try {
  DoWhile_3(  ) ;
} catch(e) { }
function f()
  test();
function test() {
  try {
    for (var i in f());
  } catch ( foopy  ) {  }  
  gc();
}
test();


Backtrace in Opt build:

==7571== Invalid read of size 8
==7571==    at 0x5781C1: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:969)
==7571==    by 0x5799BD: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:329)
==7571==    by 0x579BBE: js::gc::MarkValueRootRange(JSTracer*, unsigned long, JS::Value*, char const*) (Marking.cpp:369)
==7571==    by 0x5384B1: js::StackSpace::mark(JSTracer*) (Stack.cpp:527)
==7571==    by 0x4567DD: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.246 (jsgc.cpp:2325)
==7571==    by 0x456D37: BeginMarkPhase(JSRuntime*) (jsgc.cpp:2975)
==7571==    by 0x45A210: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind) (jsgc.cpp:3271)
==7571==    by 0x45B38F: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3719)
==7571==    by 0x56C80C: GC(JSContext*, unsigned int, JS::Value*) (TestingFunctions.cpp:52)
==7571==    by 0x47E337: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:426)
==7571==    by 0x47A234: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2744)
==7571==    by 0x5F9DDD: UncachedInlineCall(js::VMFrame&, js::InitialFrameFlags, void**, bool*, unsigned int) (InvokeHelpers.cpp:376)
==7571==  Address 0xe3000 is not stack'd, malloc'd or (recently) free'd


Assuming s-s and sec-critical due to GC-related crash. Furthermore, this crash affects mozilla-aurora and mozilla-beta as well.
(Assignee)

Updated

5 years ago
Assignee: general → wmccloskey
(Reporter)

Comment 1

5 years ago
Just testing some new JSBugMon functionality here.
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [jsbugmon:verify-branch:mozilla-aurora,mozilla-beta,mozilla-release]
(Reporter)

Comment 2

5 years ago
Should probably learn my own syntax...
Whiteboard: [sg:critical] js-triage-needed [jsbugmon:verify-branch:mozilla-aurora,mozilla-beta,mozilla-release] → [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release]
(Reporter)

Comment 3

5 years ago
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-aurora  (reproduced on revision 56d137349efc).
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-beta  (reproduced on revision 0540130b5f2f).
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-release (tried revision 5bcfa0da3be9).
(Reporter)

Updated

5 years ago
Crash Signature: [@ js::gc::MarkInternal<JSString>] [@ compartment] → [@ js::gc::MarkInternal<JSString>] [@ compartment]
Whiteboard: [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release] → [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore]

Updated

5 years ago
Crash Signature: [@ js::gc::MarkInternal<JSString>] [@ compartment] → [@ js::gc::MarkInternal<JSString>] [@ compartment]
tracking-firefox13: ? → +
tracking-firefox14: ? → +
tracking-firefox15: ? → +
Whiteboard: [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore] → [sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][js:p1:fx15]]
Moving this back a cycle--IGC takes priority.
Whiteboard: [sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][js:p1:fx15]] → [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore]
(Assignee)

Comment 5

5 years ago
Created attachment 632965 [details] [diff] [review]
patch

In this test, we have a dead value on the VM stack. It contains garbage--in this case, the tag makes it look like a NullValue, but the low bits are nonzero so that isNull() is false. We do one GC and avoid marking the value because it's dead. However, we don't overwrite it with anything because it's not an object or a string. Later, we do a second GC and try to mark it. isGCThing() returns true because something with a NULL tag counts as a GC thing. But then when we convert it to a Cell and try to mark it, we crash.

The fix is to normalize the low bits of the value while still leaving the tag unaffected.
Attachment #632965 - Flags: review?(bhackett1024)
Attachment #632965 - Flags: review?(bhackett1024) → review+
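To make the mechanism in comment 5 concrete, here is an added C model (not SpiderMonkey's code) of the x86_64 NaN-boxed Value layout: a NULL-tagged word whose low bits are garbage passes isGCThing() but not isNull(), so the marker would pull the payload out as a Cell pointer; clearing the payload while keeping the tag turns it into a genuine null that is never marked. The tag constants and the normalize_dead() helper are assumptions modelled on the description, not the patch itself.

```c
/* Toy model of a NaN-boxed JS::Value on x86_64 (17-bit tag over a 47-bit
 * payload). Added example, not SpiderMonkey code; tag values are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_SHIFT      47
#define PAYLOAD_MASK   ((1ULL << TAG_SHIFT) - 1)
#define TAG_MAX_DOUBLE 0x1FFF0ULL
#define TAG_STRING     (TAG_MAX_DOUBLE | 0x05)  /* lowest GC-thing tag */
#define TAG_NULL       (TAG_MAX_DOUBLE | 0x06)
#define TAG_OBJECT     (TAG_MAX_DOUBLE | 0x07)
typedef struct { uint64_t bits; } Value;

static Value make_value(uint64_t tag, uint64_t payload) {
    Value v = { (tag << TAG_SHIFT) | (payload & PAYLOAD_MASK) };
    return v;
}
static uint64_t tag_of(Value v) { return v.bits >> TAG_SHIFT; }
/* isGCThing(): any tag from STRING upward, so a NULL tag qualifies. */
static bool is_gc_thing(Value v) { return v.bits >= (TAG_STRING << TAG_SHIFT); }
/* isNull(): an exact compare, so garbage low bits under a NULL tag fail it. */
static bool is_null(Value v) { return v.bits == (TAG_NULL << TAG_SHIFT); }
static bool is_markable(Value v) { return is_gc_thing(v) && !is_null(v); }

/* The pointer the marker would extract and dereference; refuses a misaligned
 * one instead of asserting, mirroring the (ptrBits & 0x7) == 0 check. */
static bool gcthing_ptr(Value v, uint64_t *out) {
    uint64_t p = v.bits & PAYLOAD_MASK;
    if (p & 0x7) return false;
    *out = p;
    return true;
}

/* The remedy comment 5 describes, modelled: a dead slot that is neither object
 * nor string keeps its tag but has its payload cleared, so a NULL-tagged
 * garbage word becomes a genuine null that the next GC will not try to mark. */
static Value normalize_dead(Value v) {
    uint64_t t = tag_of(v);
    if (t == TAG_OBJECT || t == TAG_STRING) return v;  /* caller replaces these */
    return make_value(t, 0);
}

int main(void) {
    Value g = make_value(TAG_NULL, 0xe3005), n = normalize_dead(g);  /* constructed */
    uint64_t p;
    printf("garbage: gcthing=%d null=%d markable=%d aligned=%d\n",
           is_gc_thing(g), is_null(g), is_markable(g), gcthing_ptr(g, &p));
    printf("normalized: null=%d markable=%d\n", is_null(n), is_markable(n));
    return 0;
}
```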
(Assignee)

Comment 6

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/84af366e007f
Target Milestone: --- → mozilla16

Comment 7

5 years ago
https://hg.mozilla.org/mozilla-central/rev/84af366e007f
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
Am I interpreting comment 3 correctly that this is a regression in Firefox 13, and therefore doesn't affect the ESR branch? Although if we don't know the cause of the regression we might still need it if it was due to a security fix taken on that branch.

qawanted: please find when this bug crept in.
status-firefox13: affected → wontfix
tracking-firefox13: + → ---
Keywords: qawanted, regression, regressionwindow-wanted
(Assignee)

Comment 9

5 years ago
Comment on attachment 632965 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 723313
User impact if declined: Low likelihood of GC crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low. Semantics should be unchanged except when the bug happens.
String or UUID changes made by this patch: None

Regarding ESR, there's no need to take this. It regressed in FF13.
Attachment #632965 - Flags: approval-mozilla-beta?
Attachment #632965 - Flags: approval-mozilla-aurora?
(removing keywords because bug 723313 has been identified as the regressor)
Keywords: qawanted, regressionwindow-wanted
Comment on attachment 632965 [details] [diff] [review]
patch

low risk, sec critical - approving.
Attachment #632965 - Flags: approval-mozilla-beta?
Attachment #632965 - Flags: approval-mozilla-beta+
Attachment #632965 - Flags: approval-mozilla-aurora?
Attachment #632965 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 12

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/1f4ac5f52188
https://hg.mozilla.org/releases/mozilla-beta/rev/6a43080525ab
status-firefox14: affected → fixed
status-firefox15: affected → fixed
(Reporter)

Comment 13

5 years ago
JSBugMon: This bug has been automatically verified fixed.
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::gc::MarkInternal<JSString>] [@ compartment] → [@ js::gc::MarkInternal<JSString>] [@ compartment]

Updated

5 years ago
Crash Signature: [@ js::gc::MarkInternal<JSString>] [@ compartment] → [@ js::gc::MarkInternal<JSString>] [@ compartment]
status-firefox-esr10: --- → unaffected
Whiteboard: [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore] → [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][advisory-tracking+]
Group: core-security
(Reporter)

Comment 14

4 years ago
Test is too slow to be added and I did not succeed in rewriting, marking in-testsuite-.
Flags: in-testsuite-