Closed
Bug 942530
Opened 11 years ago
Closed 11 years ago
Assertion failure: obj->compartment() == obj2->compartment(), at c:\work\mozilla\builds\nightly\mozilla\js\src\gc/Marking.cpp:1448
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla29
Tracking | Status | |
---|---|---|
firefox26 | --- | unaffected |
firefox27 | --- | unaffected |
firefox28 | + | verified |
firefox29 | + | verified |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | unaffected |
People
(Reporter: cbook, Assigned: jandem)
References
()
Details
(Keywords: assertion, regression, sec-critical)
Attachments
(2 files, 1 obsolete file)
91.82 KB,
text/plain
|
Details | |
2.70 KB,
patch
|
bhackett1024
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
same issue as bug 942529 but someone different assertion on a Windows 7 Debug Build, loading a local copy of https://codenvy.com/ide/edunogodz caused Assertion failure: obj->compartment() == obj2->compartment(), at c:\work\mozilla\builds\nightly\mozilla\js\src\gc/Marking.cpp:1448 will try to generate a testcase
Reporter | ||
Comment 1•11 years ago
|
||
Updated•11 years ago
|
Flags: needinfo?(cbook)
Comment 3•11 years ago
|
||
Sounds like a compartment mismatch.
Reporter | ||
Comment 5•11 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #4) > Tomcat, can you still reproduce this? well, i can still reproduce the crash loading the site https://codenvy.com/ide/edunogodz in a super new tip debug build on win7 :) but the issue is, that the assertion has now changed its now Assertion failure: GetGCThingTraceKind(rope) == JSTRACE_STRING, at c:\Users\mozilla\debug-builds\mozilla-central\js\src\gc/Marking.cpp:961
Flags: needinfo?(cbook)
Reporter | ||
Comment 6•11 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #5) > (In reply to Jan de Mooij [:jandem] from comment #4) > > Tomcat, can you still reproduce this? > > well, i can still reproduce the crash loading the site > https://codenvy.com/ide/edunogodz in a super new tip debug build on win7 :) > but the issue is, that the assertion has now changed its now > > Assertion failure: GetGCThingTraceKind(rope) == JSTRACE_STRING, at > c:\Users\mozilla\debug-builds\mozilla-central\js\src\gc/Marking.cpp:961 erm ok was reading my own bug wrong :) Loading the Site from the web result in the assertion from comment 4 -> bug 942529 but loading the same site after grabbing via wget -> the assertion from comment #0
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #6) > erm ok was reading my own bug wrong :) Loading the Site from the web result > in the assertion from comment 4 -> bug 942529 but loading the same site > after grabbing via wget -> the assertion from comment #0 OK, it's likely the same underlying problem though. It would be great to have a testcase; both asserts are scary.
Updated•11 years ago
|
Keywords: testcase-wanted
Reporter | ||
Comment 9•11 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #7) > OK, it's likely the same underlying problem though. It would be great to > have a testcase; both asserts are scary. Hm i tried about a week to reduce the testcase with lithium and in the end the reduced testcase didn't crashed anymore (and still don't crash when i load the page now again), so seems this GC crashes are really hard to catch.
Assignee | ||
Comment 10•11 years ago
|
||
I can reproduce this with a Windows debug build I downloaded from tbpl. Unfortunately it doesn't crash on OS X. My Windows debugging skills aren't very good, but I will see if I can get some info before they modify their website.
Assignee | ||
Comment 11•11 years ago
|
||
Looks like we have some bogus string/object values in the GC heap. There may be a rogue SETELEM somewhere: I can't reproduce this if I disable Ion's dense SETELEM path, but that could just be hiding the problem. As a first step, I want to add a new debugging mode for Ion code where we check that every string/object/Value that flows between MIR instructions is "sane": valid arena, valid zone/compartment, matches known type info etc. It may or may not help here, but it shouldn't be that much work and could also be really useful for fuzzing.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Assignee | ||
Comment 12•11 years ago
|
||
Assignee | ||
Comment 13•11 years ago
|
||
With the extra type checks I just landed for bug 949475, I was able to track this down. We had an MLoadSlot (JSOP_GETGNAME) that was loading a function instead of an array, and the TypeObject check failed. The problem is this enum in jsinfer.h: enum { ... TYPE_FLAG_DEFINITE_MASK = 0xfffe0000, TYPE_FLAG_DEFINITE_SHIFT = 17 MSVC uses signed enums and miscompiles this, and we end up with totally bogus definite slots if the global has more than 32767 (!) slots. This patch uses MOZ_ENUM_TYPE, but that alone didn't fix it, even though it should be defined for MSVC 2010. I also had to add a cast to canSetDefinite. Regression from bug 930048 / bug 932769 (Firefox 28).
Attachment #8347654 -
Attachment is obsolete: true
Attachment #8347656 -
Flags: review?(bhackett1024)
Assignee | ||
Updated•11 years ago
|
status-firefox26:
--- → unaffected
status-firefox27:
--- → unaffected
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox-esr24:
--- → unaffected
tracking-firefox28:
--- → ?
tracking-firefox29:
--- → ?
Hardware: x86 → All
Updated•11 years ago
|
Attachment #8347656 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 14•11 years ago
|
||
Comment on attachment 8347656 [details] [diff] [review] Patch [Security approval request comment] > How easily could an exploit be constructed based on the patch? Not easily but it's possible. > Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, there's a comment but it doesn't add that much info compared to the rest of the patch. > Which older supported branches are affected by this flaw? 28+ > If not all supported branches, which bug introduced the flaw? Bug 930048. > Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should apply to aurora. > How likely is this patch to cause regressions; how much testing does it need? Very unlikely.
Attachment #8347656 -
Flags: sec-approval?
Comment 15•11 years ago
|
||
Comment on attachment 8347656 [details] [diff] [review] Patch Sec-approval+ for trunk and I approved it for Aurora after that.
Attachment #8347656 -
Flags: sec-approval?
Attachment #8347656 -
Flags: sec-approval+
Attachment #8347656 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 16•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e65d37d2e3e4
Reporter | ||
Comment 17•11 years ago
|
||
landed on central - super great thanks jan! -> https://hg.mozilla.org/mozilla-central/rev/e65d37d2e3e4 setting in testsuite just in case we are to have a handy test
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 18•11 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #17) > landed on central - super great thanks jan! Thank you for reporting this; I'm glad we fixed this one before it hit a release :)
Updated•10 years ago
|
Updated•10 years ago
|
Blocks: 930048
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
Keywords: regression
Comment 20•10 years ago
|
||
Confirmed assert in Fx28 2013-12-13. Verified fixed in Fx28 and Fx29, 2013-12-20.
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•