Closed Bug 1787351 Opened 3 years ago Closed 3 years ago

Crash[@ js::CompartmentsInZoneIter::CompartmentsInZoneIter] or Assertion failure: !done(), at gc/PublicIterators.h:54

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

RESOLVED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

No testcase is needed.

Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
js::ZonesIter::get (this=0x7fffffffd3a0) at /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:54
54	    MOZ_ASSERT(!done());
(gdb) bt
#0  js::ZonesIter::get (this=0x7fffffffd3a0) at /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:54
#1  js::ZonesIter::ZonesIter (this=0x7fffffffd3a0, gc=0x7ffff6c18768, selector=js::SkipAtoms) at /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:39
#2  0x00005555575dedbd in js::NonAtomZonesIter::NonAtomZonesIter (this=0x7fffffffd3a0, gc=0x7ffff6c18768)
    at /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:65
#3  js::NestedIterator<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::NestedIterator<js::gc::GCRuntime*&> (
    this=0x7fffffffd3a0, args=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/gc/IteratorUtils.h:31
#4  js::CompartmentsOrRealmsIterT<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::CompartmentsOrRealmsIterT (
    this=0x7fffffffd3a0, gc=0x7ffff6c18768) at /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:146
#5  js::CompartmentsOrRealmsIterT<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::CompartmentsOrRealmsIterT (
    this=0x7fffffffd3a0, rt=0x7ffff6c18000) at /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:148
#6  js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff6c18768, trc=trc@entry=0x7fffffffd4b0, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime)
    at /home/skygentoo/trees/mozilla-central/js/src/gc/RootMarking.cpp:330
#7  0x00005555575df555 in js::gc::GCRuntime::traceRuntime (this=0x7ffff6c18768, trc=0x7fffffffd4b0, session=...)
    at /home/skygentoo/trees/mozilla-central/js/src/gc/RootMarking.cpp:285
#8  0x00005555576266ed in HeapCheckTracerBase::traceHeap (this=this@entry=0x7fffffffd4a8, session=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/Verifier.cpp:860
#9  0x0000555557626f38 in CheckHeapTracer::check (this=0x7fffffffd4a8, session=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/Verifier.cpp:937
#10 js::gc::CheckHeapAfterGC (rt=0x7ffff6c18000) at /home/skygentoo/trees/mozilla-central/js/src/gc/Verifier.cpp:958
#11 0x00005555575642d3 in js::gc::GCRuntime::minorGC (this=0x7ffff6c18768, reason=reason@entry=JS::GCReason::EVICT_NURSERY, 
    phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4225
#12 0x0000555557583727 in js::gc::GCRuntime::evictNursery (this=0x7ffff7c6ca40 <_IO_stdfile_2_lock>, reason=JS::GCReason::EVICT_NURSERY)
    at /home/skygentoo/trees/mozilla-central/js/src/gc/GCRuntime.h:385
#13 js::gc::ZoneAllCellIter<js::gc::TenuredCell>::ZoneAllCellIter (this=0x7fffffffd630, zone=0x7ffff6c3f000, kind=<optimized out>)
    at /home/skygentoo/trees/mozilla-central/js/src/gc/GC-inl.h:164
#14 0x000055555754dd7c in JS::Zone::cellIterUnsafe<js::gc::TenuredCell, js::gc::AllocKind&> (this=0x1, args=<optimized out>)
    at /home/skygentoo/trees/mozilla-central/js/src/gc/Zone.h:352
#15 js::gc::GCRuntime::freezeSharedAtomsZone (this=0x7ffff6c18768) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:952
#16 0x0000555556eb2e35 in JSRuntime::initializeAtoms (this=this@entry=0x7ffff6c18000, cx=cx@entry=0x7ffff6c2fc00)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/JSAtom.cpp:311
#17 0x0000555556eb21d2 in JS::InitSelfHostedCode (cx=0x7ffff6c2fc00, cache=..., writer=writer@entry=0x0)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Initialization.cpp:225
#18 0x0000555556bb204b in main (argc=<optimized out>, argv=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12368
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/73928903648a
user:        Jon Coppeard
date:        Wed Aug 24 09:43:06 2022 +0000
summary:     Bug 1786506 - Part 2: Give shared permanent things their own zone r=sfink

Run with --fuzzing-safe --no-threads --no-baseline --no-ion --gc-zeal=15, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-bootstrap --disable-tests, tested on m-c rev a8b2c7cf7d82.

Unsure if a bounty is applicable, but keeping the flags anyway. Jon, is bug 1786506 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)

ASan stack:

$ ./js-64-asan-linux-x86_64-a8b2c7cf7d82 --fuzzing-safe --no-threads --no-baseline --no-ion --gc-zeal=15
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6560==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55acb16d9715 bp 0x7ffd1e9bf550 sp 0x7ffd1e9bf320 T0)
==6560==The signal is caused by a READ memory access.
==6560==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x55acb16d9715 in mozilla::Vector<JS::Compartment*, 1ul, js::SystemAllocPolicy>::begin() /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a8b2c7cf7d82/objdir-js/dist/include/mozilla/Vector.h:563:12
    #1 0x55acb16d9715 in js::CompartmentsInZoneIter::CompartmentsInZoneIter(JS::Zone*) /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:79:31
    #2 0x55acb16d9715 in js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter>::NestedIterator<JS::Zone*>(JS::Zone*&&) /home/skygentoo/trees/mozilla-central/js/src/gc/IteratorUtils.h:31:45
    #3 0x55acb16d9715 in void mozilla::Maybe<js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::emplace<JS::Zone*>(JS::Zone*&&) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a8b2c7cf7d82/objdir-js/dist/include/mozilla/Maybe.h:845:39
    #4 0x55acb16d9715 in js::NestedIterator<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::settle() /home/skygentoo/trees/mozilla-central/js/src/gc/IteratorUtils.h:62:9
    #5 0x55acb16d9715 in js::NestedIterator<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::NestedIterator<js::gc::GCRuntime*&>(js::gc::GCRuntime*&) /home/skygentoo/trees/mozilla-central/js/src/gc/IteratorUtils.h:32:5
    #6 0x55acb16d9715 in js::CompartmentsOrRealmsIterT<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::CompartmentsOrRealmsIterT(js::gc::GCRuntime*) /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:146:9
    #7 0x55acb16d9715 in js::CompartmentsOrRealmsIterT<js::NonAtomZonesIter, js::NestedIterator<js::CompartmentsInZoneIter, js::RealmsInCompartmentIter> >::CompartmentsOrRealmsIterT(JSRuntime*) /home/skygentoo/trees/mozilla-central/js/src/gc/PublicIterators.h:148:9
    #8 0x55acb16d9715 in js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime) /home/skygentoo/trees/mozilla-central/js/src/gc/RootMarking.cpp:330:19
    #9 0x55acb16daa61 in js::gc::GCRuntime::traceRuntime(JSTracer*, js::gc::AutoTraceSession&) /home/skygentoo/trees/mozilla-central/js/src/gc/RootMarking.cpp:285:3
    #10 0x55acb1744a92 in HeapCheckTracerBase::traceHeap(js::gc::AutoTraceSession&) /home/skygentoo/trees/mozilla-central/js/src/gc/Verifier.cpp:865:12
    #11 0x55acb1744a92 in CheckHeapTracer::check(js::gc::AutoTraceSession&) /home/skygentoo/trees/mozilla-central/js/src/gc/Verifier.cpp:942:8
    #12 0x55acb174510e in js::gc::CheckHeapAfterGC(JSRuntime*) /home/skygentoo/trees/mozilla-central/js/src/gc/Verifier.cpp:963:10
    #13 0x55acb163fb4b in js::gc::GCRuntime::minorGC(JS::GCReason, js::gcstats::PhaseKind) /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4225:5
    #14 0x55acb161b588 in js::gc::GCRuntime::evictNursery(JS::GCReason) /home/skygentoo/trees/mozilla-central/js/src/gc/GCRuntime.h:385:5
    #15 0x55acb161b588 in js::gc::ZoneAllCellIter<js::gc::TenuredCell>::ZoneAllCellIter(JS::Zone*, js::gc::AllocKind) /home/skygentoo/trees/mozilla-central/js/src/gc/GC-inl.h:164:41
    #16 0x55acb161b588 in js::gc::ZoneAllCellIter<js::gc::TenuredCell> JS::Zone::cellIterUnsafe<js::gc::TenuredCell, js::gc::AllocKind&>(js::gc::AllocKind&) /home/skygentoo/trees/mozilla-central/js/src/gc/Zone.h:352:12
    #17 0x55acb161b588 in js::gc::GCRuntime::freezeSharedAtomsZone() /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:952:41
    #18 0x55acb07f4ebc in JSRuntime::initializeAtoms(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/JSAtom.cpp:311:11
    #19 0x55acb07f304e in JS::InitSelfHostedCode(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>, bool (*)(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>)) /home/skygentoo/trees/mozilla-central/js/src/vm/Initialization.cpp:225:12
    #20 0x55acb025f61f in main /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12368:8
    #21 0x7f7d5f4c22c9  (/lib64/libc.so.6+0x292c9)
    #22 0x7f7d5f4c2384 in __libc_start_main (/lib64/libc.so.6+0x29384)
    #23 0x55acb0188200 in _start (/home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a8b2c7cf7d82/js-64-asan-linux-x86_64-a8b2c7cf7d82+0x18f4200) (BuildId: ae49ef6d4ea4e4768b9375c0a666f1225180a2ee)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a8b2c7cf7d82/objdir-js/dist/include/mozilla/Vector.h:563:12 in mozilla::Vector<JS::Compartment*, 1ul, js::SystemAllocPolicy>::begin()
==6560==ABORTING
Crash Signature: [@ js::CompartmentsInZoneIter::CompartmentsInZoneIter]
Summary: Assertion failure: !done(), at gc/PublicIterators.h:54 → Crash[@ js::CompartmentsInZoneIter::CompartmentsInZoneIter] or Assertion failure: !done(), at gc/PublicIterators.h:54

Set release status flags based on info from the regressing bug 1786506

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)

Not security sensitive. This requires GC zeal which is not present in release builds.

Iterating cells in the atoms zone will try to evict the nursery (it's empty in this case) and if the appropriate zeal mode is set we will then try to check the heap. This causes an assertion failure because the zones list is unexpectedly empty.

Doing things in a different order prevents this issue from arising.

Group: core-security

This is a fuzzblocker; can we land this ASAP?

Flags: needinfo?(sphink)
Flags: sec-bounty?
Blocks: GC
Severity: -- → S3
Priority: -- → P1
Whiteboard: [fuzzblocker]
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3ee14a586d1a Don't remove the atoms zone from the zones list until after we've marked everything black r=sfink
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Flags: needinfo?(sphink)