Bug 832203
Opened 12 years ago
Closed 12 years ago
Assertion failure: shared->activeUseCount == 0, at vm/RegExpObject.cpp:656
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Branch | Tracking | Status
---|---|---
firefox19 | --- | unaffected
firefox20 | --- | unaffected
firefox21 | + | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter decoder; Unassigned
Details: 6 keywords; Whiteboard: [jsbugmon:update,bisect]
The following testcase asserts on mozilla-central revision b52c02f77cf5 (no options required):
gczeal(2,1);
eval("(function() { " + "\
var g1 = newGlobal('same-compartment');\
function test(str, f) {\
var x = f(eval(str));\
assertEq(x, f(g1.eval(str)));\
}\
test('new RegExp(\"1\")', function(r) assertEq('a1'.search(r), 1));\
" + " })();");
eval("(function() { " + "" + " })();");
Comment 1 (Reporter) • 12 years ago
Possibly related to bug 832197.
The test in this bug causes a use-after-free on opt builds:
==51784== Invalid read of size 4
==51784== at 0x8284F53: js::gc::MarkStringUnbarriered(JSTracer*, JSAtom**, char const*) (Marking.cpp:170)
==51784== by 0x827CCAA: resc_trace(JSTracer*, JSObject*) (RegExpObject.h:157)
==51784== by 0x8290045: js::GCMarker::drainMarkStack(js::SliceBudget&) (Marking.cpp:1421)
==51784== by 0x80CDEAC: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3645)
==51784== by 0x80CFBBC: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4260)
==51784== by 0x80CFF1A: _ZL7CollectP9JSRuntimebxN2js18JSGCInvocationKindENS1_8gcreason6ReasonE.part.281 (jsgc.cpp:4378)
==51784== by 0x80D0DAE: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4301)
==51784== by 0x81102DA: NewObject(JSContext*, js::Class*, js::types::TypeObject*, JSObject*, js::gc::AllocKind) (jsgcinlines.h:497)
==51784== by 0x811E43A: _ZN2js23NewObjectWithClassProtoEP9JSContextPNS_5ClassEP8JSObjectS5_NS_2gc9AllocKindE.part.306 (jsobj.cpp:1281)
==51784== by 0x80C0BBF: js_NewFunction(JSContext*, JS::Handle<JSObject*>, int (*)(JSContext*, unsigned int, JS::Value*), unsigned int, JSFunction::Flags, JS::Handle<JSObject*>, JS::Handle<JSAtom*>, js::gc::AllocKind) (jsfun.cpp:1439)
==51784== by 0x8243DF2: js::frontend::Parser::newFunction(js::frontend::ParseContext*, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind) (Parser.cpp:1084)
==51784== by 0x825A077: js::frontend::Parser::functionDef(JS::Handle<js::PropertyName*>, js::frontend::TokenStream::Position const&, js::frontend::Parser::FunctionType, js::frontend::FunctionSyntaxKind) (Parser.cpp:1620)
==51784== Address 0xa0fa798 is 0 bytes inside a block of size 56 free'd
==51784== at 0x48BD06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==51784== by 0x827923F: js::RegExpCompartment::~RegExpCompartment() (Utility.h:165)
==51784== by 0x8096470: JSCompartment::~JSCompartment() (jscompartment.cpp:99)
==51784== by 0x80CD4B3: _ZL17SweepCompartmentsPN2js6FreeOpEb.constprop.285 (jscntxt.h:390)
==51784== by 0x80CECEC: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3751)
==51784== by 0x80CFBBC: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4260)
==51784== by 0x80CFF1A: _ZL7CollectP9JSRuntimebxN2js18JSGCInvocationKindENS1_8gcreason6ReasonE.part.281 (jsgc.cpp:4378)
==51784== by 0x80D0DAE: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4301)
==51784== by 0x80D7A1D: js::types::TypeCompartment::newTypeObject(JSContext*, JSProtoKey, JS::Handle<js::TaggedProto>, bool, bool) (jsgcinlines.h:497)
==51784== by 0x80EA205: JSCompartment::getNewType(JSContext*, js::TaggedProto, JSFunction*, bool) (jsinfer.cpp:5990)
==51784== by 0x80EA65E: JSObject::getNewType(JSContext*, JSFunction*, bool) (jsinfer.cpp:6052)
==51784== by 0x5: ???
==51784==
==51784== Invalid read of size 4
==51784== at 0x827CD0E: resc_finalize(js::FreeOp*, JSObject*) (RegExpStatics.cpp:106)
==51784== by 0x80CBB76: FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::ArenaList&, js::gc::AllocKind, js::SliceBudget&) (jsobjinlines.h:239)
==51784== by 0x80CC656: BeginSweepingCompartmentGroup(JSRuntime*) (jsgc.cpp:1295)
==51784== by 0x80CE30F: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3627)
==51784== by 0x80CFBBC: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4260)
==51784== by 0x80CFF1A: _ZL7CollectP9JSRuntimebxN2js18JSGCInvocationKindENS1_8gcreason6ReasonE.part.281 (jsgc.cpp:4378)
==51784== by 0x80D03A0: js::GC(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4402)
==51784== by 0x8092E6A: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:410)
==51784== by 0x8062B86: JS_DestroyContext(JSContext*) (jsapi.cpp:1256)
==51784== by 0x8055C14: DestroyContext(JSContext*, bool) (js.cpp:4864)
==51784== by 0x804B6D5: main (js.cpp:5405)
==51784== Address 0xa0fa798 is 0 bytes inside a block of size 56 free'd
==51784== at 0x48BD06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==51784== by 0x827923F: js::RegExpCompartment::~RegExpCompartment() (Utility.h:165)
==51784== by 0x8096470: JSCompartment::~JSCompartment() (jscompartment.cpp:99)
==51784== by 0x80CD4B3: _ZL17SweepCompartmentsPN2js6FreeOpEb.constprop.285 (jscntxt.h:390)
==51784== by 0x80CECEC: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3751)
==51784== by 0x80CFBBC: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4260)
==51784== by 0x80CFF1A: _ZL7CollectP9JSRuntimebxN2js18JSGCInvocationKindENS1_8gcreason6ReasonE.part.281 (jsgc.cpp:4378)
==51784== by 0x80D0DAE: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4301)
==51784== by 0x80D7A1D: js::types::TypeCompartment::newTypeObject(JSContext*, JSProtoKey, JS::Handle<js::TaggedProto>, bool, bool) (jsgcinlines.h:497)
==51784== by 0x80EA205: JSCompartment::getNewType(JSContext*, js::TaggedProto, JSFunction*, bool) (jsinfer.cpp:5990)
==51784== by 0x80EA65E: JSObject::getNewType(JSContext*, JSFunction*, bool) (jsinfer.cpp:6052)
==51784== by 0x5: ???
Marking s-s and sec-critical.
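The valgrind trace above shows the shape of the bug: js::RegExpCompartment::~RegExpCompartment() frees a 56-byte block during compartment sweeping, and resc_trace / resc_finalize later read that block through a raw pointer held by a RegExpStatics object. The assertion in the title (shared->activeUseCount == 0) is the invariant that such a pointer must not outlive the entry it refers to. The following is an added C model of that ownership pattern, written for this page and not SpiderMonkey code: the type and function names (RegExpShared, RegExpCompartment, RegExpStatics, rc_get, statics_set, rc_sweep_unsafe, rc_sweep_guarded) are hypothetical, the use-count guard only illustrates the invariant the assertion checks, and it is not the actual fix that landed in bug 832217.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the lifetime bug class in this report (not SpiderMonkey code).
 * A compartment owns a table of shared regexps; a "statics" object keeps a raw pointer
 * into that table and bumps activeUseCount while it does. Tearing an entry down while
 * the count is non-zero is the state the assertion in the bug title catches, and is
 * what later surfaces as the valgrind invalid read. */

typedef struct RegExpShared {
    char *source;
    unsigned activeUseCount;    /* live holders of a raw pointer to this entry */
} RegExpShared;

#define RC_MAX 8
typedef struct RegExpCompartment {
    RegExpShared *entries[RC_MAX];
    size_t count;
} RegExpCompartment;

typedef struct RegExpStatics {
    RegExpShared *lastMatch;    /* raw, unowned pointer, like the one resc_trace walks */
} RegExpStatics;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Look up or create the shared regexp for a source string; the compartment owns it. */
RegExpShared *rc_get(RegExpCompartment *rc, const char *source) {
    for (size_t i = 0; i < rc->count; i++)
        if (strcmp(rc->entries[i]->source, source) == 0)
            return rc->entries[i];
    if (rc->count == RC_MAX)
        return NULL;
    RegExpShared *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->source = dup_str(source);
    rc->entries[rc->count++] = s;
    return s;
}

/* The statics object takes a use on what it points at and releases the previous one. */
void statics_set(RegExpStatics *st, RegExpShared *s) {
    if (st->lastMatch)
        st->lastMatch->activeUseCount--;
    st->lastMatch = s;
    if (s)
        s->activeUseCount++;
}

/* Buggy sweep: frees every entry regardless of users.
 * Returns how many entries were freed while still in use (dangling pointers left behind). */
size_t rc_sweep_unsafe(RegExpCompartment *rc) {
    size_t dangling = 0;
    for (size_t i = 0; i < rc->count; i++) {
        RegExpShared *s = rc->entries[i];
        if (s->activeUseCount != 0)
            dangling++;             /* shared->activeUseCount == 0 would fail here */
        free(s->source);
        free(s);
    }
    rc->count = 0;
    return dangling;
}

/* Guarded sweep: frees only entries with no active users, keeps the rest alive.
 * Returns the number of entries kept. */
size_t rc_sweep_guarded(RegExpCompartment *rc) {
    size_t kept = 0;
    for (size_t i = 0; i < rc->count; i++) {
        RegExpShared *s = rc->entries[i];
        if (s->activeUseCount == 0) {
            free(s->source);
            free(s);
        } else {
            rc->entries[kept++] = s;
        }
    }
    rc->count = kept;
    return kept;
}

/* Scenario from the testcase: a statics object still references the compartment's
 * regexp when the compartment is swept. Returns the dangling count (1). */
size_t scenario_unsafe(void) {
    RegExpCompartment rc = {0};
    RegExpStatics st = {0};
    statics_set(&st, rc_get(&rc, "1"));
    size_t dangling = rc_sweep_unsafe(&rc);
    st.lastMatch = NULL;            /* never dereference the freed pointer */
    return dangling;
}

/* Same scenario with the guard: the entry survives the first sweep (*kept_first == 1)
 * and is freed only after the statics object drops its use. Returns entries left (0). */
size_t scenario_guarded(size_t *kept_first) {
    RegExpCompartment rc = {0};
    RegExpStatics st = {0};
    statics_set(&st, rc_get(&rc, "1"));
    *kept_first = rc_sweep_guarded(&rc);
    statics_set(&st, NULL);
    return rc_sweep_guarded(&rc);
}
```

Run the unsafe scenario under valgrind or ASan with a read of st.lastMatch re-enabled and you get the same "invalid read ... inside a block ... free'd" pairing as in comment 1; the guarded variant only ever frees an entry once its use count has returned to zero.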
Comment 2 • 12 years ago
Marking flags as per Gary's awesomeness during CritSmash.
status-firefox18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → affected
tracking-firefox21: --- → +
Comment 3 • 12 years ago
(We mirrored the flags to/from bug 832197 - Sean, please feel free to dupe this/that if necessary, but landing both testcases will be fantastic)
Flags: needinfo?(sstangl)
Comment 4 • 12 years ago
This bug will no longer reproduce per Bug 832197 Comment 11, but it is not fixed.
status-firefox18: unaffected → ---
status-firefox19: unaffected → ---
status-firefox20: unaffected → ---
status-firefox21: affected → ---
tracking-firefox21: + → ---
Flags: needinfo?(sstangl)
Comment 5 • 12 years ago
This should now be fixed without the workaround: fix landed in Bug 832217, testcases added in Bug 829758.
Flags: needinfo?(choller)
Flags: in-testsuite+
Updated • 12 years ago
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
Comment 6 • 12 years ago
Sean, did you inadvertently clear the flags in comment 4? (Critsmash was wondering about this)
Assuming fixed by bug 832217, moreover testcases have already landed.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(choller) → needinfo?(sstangl)
Resolution: --- → FIXED
Comment 7 • 12 years ago
Setting VERIFIED based on in-testsuite+.
Status: RESOLVED → VERIFIED
Flags: needinfo?(sstangl)
Comment 8 • 12 years ago
(In reply to Gary Kwong [:gkw] from comment #6)
> Sean, did you inadvertently clear the flags in comment 4? (Critsmash was
> wondering about this)
>
> Assuming fixed by bug 832217, moreover testcases have already landed.
Apparently so. I never touch those flags and have no idea why they were modified.
Updated • 12 years ago
Group: core-security
Updated • 12 years ago
Keywords: regression