Closed Bug 1894916 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Association not found: 175b69ffe040 0x10 ObjectSlots) at gc/Scheduling.cpp:689

Categories

(Core :: JavaScript: GC, defect, P2)

defect

Tracking


RESOLVED DUPLICATE of bug 1895086

People

(Reporter: lukas.bernhard, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: reporter-external)

Steps to reproduce:

On git commit 38377227b8f96fda8f418db614e6a8aa67d01c31 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js.
Bisecting identifies 7a9ef1ecbe17a5da9e749e43dc7bf124fe6c5b13, but that is not the true regressing commit: previous commits also trigger the issue with slight changes to the second gczeal parameter.

// Shell GC-zeal setting for this fuzzer testcase. The report above notes that
// earlier commits also reproduce with slight changes to the second argument
// (presumably the zeal trigger frequency), so the exact value is
// timing-sensitive and should be treated as part of the reproducer.
gczeal(8, 43);
// Comparator callback handed to Float64Array.prototype.toSorted below; it
// ignores its arguments and returns undefined, and is only used to run this
// body many times during the sort. Sloppy-mode function, so `this` is the
// shell global here. Statement order and the set of allocations matter for
// the GC-zeal timing, so do not restructure this when reducing.
function f0() {
    // Shell helper: returns a wrapper with `.object` (the JS object) and a
    // `.transplant(global)` method, both used below.
    const v2 = this.transplantableObject();
    const v3 = v2.object;
    class C4 {
    }
    const o6 = {
        "sameZoneAs": C4,
        "immutablePrototype": false,
    };
    // New global created in the same zone as C4 (per the option name).
    const t10 = newGlobal(o6);
    // Point the new global's prototype at the transplantable object.
    t10.__proto__ = v3;
    const v10 = newGlobal();
    // Presumably nukes cross-compartment wrappers pointing into/out of v10,
    // then transplants the object there. The backtrace shows the crash
    // later, on a GC helper thread during background finalization
    // (sweepFromBackgroundThread -> backgroundFinalize -> JSObject::finalize
    // -> removeCellMemory), when the ObjectSlots memory being freed has no
    // association in the MemoryTracker.
    v10.nukeAllCCWs();
    v2.transplant(v10);
}
// Driver: sorting a 1329-element typed array with f0 as comparator invokes
// f0 repeatedly, interleaving its allocations with the zeal-triggered GCs.
// The array length is part of the timing-sensitive reproducer.
const v18 = new Float64Array(1329);
v18.toSorted(f0);
#0  MOZ_Crash (aFilename=<optimised out>, aLine=689,
    aReason=0x555559c4c510 <sPrintfCrashReason> "Association not found: 654de1e5040 0x10 ObjectSlots")
    at obj-x86_64-pc-linux-gnu/dist/include/mozilla/Assertions.h:317
#1  js::gc::MemoryTracker::untrackGCMemory (this=0x7ffff541d190, cell=0x654de1e5040, nbytes=16, use=<optimised out>)
    at js/src/gc/Scheduling.cpp:688
#2  0x00005555571b32ce in JS::GCContext::removeCellMemory (this=0x7ffff65fdbe0, cell=0x654de1e5040, nbytes=16,
    use=js::MemoryUse::ObjectSlots) at js/src/gc/GCContext-inl.h:36
#3  JS::GCContext::free_ (this=0x7ffff65fdbe0, cell=0x654de1e5040, p=0x654de1e5058, nbytes=16, use=js::MemoryUse::ObjectSlots)
    at js/src/gc/GCContext-inl.h:17
#4  0x0000555557ff4353 in JSObject::finalize (this=0x654de1e5040, gcx=0x7ffff65fdbe0)
    at js/src/vm/JSObject-inl.h:110
#5  0x0000555557ff3a1f in js::gc::Arena::finalize<JSObject> (this=this@entry=0x654de1e5000, gcx=gcx@entry=0x7ffff65fdbe0,
    thingKind=<optimised out>, thingSize=thingSize@entry=56) at js/src/gc/Sweeping.cpp:133
#6  0x0000555557fe8888 in FinalizeTypedArenas<JSObject> (gcx=0x7ffff65fdbe0, src=..., dest=..., thingKind=<optimised out>, budget=...)
    at js/src/gc/Sweeping.cpp:200
#7  0x0000555557fc5b23 in FinalizeArenas (gcx=0xaaaaaaaaaaaa0008, gcx@entry=0x7ffff65fdbe0, src=..., dest=..., 
    thingKind=thingKind@entry=js::gc::AllocKind::OBJECT4_BACKGROUND, budget=...) at js/src/gc/Sweeping.cpp:231
#8  0x0000555557fc5577 in js::gc::GCRuntime::backgroundFinalize (this=this@entry=0x7ffff742f798, gcx=gcx@entry=0x7ffff65fdbe0,
    zone=zone@entry=0x7ffff541d000, kind=<optimised out>, empty=empty@entry=0x7ffff65fdae0)
    at js/src/gc/Sweeping.cpp:270
#9  0x0000555557fc8aa2 in js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0x7ffff742f798, zones=...)
    at js/src/gc/Sweeping.cpp:348
#10 0x0000555557fc948a in js::gc::GCRuntime::sweepFromBackgroundThread (this=0x7ffff742f798, lock=...)
    at js/src/gc/Sweeping.cpp:425
#11 0x0000555557f3d210 in js::GCParallelTask::runTask (this=this@entry=0x7ffff7431768, gcx=gcx@entry=0x7ffff65fdbe0, lock=...)
    at js/src/gc/GCParallelTask.cpp:207
#12 0x0000555557f3d5e9 in js::GCParallelTask::runHelperThreadTask (this=0x7ffff7431768, lock=...)
    at js/src/gc/GCParallelTask.cpp:189
#13 0x000055555755c307 in js::GlobalHelperThreadState::runTaskLocked (this=this@entry=0x7ffff7417c00, task=0x7ffff7431768, locked=...)
    at js/src/vm/HelperThreads.cpp:1730
#14 0x000055555755bf94 in js::GlobalHelperThreadState::runOneTask (this=this@entry=0x7ffff7417c00, lock=...)
    at js/src/vm/HelperThreads.cpp:1699
#15 0x000055555755bec3 in JS::RunHelperThreadTask () at js/src/vm/HelperThreads.cpp:1686
#16 0x000055555759326e in js::HelperThread::threadLoop (this=this@entry=0x7ffff74273e0, pool=pool@entry=0x7ffff7423e00)
    at js/src/vm/InternalThreadPool.cpp:287
#17 0x0000555557592fa8 in js::HelperThread::ThreadMain (pool=0x7ffff7423e00, helper=0x7ffff74273e0)
    at js/src/vm/InternalThreadPool.cpp:228
#18 0x00005555575affa4 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::callMain<0ul, 1ul> (this=0x7ffff740f5f0) at js/src/threading/Thread.h:228
#19 js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start (aPack=0x7ffff740f5f0) at js/src/threading/Thread.h:217
#20 0x00007ffff7897b5a in start_thread (arg=<optimised out>) at ./nptl/pthread_create.c:444
#21 0x00007ffff79285fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript: GC
Product: Firefox → Core
Summary: it MOZ_CRASH(Association not found: 175b69ffe040 0x10 ObjectSlots) at gc/Scheduling.cpp:689 → Hit MOZ_CRASH(Association not found: 175b69ffe040 0x10 ObjectSlots) at gc/Scheduling.cpp:689
Group: core-security → javascript-core-security
See Also: → CVE-2024-5688

(same reasoning as Bug 1895086, which is listed as see-also)

Blocks: GC.stability
Severity: -- → S4
Priority: -- → P2

Yes, this is the same issue as bug 1895086.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2024-5688
Resolution: --- → DUPLICATE
Group: javascript-core-security