Closed
Bug 1406463
Opened 7 years ago
Closed 7 years ago
Assertion failure: this->is<T>(), at /home/andre/hg/mozilla-inbound/js/src/jsobj.h:531
Categories
(Core :: JavaScript Engine, defect, P2)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | wontfix |
firefox58 | --- | fixed |
People
(Reporter: anba, Assigned: anba)
Details
(Keywords: sec-other, Whiteboard: [adv-main58-][post-critsmash-triage])
Attachments
(1 file)
1.69 KB,
patch
|
till
:
review+
|
Details | Diff | Splinter Review |
Follow-up from bug 1347984: --- var P = newGlobal().eval(` (class extends Promise { static resolve(o) { return o; } }); `); Promise.all.call(P, [{ then(r) { nukeAllCCWs(); r(); } }]); --- Asserts with: --- Thread 1 "js" received signal SIGSEGV, Segmentation fault. 0x0000000000524bcc in JSObject::as<js::NativeObject> (this=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/jsobj.h:531 531 MOZ_ASSERT(this->is<T>()); --- Stack trace: --- #0 0x0000000000524bcc in JSObject::as<js::NativeObject>() (this=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/jsobj.h:531 #1 0x00000000005e9aec in PromiseAllResolveElementFunction(JSContext*, unsigned int, JS::Value*) (cx=0x7ffff6976000, argc=<optimised out>, vp=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/builtin/Promise.cpp:2113 #2 0x000000000055d181 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (cx=0x7ffff6976000, native=0x5e98e0 <PromiseAllResolveElementFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/andre/hg/mozilla-inbound/js/src/jscntxtinlines.h:293 #3 0x0000000000551a2f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=cx@entry=0x7ffff6976000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:495 #4 0x0000000000551ecd in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7ffff6976000, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:540 #5 0x0000000000543fac in Interpret(JSContext*, js::RunState&) (args=..., cx=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:546 #6 0x0000000000543fac in Interpret(JSContext*, js::RunState&) (cx=0x7ffff6976000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:3085 #7 0x0000000000551491 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff6976000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:435 #8 0x0000000000551b8f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=cx@entry=0x7ffff6976000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:513 #9 0x0000000000551ecd in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=cx@entry=0x7ffff6976000, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:540 #10 0x0000000000552030 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x7ffff6976000, fval=..., fval@entry=$jsval((JSObject *) 0x7ffff44b5420 [object Function "then"]), thisv=..., thisv@entry=$jsval((JSObject *) 0x7ffff4491190 [object Object]), args=..., rval=JSVAL_VOID) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:559 #11 0x00000000005e3965 in BlockOnPromise(JSContext*, JS::HandleValue, JS::HandleObject, JS::HandleValue, JS::HandleValue) (rval=..., arg1=$jsval((JSObject *) 0x7ffff7e00a00 [object Proxy]), arg0=$jsval((JSObject *) 0x7ffff7e00b60 [object Function <unnamed>]), thisv=..., fval=..., cx=0x7ffff6976000) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.h:122 #12 0x00000000005e3965 in BlockOnPromise(JSContext*, JS::HandleValue, JS::HandleObject, JS::HandleValue, JS::HandleValue) (cx=0x7ffff6976000, promiseVal=..., promiseVal@entry=$jsval((JSObject *) 0x7ffff4491190 [object Object]), blockedPromise_=(JSObject * const) 0x7ffff7e00a40 [object Proxy], onFulfilled=..., onFulfilled@entry=$jsval((JSObject *) 0x7ffff7e00b60 [object Function <unnamed>]), onRejected=..., onRejected@entry=$jsval((JSObject *) 0x7ffff7e00a00 [object Proxy])) at /home/andre/hg/mozilla-inbound/js/src/builtin/Promise.cpp:3128 #13 0x00000000005e9450 in Promise_static_all(JSContext*, unsigned int, JS::Value*) (done=0x7fffffffc01f, reject=(JSObject * const) 0x7ffff7e00a00 [object Proxy], resolve=..., promiseObj=(JSObject * const) 0x7ffff7e00a40 [object Proxy], C=(JSObject * const) 0x7ffff449f100 [object Proxy], iterator=..., cx=0x7ffff6976000) at /home/andre/hg/mozilla-inbound/js/src/builtin/Promise.cpp:2065 #14 0x00000000005e9450 in Promise_static_all(JSContext*, unsigned int, JS::Value*) (cx=0x7ffff6976000, argc=<optimised out>, vp=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/builtin/Promise.cpp:1735 .... ---
Updated•7 years ago
|
Group: core-security → javascript-core-security
Updated•7 years ago
|
Priority: -- → P2
Comment 1•7 years ago
|
||
Andre: what are the security implications of this? Presumably affects 57 because the original bug was uplifted?
status-firefox57:
--- → affected
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(andrebargull)
Assignee | ||
Comment 2•7 years ago
|
||
From the looks of it, it should be quite similar to bug 1347984. We're effectively invoking a NativeObject elements method on a DeadObjectProxy and to repeat :jandem's words from 1347984: > [...] we fell through to the array case and there things go horribly wrong. So we will definitely crash, but it's probably unlikely that the crash can be used as an exploit. I've only hidden this bug because I think it's better to be safe than sorry.
Flags: needinfo?(andrebargull)
Assignee | ||
Comment 3•7 years ago
|
||
Might as well just add a patch for this bug.
Comment 4•7 years ago
|
||
Comment on attachment 8917952 [details] [diff] [review] bug1406463.patch Review of attachment 8917952 [details] [diff] [review]: ----------------------------------------------------------------- Thank you for fixing this, and sorry for the review delay.
Attachment #8917952 -
Flags: review?(till) → review+
Assignee | ||
Updated•7 years ago
|
Keywords: checkin-needed
Comment 5•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/56a94fa75d3fbf7638277e0c0c4d2a020ebfb09a
Comment 6•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/56a94fa75d3f Is there a user impact that justifies uplift consideration or can it ride the 58 train?
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(andrebargull)
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6) > https://hg.mozilla.org/mozilla-central/rev/56a94fa75d3f > > Is there a user impact that justifies uplift consideration or can it ride > the 58 train? The bug can crash Firefox, but in comparison to bug 1347984, I don't think it's possible to hit this bug when you're just browsing, because the set-up is more involved and requires (ab)using certain extension points in ES6 Promises (a Promise subclass needs to be constructed whose static `resolve` method was replaced - and this is not a thing which occurs in normal web sites). That being said, the actual fix is super-safe to uplift, so there's no risk when we uplift it now instead of letting it ride the trains.
Flags: needinfo?(andrebargull)
Comment 8•7 years ago
|
||
Thanks for the reply. We're trying to keep uplifts to those that are high-impact at this point in the cycle, so I'm going to call 57 wontfix.
Updated•7 years ago
|
Group: javascript-core-security → core-security-release
Updated•6 years ago
|
Whiteboard: [adv-main58-]
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main58-] → [adv-main58-][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•