Closed
Bug 1487238
Opened 6 years ago
Closed 6 years ago
Crash [@ MOZ_CrashPrintf] involving realm mismatch and sameCompartmentAs
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla64
Branch | Tracking | Status
---|---|---
geckoview62 | --- | unaffected
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | unaffected
firefox61 | --- | unaffected
firefox62 | --- | unaffected
firefox63 | --- | wontfix
firefox64 | --- | fixed
People
(Reporter: gkw, Assigned: jandem)
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 726b6afe04a7 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/realms/basic.js
var x = newGlobal({ sameCompartmentAs: this });
// jsfunfuzz-generated
x instanceof x.Map.prototype.set;

Backtrace:

#0 0x0000000001085634 in MOZ_CrashPrintf (aFilename=0x2983e8 "js/src/vm/JSContext-inl.h", aLine=49, aFormat=<optimized out>) at mfbt/Assertions.cpp:67
#1 0x00000000017fc421 in js::ContextChecks::fail (r1=0xb40, r2=0x7f4cae0808b0 <_IO_stdfile_2_lock>, argIndex=0) at js/src/vm/JSContext-inl.h:48
#2 js::ContextChecks::check (r=0x7f4cae0808b0 <_IO_stdfile_2_lock>, argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:62
#3 js::ContextChecks::check (script=0x7f4cacd8f0d0, argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:158
#4 JSContext::checkImpl<JS::Rooted<JSScript*>>(int, JS::Rooted<JSScript*> const&) (this=0x7f4cacf16000, argIndex=0, head=...) at js/src/vm/JSContext-inl.h:182
/snip

For detailed crash information, see attachment.

Setting s-s because the actual stdout from running this testcase also involves a "realm mismatch":

$ ./js-dbg-64-linux-726b6afe04a7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
Hit MOZ_CRASH(*** Realm mismatch 0x7ff157364000 vs. 0x7ff157363800 at argument 0 ) at /home/ubuntu/trees/mozilla-central/js/src/vm/JSContext-inl.h:49
Segmentation fault (core dumped)
Reporter
Comment 1•6 years ago

Reporter
Updated•6 years ago
Blocks: 1466118
Summary: Crash [@ MOZ_CrashPrintf] → Crash [@ MOZ_CrashPrintf] involving realm mismatch
Reporter
Comment 2•6 years ago
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/64a85b3753ac
user: Jan de Mooij
date: Tue Aug 21 13:14:23 2018 +0200
summary: Bug 1466118 part 8 - Change compartment check to realm check for JSScript and AbstractFramePtr. r=luke

Jan, is bug 1466118 a likely regressor?
Flags: needinfo?(jdemooij)
Comment 3•6 years ago
realm mismatch sounds sec-high. If these runtime checks run all the time and not just test settings then we could downgrade it a bit.
Keywords: sec-high
Assignee
Comment 4•6 years ago
This is harmless and actually can't happen in the browser because we're not using same-compartment-realms there yet.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
status-firefox61:
--- → unaffected
status-firefox62:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
status-geckoview62:
--- → unaffected
Keywords: sec-high
Assignee
Updated•6 years ago
Group: javascript-core-security
Assignee
Updated•6 years ago
Flags: needinfo?(jdemooij)
Assignee
Comment 5•6 years ago
Another option is to allow same-compartment realms here, but this seems simpler and safer (to ensure we don't leak any information in document.domain cases or if we ever change from CPO to something else). A principals check is probably not worth the complexity.
Comment 6•6 years ago
Comment on attachment 9006016 [details]
Bug 1487238 - Do realm checks instead of compartment checks in the expression decompiler code. r=luke

Luke Wagner [:luke] has approved the revision.

Attachment #9006016 - Flags: review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6029e0377dda
Do realm checks instead of compartment checks in the expression decompiler code. r=luke
Comment 8•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6029e0377dda
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 9•6 years ago
Doesn't sound like we need to worry about backporting this.
Flags: in-testsuite+
Reporter
Updated•6 years ago
Summary: Crash [@ MOZ_CrashPrintf] involving realm mismatch → Crash [@ MOZ_CrashPrintf] involving realm mismatch and sameCompartmentAs