1487238 - Crash [@ MOZ_CrashPrintf] involving realm mismatch and sameCompartmentAs

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 726b6afe04a7 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/realms/basic.js
var x = newGlobal({
    sameCompartmentAs: this
});
// jsfunfuzz-generated
x instanceof x.Map.prototype.set;

Backtrace:

#0  0x0000000001085634 in MOZ_CrashPrintf (aFilename=0x2983e8 "js/src/vm/JSContext-inl.h", aLine=49, aFormat=<optimized out>) at mfbt/Assertions.cpp:67
#1  0x00000000017fc421 in js::ContextChecks::fail (r1=0xb40, r2=0x7f4cae0808b0 <_IO_stdfile_2_lock>, argIndex=0) at js/src/vm/JSContext-inl.h:48
#2  js::ContextChecks::check (r=0x7f4cae0808b0 <_IO_stdfile_2_lock>, argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:62
#3  js::ContextChecks::check (script=0x7f4cacd8f0d0, argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:158
#4  JSContext::checkImpl<JS::Rooted<JSScript*>>(int, JS::Rooted<JSScript*> const&) (this=0x7f4cacf16000, argIndex=0, head=...) at js/src/vm/JSContext-inl.h:182
/snip

For detailed crash information, see attachment.

Setting s-s because the actual stdout from running this testcase also involves a "realm mismatch":

$ ./js-dbg-64-linux-726b6afe04a7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js 
Hit MOZ_CRASH(*** Realm mismatch 0x7ff157364000 vs. 0x7ff157363800 at argument 0
) at /home/ubuntu/trees/mozilla-central/js/src/vm/JSContext-inl.h:49
Segmentation fault (core dumped)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/64a85b3753ac
user:        Jan de Mooij
date:        Tue Aug 21 13:14:23 2018 +0200
summary:     Bug 1466118 part 8 - Change compartment check to realm check for JSScript and AbstractFramePtr. r=luke

Jan, is bug 1466118 a likely regressor?

Comment 3

[Daniel Veditz [:dveditz]]

realm mismatch sounds sec-high. If these runtime checks run all the time and not just test settings then we could downgrade it a bit.

Comment 4

[Jan de Mooij [:jandem]]

This is harmless and actually can't happen in the browser because we're not using same-compartment-realms there yet.

Comment 5

[Jan de Mooij [:jandem]]

Attachment: Bug 1487238 - Do realm checks instead of compartment checks in the expression decompiler code. r=luke

Another option is to allow same-compartment realms here, but this seems simpler and safer (to ensure we don't leak any information in document.domain cases or if we ever change from CPO to something else). A principals check is probably not worth the complexity.

Comment 6

[Luke Wagner [:luke]]

Comment on attachment 9006016 [details]
Bug 1487238 - Do realm checks instead of compartment checks in the expression decompiler code. r=luke

Luke Wagner [:luke] has approved the revision.

Comment 7

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6029e0377dda
Do realm checks instead of compartment checks in the expression decompiler code. r=luke

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/6029e0377dda

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Doesn't sound like we need to worry about backporting this.