Closed Bug 1487238 Opened Last year Closed Last year

Crash [@ MOZ_CrashPrintf] involving realm mismatch and sameCompartmentAs

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla64
Tracking Status
geckoview62 --- unaffected
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 726b6afe04a7 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/realms/basic.js
var x = newGlobal({
    sameCompartmentAs: this
});
// jsfunfuzz-generated
x instanceof x.Map.prototype.set;

Backtrace:

#0  0x0000000001085634 in MOZ_CrashPrintf (aFilename=0x2983e8 "js/src/vm/JSContext-inl.h", aLine=49, aFormat=<optimized out>) at mfbt/Assertions.cpp:67
#1  0x00000000017fc421 in js::ContextChecks::fail (r1=0xb40, r2=0x7f4cae0808b0 <_IO_stdfile_2_lock>, argIndex=0) at js/src/vm/JSContext-inl.h:48
#2  js::ContextChecks::check (r=0x7f4cae0808b0 <_IO_stdfile_2_lock>, argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:62
#3  js::ContextChecks::check (script=0x7f4cacd8f0d0, argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:158
#4  JSContext::checkImpl<JS::Rooted<JSScript*>>(int, JS::Rooted<JSScript*> const&) (this=0x7f4cacf16000, argIndex=0, head=...) at js/src/vm/JSContext-inl.h:182
/snip

For detailed crash information, see attachment.

Setting s-s because the actual stdout from running this testcase also involves a "realm mismatch":

$ ./js-dbg-64-linux-726b6afe04a7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js 
Hit MOZ_CRASH(*** Realm mismatch 0x7ff157364000 vs. 0x7ff157363800 at argument 0
) at /home/ubuntu/trees/mozilla-central/js/src/vm/JSContext-inl.h:49
Segmentation fault (core dumped)
Blocks: 1466118
Summary: Crash [@ MOZ_CrashPrintf] → Crash [@ MOZ_CrashPrintf] involving realm mismatch
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/64a85b3753ac
user:        Jan de Mooij
date:        Tue Aug 21 13:14:23 2018 +0200
summary:     Bug 1466118 part 8 - Change compartment check to realm check for JSScript and AbstractFramePtr. r=luke

Jan, is bug 1466118 a likely regressor?
Flags: needinfo?(jdemooij)
realm mismatch sounds sec-high. If these runtime checks run all the time and not just test settings then we could downgrade it a bit.
Keywords: sec-high
This is harmless and actually can't happen in the browser because we're not using same-compartment-realms there yet.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Keywords: sec-high
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Another option is to allow same-compartment realms here, but this seems simpler and safer (to ensure we don't leak any information in document.domain cases or if we ever change from CPO to something else). A principals check is probably not worth the complexity.
Comment on attachment 9006016 [details]
Bug 1487238 - Do realm checks instead of compartment checks in the expression decompiler code. r=luke

Luke Wagner [:luke] has approved the revision.
Attachment #9006016 - Flags: review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6029e0377dda
Do realm checks instead of compartment checks in the expression decompiler code. r=luke
https://hg.mozilla.org/mozilla-central/rev/6029e0377dda
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Doesn't sound like we need to worry about backporting this.
Flags: in-testsuite+
Summary: Crash [@ MOZ_CrashPrintf] involving realm mismatch → Crash [@ MOZ_CrashPrintf] involving realm mismatch and sameCompartmentAs
You need to log in before you can comment on or make changes to this bug.