Closed Bug 1527592 Opened 5 years ago Closed 5 years ago

Assertion failure: IsConstructor(args.CallArgs::newTarget()) (provided new.target value must be a constructor), at js/src/vm/Interpreter.cpp:622

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- wontfix
firefox67 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][adv-main67+])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 2bf86657a448 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off):

var lfOffThreadGlobal = newGlobal();   // same-compartment global (the newGlobal default since bug 1518753)
var g = newGlobal({
    newCompartment: true               // separate compartment, so `f` is only reachable through a CCW
});
var f = g.Function("fn", "fn()");      // constructor that lives in g's compartment
nukeAllCCWs();                          // shell-only: nuke every cross-compartment wrapper
new class extends f {}(() => {});      // derived-class construct forwards new.target across the nuked boundary

Backtrace:

received signal SIGSEGV, Segmentation fault.
InternalConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:621
#0  InternalConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:621
#1  0x00005555558f5c3a in js::Construct (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., args=..., newTarget=..., objp=objp@entry=...) at js/src/vm/Interpreter.cpp:690
#2  0x0000555555e61e5b in js::ForwardingProxyHandler::construct (this=<optimized out>, cx=0x7ffff5f17000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:182
#3  0x0000555555e4cbad in js::CrossCompartmentWrapper::construct (this=0x555557be3a20 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:260
#4  0x0000555555e58fb5 in js::Proxy::construct (cx=0x7ffff5f17000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:520
#5  0x00005555558f5809 in InternalConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:645
#6  0x00005555558f5c3a in js::Construct (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., args=..., newTarget=..., newTarget@entry=..., objp=objp@entry=...) at js/src/vm/Interpreter.cpp:690
#7  0x00005555558f6612 in js::SpreadCallOperation (cx=0x7ffff5f17000, script=..., pc=0x7ffff5f48ab5 "\246V", thisv=..., callee=..., arr=..., newTarget=..., res=...) at js/src/vm/Interpreter.cpp:5032
#8  0x00005555558e5e78 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3012

[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11213
rax 0x555557c2e280 93825032970880
rbx 0x7fffffffc440 140737488340032
rcx 0x555556b11dc8 93825015029192
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffc330 140737488339760
rsp 0x7fffffffc2d0 140737488339664
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6c80 140737354034304
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffc4a8 140737488340136
r13 0x7fffffffc44d 140737488340045
r14 0x7fffffffc780 140737488340864
r15 0x7fffffffc3a0 140737488339872
rip 0x5555558f5725 <InternalConstruct(JSContext*, js::AnyConstructArgs const&)+277>
=> 0x5555558f5725 <InternalConstruct(JSContext*, js::AnyConstructArgs const&)+277>: movl $0x0,0x0
0x5555558f5730 <InternalConstruct(JSContext*, js::AnyConstructArgs const&)+288>: ud2

Marking s-s because the test uses nukeAllCCWs.

Guessing sec-moderate because of limited ways for web content to get rid of CCWs.

Keywords: sec-moderate
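The assertion in the report is the engine's internal IsConstructor(new.target) sanity check. The following is an added example (not part of the bug report, and not SpiderMonkey code) that shows the same rule at the JavaScript level: how new.target flows through a derived class's default constructor and through a Proxy construct trap, which kinds of callables actually carry [[Construct]], and how Reflect.construct rejects a non-constructor new.target before any trap runs. The helper names (Parent, makeForwardingProxy, isConstructor, classifyCallables) are this example's own.

```javascript
"use strict";

// Parent constructor that records which new.target reached it.
function Parent() {
  this.seenNewTarget = new.target;
}

// A derived class with the default constructor, which the spec defines as
// `constructor(...args) { super(...args); }`. That super call is a spread
// construct, consistent with frame #7 (SpreadCallOperation) in the backtrace.
class Derived extends Parent {}

function newTargetThroughClass() {
  return new Derived().seenNewTarget === Derived;
}

// A construct trap that forwards new.target unchanged: the JavaScript-level
// counterpart of a forwarding wrapper handler.
function makeForwardingProxy(target) {
  return new Proxy(target, {
    construct(t, args, newTarget) {
      return Reflect.construct(t, args, newTarget);
    },
  });
}

function newTargetThroughProxy() {
  const P = makeForwardingProxy(Parent);
  // `new` was applied to the proxy, so that is what Parent observes as new.target.
  return new P().seenNewTarget === P;
}

// Portable IsConstructor: Reflect.construct validates its newTarget argument
// before constructing anything, so a throwaway target turns it into a pure check.
function isConstructor(value) {
  try {
    Reflect.construct(function () {}, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Which kinds of callable carry [[Construct]]? Callable-but-not-constructor
// values are exactly what the assertion in the report rejects as new.target.
function classifyCallables() {
  return {
    plainFunction: isConstructor(function () {}),
    classConstructor: isConstructor(class {}),
    boundConstructor: isConstructor(function () {}.bind(null)),
    proxyOfConstructor: isConstructor(new Proxy(function () {}, {})),
    arrowFunction: isConstructor(() => {}),
    methodShorthand: isConstructor({ m() {} }.m),
    asyncFunction: isConstructor(async function () {}),
    proxyOfArrow: isConstructor(new Proxy(() => {}, {})),
  };
}

// Forwarding a non-constructor as new.target is rejected up front by
// Reflect.construct with a TypeError, before the construct trap ever runs.
function constructWithBadNewTarget() {
  try {
    Reflect.construct(makeForwardingProxy(Parent), [], () => {});
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```

Run under Node or any ES2015+ shell; from script there is no way to hand a non-constructor new.target to a construct trap, which is why the inconsistency in the report only shows up when the engine itself substitutes a different object (here, after the wrappers have been nuked) for the new.target it forwards.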

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/450b8f0cbb4e
user: Jan de Mooij
date: Sat Jan 12 10:48:00 2019 +0000
summary: Bug 1518753 part 1 - Add --more-compartments JS shell flag, make same-compartment the default for newGlobal. r=jorendorff

Jan, is bug 1518753 a likely regressor?

(I think this changeset merely added newCompartment: true so I'm not sure if it's correct)

Flags: needinfo?(jdemooij)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)

> Jan, is bug 1518753 a likely regressor?

No, it's an older and unrelated bug, but I'll post a patch.

Flags: needinfo?(jdemooij)

Tom, I'll add you as reviewer because I think you're familiar with the DeadObjectProxy callable/constructor flags. An alternative fix is to check for dead object proxies in CrossCompartmentWrapper::construct somewhere, but there might be similar issues elsewhere.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Group: javascript-core-security → core-security-release

Does this need a Beta approval request?

Blocks: 1512260
Flags: needinfo?(jdemooij)
Flags: in-testsuite+

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

> Does this need a Beta approval request?

I think it can ride the trains: it's failing a sanity check but shouldn't result in anything memory unsafe in opt builds. Also I think this situation is hard to trigger from content.

Flags: needinfo?(jdemooij)
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main67+]
Group: core-security-release
Keywords: bugmon