firefox-esr60: unaffected
firefox66: unaffected
firefox67: fixed
firefox68: fixed

The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

class b {}
b.__proto__ = evalcx("lazy");
b.__proto__ = evalcx("lazy");
new b();
received signal SIGSEGV, Segmentation fault.
#0  MOZ_Crash (aReason=0x555557c22260 <sPrintfCrashReason> "*** Realm mismatch 0x7ffff5f73000 vs. 0x7ffff5f59800 at argument 0", aLine=40, aFilename=0x555556af57e0 "js/src/vm/JSContext-inl.h") at dist/include/mozilla/Assertions.h:314
#1  MOZ_CrashPrintf (aFilename=aFilename@entry=0x555556af57e0 "js/src/vm/JSContext-inl.h", aLine=aLine@entry=40, aFormat=aFormat@entry=0x555556b25d28 "*** Realm mismatch %p vs. %p at argument %d") at mfbt/Assertions.cpp:53
#2  0x0000555555b42328 in js::ContextChecks::fail (argIndex=0, r2=<optimized out>, r1=<optimized out>) at js/src/vm/JSContext-inl.h:39
#3  js::ContextChecks::check (argIndex=0, r=<optimized out>, this=<optimized out>) at js/src/vm/JSContext-inl.h:53
#4  js::ContextChecks::check (argIndex=0, script=0xc92d3cb0af0, this=<optimized out>) at js/src/vm/JSContext-inl.h:157
#5  JSContext::checkImpl<JSScript*, js::TypeSet::Type> (head=<synthetic pointer>, argIndex=0, this=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:184
#6  JSContext::check<JSScript*, js::TypeSet::Type> (this=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:192
#7  js::TypeScript::SetThis (cx=0x7ffff5f17000, script=script@entry=0xc92d3cb0af0, type=...) at js/src/vm/TypeInference-inl.h:740
#8  0x0000555555b3cf70 in js::CreateThisForFunctionWithProto (cx=<optimized out>, callee=..., newTarget=..., proto=..., proto@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/vm/JSObject.cpp:1157
#9  0x0000555555b3d7ec in js::CreateThisForFunction (cx=<optimized out>, cx@entry=0x7ffff5f17000, callee=callee@entry=..., newTarget=newTarget@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/vm/JSObject.cpp:1215
#10 0x00005555558c9458 in js::CreateThis (thisv=..., newKind=js::GenericObject, newTarget=..., calleeScript=0xc92d3cb0af0, callee=..., cx=0x7ffff5f17000) at js/src/vm/JSObject-inl.h:628
#11 MaybeCreateThisForConstructor (cx=<optimized out>, calleeScript=0xc92d3cb0af0, args=..., createSingleton=<optimized out>) at js/src/vm/Interpreter.cpp:356
#12 0x00005555558db647 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3111
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276
Marking s-s until investigated. This could be shell-only due to the way evalcx is used.

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Jan de Mooij
date:        Thu Feb 14 16:26:19 2019 +0000
summary:     Bug 1527843 - Don't take the slow path for cross-realm functions in IonBuilder::createThis. r=anba

This iteration took 510.585 seconds to run.
The underlying bug here is in SetProto and is from same-compartment realms.

Assignee: nobody → jdemooij
I think only FF 67+ is affected in that we enabled same-compartment realms for content globals there. FF 66 has it enabled for chrome code but this likely isn't an issue there.

Pushed this because I don't think it's an actual security bug.

Comment on attachment 9055198 [details]
Bug 1540944 - Get new group from the correct realm in SetProto. r?luke!

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: same-compartment-realms
  • User impact if declined: Potentially broken websites, weird behavior.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fix is small, well understood, has tests.
  • String changes made/needed: None
Attachment #9055198 - Flags: approval-mozilla-beta?

Comment on attachment 9055198 [details]
Bug 1540944 - Get new group from the correct realm in SetProto. r?luke!

Low risk patch with tests, uplift approved for 67 beta 9, thanks.

Attachment #9055198 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
