Closed Bug 1540944 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(*** Realm mismatch 0x7ffff5f73000 vs. 0x7ffff5f59800 at argument 0) at js/src/vm/JSContext-inl.h:40 with evalcx and __proto__


(Core :: JavaScript Engine, defect)




Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 + fixed
firefox68 + fixed


(Reporter: decoder, Assigned: jandem)



(5 keywords, Whiteboard: [jsbugmon:update])


(1 file)

The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

class b {}
b.__proto__ = evalcx("lazy");
b.__proto__ = evalcx("lazy");
new b();


received signal SIGSEGV, Segmentation fault.
#0  MOZ_Crash (aReason=0x555557c22260 <sPrintfCrashReason> "*** Realm mismatch 0x7ffff5f73000 vs. 0x7ffff5f59800 at argument 0", aLine=40, aFilename=0x555556af57e0 "js/src/vm/JSContext-inl.h") at dist/include/mozilla/Assertions.h:314
#1  MOZ_CrashPrintf (aFilename=aFilename@entry=0x555556af57e0 "js/src/vm/JSContext-inl.h", aLine=aLine@entry=40, aFormat=aFormat@entry=0x555556b25d28 "*** Realm mismatch %p vs. %p at argument %d") at mfbt/Assertions.cpp:53
#2  0x0000555555b42328 in js::ContextChecks::fail (argIndex=0, r2=<optimized out>, r1=<optimized out>) at js/src/vm/JSContext-inl.h:39
#3  js::ContextChecks::check (argIndex=0, r=<optimized out>, this=<optimized out>) at js/src/vm/JSContext-inl.h:53
#4  js::ContextChecks::check (argIndex=0, script=0xc92d3cb0af0, this=<optimized out>) at js/src/vm/JSContext-inl.h:157
#5  JSContext::checkImpl<JSScript*, js::TypeSet::Type> (head=<synthetic pointer>, argIndex=0, this=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:184
#6  JSContext::check<JSScript*, js::TypeSet::Type> (this=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:192
#7  js::TypeScript::SetThis (cx=0x7ffff5f17000, script=script@entry=0xc92d3cb0af0, type=...) at js/src/vm/TypeInference-inl.h:740
#8  0x0000555555b3cf70 in js::CreateThisForFunctionWithProto (cx=<optimized out>, callee=..., newTarget=..., proto=..., proto@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/vm/JSObject.cpp:1157
#9  0x0000555555b3d7ec in js::CreateThisForFunction (cx=<optimized out>, cx@entry=0x7ffff5f17000, callee=callee@entry=..., newTarget=newTarget@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/vm/JSObject.cpp:1215
#10 0x00005555558c9458 in js::CreateThis (thisv=..., newKind=js::GenericObject, newTarget=..., calleeScript=0xc92d3cb0af0, callee=..., cx=0x7ffff5f17000) at js/src/vm/JSObject-inl.h:628
#11 MaybeCreateThisForConstructor (cx=<optimized out>, calleeScript=0xc92d3cb0af0, args=..., createSingleton=<optimized out>) at js/src/vm/Interpreter.cpp:356
#12 0x00005555558db647 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3111
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276

Marking s-s until investigated. This could be shell-only due to the way evalcx is used.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Jan de Mooij
date:        Thu Feb 14 16:26:19 2019 +0000
summary:     Bug 1527843 - Don't take the slow path for cross-realm functions in IonBuilder::createThis. r=anba

This iteration took 510.585 seconds to run.
Flags: needinfo?(jdemooij)

(In reply to Fuzzing Team from comment #1)
> JSBugMon: Bisection requested, result:
> autoBisect shows this is probably related to the following changeset:

The underlying bug here is in SetProto and is from same-compartment realms.

Assignee: nobody → jdemooij
Flags: needinfo?(jdemooij)

I think only FF 67+ is affected in that we enabled same-compartment realms for content globals there. FF 66 has it enabled for chrome code but this likely isn't an issue there.

Pushed this because I don't think it's an actual security bug.

Group: javascript-core-security
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9055198 [details]
Bug 1540944 - Get new group from the correct realm in SetProto. r?luke!

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: same-compartment-realms
  • User impact if declined: Potentially broken websites, weird behavior.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fix is small, well understood, has tests.
  • String changes made/needed: None
Attachment #9055198 - Flags: approval-mozilla-beta?

Comment on attachment 9055198 [details]
Bug 1540944 - Get new group from the correct realm in SetProto. r?luke!

Low risk patch with tests, uplift approved for 67 beta 9, thanks.

Attachment #9055198 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Regressions: 1542130