Closed Bug 1542130 Opened 8 months ago Closed 8 months ago

Assertion failure: maybeCCWRealm() == group->realm(), at js/src/vm/JSObject-inl.h:133

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision bdaf1b36c442 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

// SpiderMonkey shell testcase: newGlobal, evaluate and clone are shell-only
// helpers, so this does not run in a browser or in Node.
var g = newGlobal();                  // second global, i.e. a different realm
evaluate(`
    function h() {
      function f() {
        'use asm';                    // f is an asm.js module function
        function g() {
        }
        return g
      }
    }
    `, { global: g });                // compile h (and f) in g's realm
var h = clone(g.h);                   // clone h's script into the main realm
// The assertion fires while h() runs, when it creates the lambda for f
// (js::Lambda -> CloneAsmJSModuleFunction -> JSObject::setGroup).
h()(async function() {}.length, 0)()

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JSObject::setGroup (this=0x37399bc009b8, group=0x166195089c70) at js/src/vm/JSObject-inl.h:133
#1  0x0000555555b38200 in js::CloneAsmJSModuleFunction (cx=cx@entry=0x7ffff5f19000, fun=fun@entry=...) at js/src/vm/JSFunction.cpp:2339
#2  0x00005555558d13f0 in js::Lambda (cx=0x7ffff5f19000, fun=..., parent=...) at js/src/vm/Interpreter.cpp:4499
#3  0x00005555558d787d in Interpret (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:3582
[...]
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11288
rax	0x555557c3d300	93825033032448
rbx	0x166195089c70	24608368008304
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x555556b27bd8	93825015118808
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc7b0	140737488340912
rsp	0x7fffffffc7a0	140737488340896
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x37399bc009b8	60720565717432
r13	0x555557ba36e0	93825032402656
r14	0x7fffffffccb0	140737488342192
r15	0x7fffffffcd00	140737488342272
rip	0x5555558ea589 <JSObject::setGroup(js::ObjectGroup*)+249>
=> 0x5555558ea589 <JSObject::setGroup(js::ObjectGroup*)+249>:	movl   $0x0,0x0
   0x5555558ea594 <JSObject::setGroup(js::ObjectGroup*)+260>:	ud2

Marking s-s until investigated because this assert is about Realms/CCW.

I added this assertion a few days ago.

Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a3b68989fb59
user:        Jan de Mooij
date:        Tue Apr 02 19:41:07 2019 +0000
summary:     Bug 1540944 - Get new group from the correct realm in SetProto. r=luke

This iteration took 526.865 seconds to run.

I don't think this is s-s. Cross-realm script cloning is not something content does and even if it happened you'd get an asm.js module with a different realm but things should still "work".

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4ff589e86c0a
Fix asm.js check in PrivateScriptData::Clone to check for realms instead of compartments. r=luke
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite+
Regressed by: 1540944
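Added illustration of the point made in the comments and the fix summary above, not SpiderMonkey code: a toy C++ model of why comparing compartments is the wrong test for the per-realm group invariant that JSObject::setGroup asserts, once a compartment can hold more than one realm. Realm, Compartment, ObjectGroup, Obj, cloneInto and the two predicates are invented names; the real logic of PrivateScriptData::Clone and CloneAsmJSModuleFunction is not reproduced, only the compartment-vs-realm distinction.

```cpp
// Added toy model (not SpiderMonkey code). All types and functions here are
// invented for illustration; only the compartment-vs-realm distinction is real.
#include <memory>
#include <stdexcept>
#include <vector>

struct Realm;

struct ObjectGroup {
    Realm* realm;              // a group belongs to exactly one realm
};

struct Compartment;

struct Realm {
    Compartment* compartment;  // a realm lives in exactly one compartment
    std::vector<std::unique_ptr<ObjectGroup>> groups;
    explicit Realm(Compartment* c) : compartment(c) {}
    ObjectGroup* newGroup() {
        groups.push_back(std::make_unique<ObjectGroup>(ObjectGroup{this}));
        return groups.back().get();
    }
};

// Since realms were split from compartments, one compartment may hold several
// realms. That is the configuration a compartment-based check gets wrong.
struct Compartment {
    std::vector<std::unique_ptr<Realm>> realms;
    Realm* newRealm() {
        realms.push_back(std::make_unique<Realm>(this));
        return realms.back().get();
    }
};

struct Obj {
    Realm* realm;              // realm the object was allocated in
    ObjectGroup* group;
    // Stand-in for the assertion from the report,
    // "maybeCCWRealm() == group->realm()" in JSObject::setGroup.
    void setGroup(ObjectGroup* g) {
        if (g->realm != realm) throw std::logic_error("group realm mismatch");
        group = g;
    }
};

// Buggy predicate: "same compartment" used as a proxy for "same realm".
bool sameCompartment(const Obj& src, const Realm* target) {
    return src.realm->compartment == target->compartment;
}

// Fixed predicate: only a target in the very same realm may share the group.
bool sameRealm(const Obj& src, const Realm* target) {
    return src.realm == target;
}

// Clone src into target. When the predicate says the group may be reused, the
// clone keeps src's group; otherwise a group is allocated in the target realm.
Obj cloneInto(const Obj& src, Realm* target, bool checkRealm) {
    bool reuse = checkRealm ? sameRealm(src, target) : sameCompartment(src, target);
    Obj clone{target, nullptr};
    clone.setGroup(reuse ? src.group : target->newGroup());
    return clone;
}

// The shape of this bug: source and target are different realms of one
// compartment. Returns true if cloning trips the setGroup assertion.
bool cloneTripsAssertion(bool checkRealm) {
    Compartment comp;
    Realm* r1 = comp.newRealm();
    Realm* r2 = comp.newRealm();          // sibling realm, same compartment
    Obj src{r1, r1->newGroup()};
    try {
        Obj c = cloneInto(src, r2, checkRealm);
        return c.group->realm != c.realm; // false once setGroup has passed
    } catch (const std::logic_error&) {
        return true;
    }
}

// Same-realm clone: both predicates agree and the group is shared.
bool sameRealmCloneSharesGroup() {
    Compartment comp;
    Realm* r1 = comp.newRealm();
    Obj src{r1, r1->newGroup()};
    return cloneInto(src, r1, true).group == src.group &&
           cloneInto(src, r1, false).group == src.group;
}
```

With the compartment predicate, cloneTripsAssertion(false) reaches setGroup with a group from the sibling realm and throws, which is the toy equivalent of the debug assertion in the report; with the realm predicate the clone gets a group allocated in its own realm and the invariant holds.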