Closed Bug 1559974 Opened 6 years ago Closed 6 years ago

Differential Testing: Different output message involving nukeAllCCWs

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
major

Tracking


RESOLVED INVALID
Tracking Status
firefox69 --- affected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: testcase)

gczeal(2);
with({}) {};
evalcx("");
for (let i = 0; i < 999; i++) {};
nukeAllCCWs();
x = newGlobal({
    newCompartment: true
});
try {
    print(x);
} catch (e) { print(e); }
$ ./js-dbg-64-dm-linux-x86_64-9b4c8fb46d85 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
[object global]
$ ./js-dbg-64-dm-linux-x86_64-9b4c8fb46d85 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
TypeError: can't access dead object

Tested this on m-c rev 9b4c8fb46d85.

My configure flags are:

AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift

python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic" -r 9b4c8fb46d85

Setting s-s as a start as I don't know how bad bugs involving nukeAllCCWs are.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ec84030fb70
user: Jan de Mooij
date: Tue Jan 15 20:03:43 2019 +0000
summary: Bug 1520093 - Make evalcx work with same-compartment realms. r=jorendorff

Jan, is bug 1520093 a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1520093

Wrapper nuking is GC sensitive because of the NukedAllRealms behavior. This testcase stops throwing if you remove the gc() call:

newGlobal();
gc();
nukeAllCCWs();
print(newGlobal({newCompartment: true}));

That's okay because wrapper nuking is not exposed to the web in an observable way.

Gary, maybe you can delete the nukeAllCCWs function in your differential testing harness, or else we can make it print to stderr so you can ignore those runs.

Group: javascript-core-security
Flags: needinfo?(jdemooij)
No longer regressed by: 1520093
Component: JavaScript Engine: JIT → JavaScript Engine

(In reply to Jan de Mooij [:jandem] from comment #2)

> Gary, maybe you can delete the nukeAllCCWs function in your differential testing harness

I've stopped it from being tested here in:

https://github.com/MozillaSecurity/funfuzz/commit/c482c8137d529da72297113f5ff819f15b3a4c66

I'll let you know if other changes are needed. Thanks for looking at this!

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
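An added example, not funfuzz's or SpiderMonkey's own code, showing the kind of filter Jan suggests and Gary applied: a differential-testing result classifier that treats an output mismatch as ignorable when the testcase calls nukeAllCCWs, or when a run's stderr carries a marker for it, rather than reporting it as a JIT bug. The ShellRun record, the function names and the stderr marker text are assumptions.

```python
import re
from dataclasses import dataclass

# Shell-only testing functions whose result depends on GC timing rather
# than on JIT correctness; nukeAllCCWs is the one named in this bug.
GC_SENSITIVE_FUNCTIONS = ("nukeAllCCWs",)
# Hypothetical stderr marker for the "print to stderr" option from
# comment 2; the exact text is an assumption, not a real shell message.
IGNORE_MARKER = "nukeAllCCWs: wrappers nuked"


@dataclass
class ShellRun:
    """One execution of testcase.js under a given set of shell flags."""
    flags: str
    stdout: str
    stderr: str
    exit_code: int


def gc_sensitive_calls(testcase_source):
    """Return the GC-sensitive shell functions the testcase calls."""
    return [name for name in GC_SENSITIVE_FUNCTIONS
            if re.search(r"\b%s\s*\(" % re.escape(name), testcase_source)]


def classify(testcase_source, run_a, run_b):
    """'match', 'ignored' (GC-sensitive, not a JIT bug) or 'mismatch'."""
    if run_a.stdout == run_b.stdout and run_a.exit_code == run_b.exit_code:
        return "match"
    if gc_sensitive_calls(testcase_source):
        return "ignored"
    if IGNORE_MARKER in run_a.stderr or IGNORE_MARKER in run_b.stderr:
        return "ignored"
    return "mismatch"


# Constructed sample input: the testcase and the two outputs from this bug.
TESTCASE = """gczeal(2);
with({}) {};
evalcx("");
for (let i = 0; i < 999; i++) {};
nukeAllCCWs();
x = newGlobal({ newCompartment: true });
try { print(x); } catch (e) { print(e); }
"""
RUN_BASELINE = ShellRun("--baseline-eager --no-ion", "[object global]\n", "", 0)
RUN_INTERP = ShellRun("--no-baseline --no-ion",
                      "TypeError: can't access dead object\n", "", 0)

if __name__ == "__main__":
    print(classify(TESTCASE, RUN_BASELINE, RUN_INTERP))  # ignored
```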