Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode, at js/src/vm/Interpreter.cpp:394
Component: Core :: JavaScript Engine (defect, P1)
Reporter: decoder; Assigned: jandem
Details: 4 keywords, Whiteboard: [jsbugmon:ignore][post-critsmash-triage][adv-main74-]
Attachments: 1 file
The following testcase crashes on mozilla-central revision 9f55d547e196+ (apply the debug instrumentation patch from bug 1607443, build with --enable-gczeal --enable-optimize --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-full-warmup-threshold=0 --baseline-eager):
let lfMod = parseModule("import.meta()");
lfMod.declarationInstantiation();
lfMod.evaluation();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::RunScript (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:393
#1 0x0000555556bc6e91 in js::InternalCallOrConstruct (cx=0x7ffff5f27000, args=..., construct=js::NO_CONSTRUCT, reason=(unknown: -168770560)) at js/src/vm/Interpreter.cpp:583
#2 0x0000555556bc7b50 in js::Call (cx=0x7ffff6eea540 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:628
#3 0x0000555556ce457b in JS_CallFunctionValue (cx=0x7ffff5f27000, obj=..., fval=..., args=..., rval=...) at js/src/jsapi.cpp:2706
#4 0x0000555556adc11f in CallModuleMetadataHook (cx=0x7ffff5f27000, modulePrivate=..., metaObject=...) at js/src/shell/js.cpp:4952
#5 0x0000555556c7fe47 in js::GetOrCreateModuleMetaObject (cx=0x7ffff5f27000, moduleArg=...) at js/src/builtin/ModuleObject.cpp:1696
#6 0x000035d7b4417b45 in ?? ()
#7 0x0000000000000000 in ?? ()
rip 0x555556bb1c07 <js::RunScript(JSContext*, js::RunState&)+919>
=> 0x555556bb1c07 <js::RunScript(JSContext*, js::RunState&)+919>: movl $0x18a,0x0
0x555556bb1c12 <js::RunScript(JSContext*, js::RunState&)+930>: callq 0x555556b48be0 <abort()>
Comment 1 (Assignee) • 4 years ago
We should remove this line: https://searchfox.org/mozilla-central/rev/a92ed79b0bc746159fc31af1586adbfa9e45e264/js/src/jit/MIR.h#6779
The module metadata hook is not content controlled AFAIK. That makes this less severe I think.
Comment 3 (Assignee) • 4 years ago
I looked into this a bit more. The JS-implemented hook is indeed shell-specific. In the browser, js::GetOrCreateModuleMetaObject creates the metadata object and calls the C++ hook where we define the "url" property on that object. We don't modify existing objects other than the module's reserved slot, so it should be safe. I'll land this.
Comment 6 • 4 years ago
Changing to sec-other based on comment 3. Thanks for the writeup, Jan.
Comment 7 • 4 years ago
Sounds like this can just ride the trains if it's shell-only.