Closed Bug 1610189 Opened 6 years ago Closed 5 years ago

Assertion failure: maybeCCWRealm() == group->realm(), at js/src/vm/JSObject-inl.h:150

Categories: Core :: JavaScript Engine, defect, P1
Platform: x86_64 Linux

Tracking: RESOLVED FIXED, target milestone mozilla74
Tracking Status:
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People: Reporter: decoder, Assigned: jandem

Details: 5 keywords, Whiteboard: [jsbugmon:update,bisect]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 20200107-e728bf01a2b6 (build with (buildFlags not available), run with --fuzzing-safe --no-threads):

var other = newGlobal();
var newTarget = new other.Function();
newTarget.prototype = undefined;
arr = Reflect.construct(Array, [], newTarget);
function newArrayWithGetter() {
  return arr;
}
var a60 = newArrayWithGetter();
var s22 = a60.slice(1);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555558fff92 in JSObject::setGroup(js::ObjectGroup*) ()
#1  0x000055555593f7f9 in js::ArrayObject* NewArrayTryUseGroup<4294967295u>(JSContext*, JS::Handle<js::ObjectGroup*>, unsigned long, js::NewObjectKind) ()
#2  0x000055555593ffb7 in js::NewFullyAllocatedArrayTryReuseGroup(JSContext*, JS::Handle<JSObject*>, unsigned long, js::NewObjectKind) ()
#3  0x000055555595df46 in CopyDenseArrayElements(JSContext*, JS::Handle<js::NativeObject*>, unsigned int, unsigned int) ()
#4  0x0000555555938543 in js::array_slice(JSContext*, unsigned int, JS::Value*) ()
#5  0x00005555558f07b2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#16 0x0000555555772d8a in main ()
rax	0x555556e7232f	93825018569519
rbx	0x1ad209300a40	29489399597632
rcx	0x555557f1d838	93825036048440
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffb7e0	140737488336864
rsp	0x7fffffffb7d0	140737488336848
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f98d00	140737353714944
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7fffffffb870	140737488337008
r13	0x7fffffffb800	140737488336896
r14	0xd7a95eab250	14820152357456
r15	0x7ffff5e27000	140737318645760
rip	0x5555558fff92 <JSObject::setGroup(js::ObjectGroup*)+242>
=> 0x5555558fff92 <_ZN8JSObject8setGroupEPN2js11ObjectGroupE+242>:	movl   $0x96,0x0
   0x5555558fff9d <_ZN8JSObject8setGroupEPN2js11ObjectGroupE+253>:	callq  0x5555557f7fc2 <abort>

Marking s-s until investigated because I don't know the implications of this cross-compartment assert.

Flags: needinfo?(jdemooij)

Simpler test:

var newTarget = newGlobal().Function();
newTarget.prototype = undefined;
Reflect.construct(Array, [], newTarget).slice();
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

This probably isn't security-sensitive - in some edge cases array.slice() can return an object in the array's realm instead of slice's realm.

Flags: needinfo?(jdemooij)
Priority: -- → P1
Group: javascript-core-security
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/850f113c0870 Don't reuse ObjectGroups of cross-realm arrays. r=anba
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74