Closed Bug 1636306 Opened 5 years ago Closed 5 years ago

OOM during delazification can clobber TI groups

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

defect

Tracking


RESOLVED FIXED
mozilla78
Tracking Status
firefox78 --- fixed

People

(Reporter: tcampbell, Assigned: tcampbell)

Details

Attachments

(1 file)

The code in [1] is fired when the parent of a script is first compiled. If we OOM during this, the delazification is unwound but the group remains initialized. This is a design issue and triggers asserts. Unclear if this is a real security issue in practice.

[1] https://searchfox.org/mozilla-central/rev/dc4560dcaafd79375b9411fdbbaaebb0a59a93ac/js/src/frontend/BytecodeEmitter.cpp#5723

oomTest(() => { eval(`
    function getCallee() { return getCallee.caller; }

    // Use trickery to get a reference to a run-once function. We avoid
    // expanding the lazy inner functions in this first invocation.
    let fn = function(x) {
        if (x) {
            // Singletons inside lazy
            let _ = function() {
                function x00() {}
                function x01() {}
                function x02() {}
                function x03() {}
                function x04() {}
                function x05() {}
                function x06() {}
                function x07() {}
                function x08() {}
                function x09() {}
            }();
        }

        return getCallee();
    }(false);

    // Run fn but expand inner-lazy this time. Run in a loop to expand 
    for (var i = 0; i < 2; i += 1) {
        try { fn(true); }
        catch (e) { }
    }
`)});

This triggers the following debug assert:
Assertion failure: !obj->isSingleton(), at /home/tcampbell/projects/gecko.dev/js/src/vm/ObjectGroup-inl.h:108

The function objects never escape to script if their parent failed to delazify. As a result I think this issue is benign. I'll add a check for an existing (non-default) function group to setTypeForScriptedFunction.

Assignee: nobody → tcampbell
Status: NEW → ASSIGNED

These functions with clobbered groups cannot escape to script before the outer delazification completes successfully. The result is that no meaningful info can be lost, so this is just a debug-assert. The patch still makes sense to apply because otherwise this is a big footgun.
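As an added illustration of the failure mode discussed in the two comments above (this is not SpiderMonkey code and none of the names below are the engine's real identifiers; it is a simplified, hypothetical model): delazification assigns a group to each inner function and then performs a fallible allocation. When the allocation fails, the delazification unwinds but the groups already assigned are left in place, so a retry hits functions that already carry a non-default group. In the strict model that is the debug assert; the fix modelled here is the one the bug landed, tolerating an existing non-default group in the setter.

```cpp
// Added example, not SpiderMonkey code: a minimal model of "OOM during
// delazification leaves inner-function groups initialized".
#include <cstddef>
#include <vector>

// Hypothetical: a function object carrying a type group; 0 means "default group".
struct FunctionObj {
    int group = 0;
};

// Hypothetical allocator with a fixed budget, used to simulate OOM.
struct Allocator {
    int budget;
    bool alloc() {
        if (budget <= 0) return false;   // OOM
        --budget;
        return true;
    }
};

// Strict: a pre-existing non-default group is treated as a bug (the debug assert).
// AllowExisting: a pre-existing non-default group is accepted and kept (the fix).
enum class Mode { Strict, AllowExisting };

enum class Outcome { Success, Oom, AssertFired };

// Returns false where the real engine would hit the assertion on an already
// grouped function; true when the group was set or was already acceptable.
bool setTypeForScriptedFunction(FunctionObj& fn, int group, Mode mode) {
    if (fn.group != 0) {
        return mode == Mode::AllowExisting;  // Strict: models the assert firing
    }
    fn.group = group;
    return true;
}

// Models delazifying a parent: group each inner function, then allocate.
// On OOM the work is abandoned, but groups already assigned are NOT undone,
// which is the design issue the bug describes.
Outcome delazify(std::vector<FunctionObj>& inner, Allocator& alloc, Mode mode) {
    for (std::size_t i = 0; i < inner.size(); ++i) {
        if (!setTypeForScriptedFunction(inner[i], 100 + static_cast<int>(i), mode)) {
            return Outcome::AssertFired;
        }
        if (!alloc.alloc()) {
            return Outcome::Oom;  // unwind, leaving inner[0..i] grouped
        }
    }
    return Outcome::Success;
}

// Number of inner functions that keep a non-default group after a failed
// first delazification (the clobbered state the bug report describes).
int partialGroupsAfterOom() {
    std::vector<FunctionObj> inner(10);
    Allocator tight{3};               // constructed: allows only 3 allocations
    delazify(inner, tight, Mode::Strict);
    int grouped = 0;
    for (const FunctionObj& fn : inner) {
        if (fn.group != 0) ++grouped;
    }
    return grouped;                   // 4: groups were set before the 4th alloc failed
}

// First attempt OOMs, second attempt retries with ample memory: the outcome of
// the retry depends on whether an existing group is tolerated.
Outcome runScenario(Mode mode) {
    std::vector<FunctionObj> inner(10);
    Allocator tight{3};
    if (delazify(inner, tight, mode) != Outcome::Oom) return Outcome::AssertFired;
    Allocator ample{100};
    return delazify(inner, ample, mode);
}

int main() {
    // Strict retry trips the assert; the AllowExisting retry completes.
    return (runScenario(Mode::Strict) == Outcome::AssertFired &&
            runScenario(Mode::AllowExisting) == Outcome::Success &&
            partialGroupsAfterOom() == 4) ? 0 : 1;
}
```

The model keeps the original design (no rollback of already assigned groups on the OOM path) and only changes the setter, mirroring the comment's point that the clobbered groups cannot be observed by script before the outer delazification succeeds, so accepting an existing group loses nothing.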

Group: javascript-core-security
Severity: -- → S3
Priority: -- → P2
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1a1f0d1c867d Allow existing group in setTypeForScriptedFunction. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
