Closed Bug 1656744 Opened 6 months ago Closed 6 months ago

Assertion failure: !obj->containsDenseElement(index), at vm/Iteration.cpp:1547

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- unaffected
firefox80 --- unaffected
firefox81 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200731-161920b70ae4 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

Object.prototype[1] = 'x';   // inherited indexed property: enumerable, but not an own property of arr
Array.prototype[2] = 'x';    // a second inherited indexed property, further down the chain
var arr = [];                // no own elements when the for-in iterator is created
for (var p24 in arr) {       // the iterator's key set holds the inherited keys "1" and "2"
    arr[0] = 0;
    arr[1] = 1;              // "1" is now an own dense element and is also in the iterator
    arr.reverse();           // array_reverse calls AssertDenseElementsNotIterated (see backtrace)
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555c1c68a in js::AssertDenseElementsNotIterated(js::NativeObject*) ()
#1  0x00005555559b0b68 in array_reverse(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555555944c32 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3  0x0000555555944509 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4  0x0000555555945b9c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#5  0x0000555555938fa9 in Interpret(JSContext*, js::RunState&) ()
[...]
#14 0x00005555557bcb40 in main ()
rax	0x555557075851	93825020680273
rbx	0x0	0
rcx	0x5555583e8840	93825041074240
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb9c0	140737488337344
rsp	0x7fffffffb980	140737488337280
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x1f4675f004f8	34387486835960
r13	0x7ffff4e1fb50	140737301838672
r14	0x7ffff4e1fb98	140737301838744
r15	0x7ffff4602a40	140737293331008
rip	0x555555c1c68a <js::AssertDenseElementsNotIterated(js::NativeObject*)+394>
=> 0x555555c1c68a <_ZN2js30AssertDenseElementsNotIteratedEPNS_12NativeObjectE+394>:	movl   $0x60b,0x0
   0x555555c1c695 <_ZN2js30AssertDenseElementsNotIteratedEPNS_12NativeObjectE+405>:	callq  0x55555584b3de <abort>

Marking s-s until triaged because this assertion can indicate potential security problems.

Attached file Testcase

This is a debug assertion I added in bug 1655451, but this looks like a false positive. Also, if it was a real bug it would only affect correctness, not security.

I'm not sure what the best fix is. Maybe when we create the iterator we can set a debug-only flag on it if the prototype chain only contains native objects without indexed properties, and then we can check for that in AssertDenseElementsNotIterated.

Group: javascript-core-security
Flags: needinfo?(jdemooij)

The assertion wasn't valid when the iterator contains indexed properties that weren't own properties.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
The bug appears to have been introduced in the following build range:
> Start: 5dbeac5c0741625ea8e746af8177bfbc6a80d722 (20200728055326)
> End: a1058ad7648b1ec0734960fe060e94adcc587ed8 (20200728064548)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5dbeac5c0741625ea8e746af8177bfbc6a80d722&tochange=a1058ad7648b1ec0734960fe060e94adcc587ed8
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8128c2f6acb6
Fix AssertDenseElementsNotIterated to check for indexed properties from the prototype chain. r=anba
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
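The two comments above and the commit message describe the mechanism in a few sentences: the for-in iterator over an empty array can hold index keys that come from the prototype chain rather than from the array itself, so once the loop body adds own elements, the check `!obj->containsDenseElement(index)` trips on a key that was never an own dense element. The following is an added JavaScript-level model of that, not the bug's testcase and not SpiderMonkey code. It replays the testcase on a private prototype object instead of polluting Object.prototype and Array.prototype, approximates "dense element" as "own property with a canonical array-index key", and models the fix as "skip the check when any object on the prototype chain has an index-keyed property", which is an assumption based on the commit message rather than the actual C++ change. Function names are made up for the example.

```javascript
// Added example (model of bug 1656744, not engine code). Assumptions:
//   - "dense element" ~ own property whose key is a canonical array index;
//   - the fix ~ skip the check when the prototype chain has any index key
//     (assumed from the commit message; the real C++ is not on this page).

// True for canonical array-index keys ("0", "1", ...), false for "01", "-1", "x".
function isIndexKey(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 0xffffffff && String(n) === key;
}

// The keys a for-in over obj would visit right now, in enumeration order.
// This stands in for the key set the engine's iterator snapshots at loop start.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Does any object on obj's prototype chain carry an index-keyed own property?
function protoChainHasIndexedProperties(obj) {
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.getOwnPropertyNames(p).some(isIndexKey)) return true;
  }
  return false;
}

// The check as it was before the fix: no index key held by an active iterator
// over obj may currently be an own element of obj. Returns true when the
// assertion holds and false when it would trip.
function assertDenseElementsNotIteratedOld(obj, iteratorKeys) {
  return !iteratorKeys.some(
    (k) => isIndexKey(k) && Object.prototype.hasOwnProperty.call(obj, k));
}

// Modelled fix: inherited index keys are legitimately in the iterator, so the
// check is skipped whenever the prototype chain contributes any.
function assertDenseElementsNotIteratedFixed(obj, iteratorKeys) {
  if (protoChainHasIndexedProperties(obj)) return true;
  return assertDenseElementsNotIteratedOld(obj, iteratorKeys);
}

// Replay the testcase on a private prototype (constructed stand-in for the
// polluted Object.prototype / Array.prototype) and evaluate both checks at the
// point where array_reverse would call AssertDenseElementsNotIterated.
function runTestcaseModel() {
  const indexedProto = Object.create(Array.prototype);
  indexedProto[1] = 'x';
  indexedProto[2] = 'x';
  const arr = [];
  Object.setPrototypeOf(arr, indexedProto);

  const ownKeysAtStart = Object.keys(arr);  // [] : nothing own when the loop starts
  const snapshot = forInKeys(arr);          // ["1", "2"] : both inherited
  const visited = [];
  const checks = [];
  for (const p in arr) {
    visited.push(p);
    arr[0] = 0;
    arr[1] = 1;  // "1" is now own, and the iterator still holds "1"
    checks.push({
      key: p,
      oldAssertionHolds: assertDenseElementsNotIteratedOld(arr, snapshot),
      fixedAssertionHolds: assertDenseElementsNotIteratedFixed(arr, snapshot),
    });
    arr.reverse();
  }
  return { ownKeysAtStart, snapshot, visited, checks };
}

// Control: the same mutations without inherited index keys. The iterator
// snapshot is empty, so neither version of the check has anything to trip on.
function runControl() {
  const arr = [];
  const snapshot = forInKeys(arr);
  arr[0] = 0;
  arr[1] = 1;
  arr.reverse();
  return {
    snapshot,
    oldAssertionHolds: assertDenseElementsNotIteratedOld(arr, snapshot),
    fixedAssertionHolds: assertDenseElementsNotIteratedFixed(arr, snapshot),
  };
}
```

Running `runTestcaseModel()` on any ES2015+ engine shows the shape of the false positive: the snapshot is `["1","2"]` while the array has no own keys, and on every iteration the old check reports a trip while the modelled fix holds. The control shows the difference is entirely due to the inherited index keys. The model says nothing about which iterators the real engine consults or how it represents dense elements; it only reproduces the key-set reasoning in the comments above.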
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200805164948-adeb132163c9.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.