Closed Bug 1688622 Opened 5 years ago Closed 5 years ago

Assertion failure: cx->compartment() != untaggedReferent->compartment(), at js/src/debugger/Debugger.cpp:6274

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox87 --- verified

People

(Reporter: decoder, Assigned: sfink)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(2 files)

Testcase
81 bytes, text/plain
Details
Bug 1688622 - createSource should only work for debuggees
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20210124-63534c66d7b8 (debug build, run with --fuzzing-safe --no-threads):

const v5 = Debugger().findAllGlobals();
for (v6 of v5)
  v6.createSource("this");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555571ef942 in js::DebuggerWeakMap<...>) ()
#1  0x00005555571e6c29 in js::Debugger::wrapVariantReferent(JSContext*, JS::Handle<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*> >) ()
#2  0x00005555571efe7e in js::Debugger::wrapSource(JSContext*, JS::Handle<js::ScriptSourceObject*>) ()
#3  0x0000555557264d93 in js::DebuggerObject::CallData::createSource() ()
#4  0x0000555557272aef in bool js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::createSource>(JSContext*, unsigned int, JS::Value*) ()
#5  0x0000555556b973f2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#17 0x0000555556a00a7f in main ()
rax	0x5555557dcfde	93824994889694
rbx	0x7fffffffb688	140737488336520
rcx	0x555557fd5c18	93825036803096
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb620	140737488336416
rsp	0x7fffffffb570	140737488336240
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f998c0	140737353717952
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff6029000	140737320751104
r13	0x7fffffffb850	140737488336976
r14	0x7ffff6029278	140737320751736
r15	0x7ffff6024000	140737320730624
rip	0x5555571ef942 <js::DebuggerWeakMap<js::ScriptSourceObject, js::DebuggerSource, true>::WrapperType* js::Debugger::wrapVariantReferent<js::ScriptSourceObject, js::DebuggerWeakMap<js::ScriptSourceObject, js::DebuggerSource, true> >(JSContext*, js::DebuggerWeakMap<js::ScriptSourceObject, js::DebuggerSource, true>&, JS::Handle<js::DebuggerWeakMap<js::ScriptSourceObject, js::DebuggerSource, true>::WrapperType::ReferentVariant>)+1026>
=> 0x5555571ef942 <_ZN2js8Debugger19wrapVariantReferentINS_18ScriptSourceObjectENS_15DebuggerWeakMapIS2_NS_14DebuggerSourceELb1EEEEEPNT0_11WrapperTypeEP9JSContextRS6_N2JS6HandleINS6_11WrapperType15ReferentVariantEEE+1026>:	movl   $0x1882,0x0
   0x5555571ef94d <_ZN2js8Debugger19wrapVariantReferentINS_18ScriptSourceObjectENS_15DebuggerWeakMapIS2_NS_14DebuggerSourceELb1EEEEEPNT0_11WrapperTypeEP9JSContextRS6_N2JS6HandleINS6_11WrapperType15ReferentVariantEEE+1037>:	callq  0x555556a8ce80 <abort>

This is a fuzzblocker for fuzzilli.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210125154208-130c2c4e36d6.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: c0fa6d007c58437398cc06a97d221c42d41dcf9e (20200127093737)
End: 63534c66d7b813bf04d9753d942f59984c05b8a9 (20210124215058)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

I think the assertion is right and createSource should be throwing an Error before we get this far.

A debugger shouldn't try to inject code into the Debugger's realm, only debuggee realms.

Steve, would you mind fixing this? For example Debugger code that throws, see CheckArgCompartment. (We already have code that prevents debugger-compartment Frames from being reflected, but we only ignore them; we never have to throw.)

Flags: needinfo?(sphink)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Flags: needinfo?(sphink)
Severity: -- → S3
Priority: -- → P2
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4c36b4b60239 createSource should only work for debuggees r=jorendorff

https://hg.mozilla.org/mozilla-central/rev/4c36b4b60239

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox87: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210212040715-1941f4130b28.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox87: fixedverified
Keywords: bugmon

:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(sphink)

Sorry, bug in the bot.

Flags: needinfo?(sphink)
Duplicate of this bug: 1675953
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: