Assertion failure: propShape.writable(), at vm/PlainObject.cpp:76
Categories: Core :: JavaScript Engine, defect, P1

Tracking:

| Version | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | + | verified |

People: Reporter: decoder, Assigned: jandem
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20210328-058997a8167d (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
```js
// Freeze the prototype that every plain object, including `target`, inherits from.
Object.freeze(Object.prototype);
function Foo() {
  // `this` doubles as the descriptor, so "a" becomes a non-writable, non-configurable data property.
  Object.defineProperty(this, "a", this);
}
var o2 = new Foo();
var target = {};
// Object.assign onto a plain object with a frozen Object.prototype hits the assertion.
Object.assign(target, o2);
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556f073e6 in js::PlainObject::assertHasNoNonWritableOrAccessorPropExclProto() const ()
#1 0x0000555556c417b9 in JS_AssignObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#2 0x0000555556c5c711 in obj_assign(JSContext*, unsigned int, JS::Value*) ()
#3 0x0000555556b89e61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4 0x0000555556b895a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5 0x0000555556b8a9c1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#6 0x0000555556b7e24d in Interpret(JSContext*, js::RunState&) ()
#7 0x0000555556b750d1 in js::RunScript(JSContext*, js::RunState&) ()
#8 0x0000555556b8c0be in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#9 0x0000555556b8c5f4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556d39c9d in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#11 0x0000555556d39e9e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#12 0x0000555556a5925c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#13 0x0000555556a58832 in Process(JSContext*, char const*, bool, FileKind) ()
#14 0x0000555556a014b6 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#15 0x00005555569f8d81 in main ()
```
```
rip 0x555556f073e6 <js::PlainObject::assertHasNoNonWritableOrAccessorPropExclProto() const+534>
=> 0x555556f073e6 <_ZNK2js11PlainObject45assertHasNoNonWritableOrAccessorPropExclProtoEv+534>: movl $0x4c,0x0
   0x555556f073f1 <_ZNK2js11PlainObject45assertHasNoNonWritableOrAccessorPropExclProtoEv+545>: callq 0x555556a8321f <abort>
```
Marking s-s until investigated.
Comment 2 (Assignee) • 3 years ago
When freezing objects, we use a fast path where we didn't set the HasNonWritableOrAccessorPropExclProto flag.

With the planned shape changes, we will hopefully be able to change this so that we use a shared code path so that this kind of issue can't happen.
Comment 3 (Assignee) • 3 years ago
The bug lets you shadow (not mutate) a non-writable property when a prototype object is frozen (this has to throw an exception instead), via Object.assign.
I'm pretty sure this isn't security-sensitive, but I don't know if this affects sandboxes implemented in JS, so I'll just mark it sec-low.
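The [[Set]] semantics that comment 3 says Object.assign violated, as an added example that is not part of the bug report or of SpiderMonkey: a prototype-chain check for what blocks an ordinary assignment, and the outcome a conforming engine produces. It assumes Node.js and uses a separately constructed frozen prototype rather than freezing Object.prototype.

```javascript
// Added example, not code from the bug report. Uses a constructed frozen prototype
// instead of freezing Object.prototype so it runs in a normal Node.js process.

// Walk the prototype chain and report the first property that blocks an ordinary
// [[Set]] of `key`: a non-writable data property or an accessor with no setter.
// Returns null when the assignment may create or update an own property.
function findBlockingProperty(obj, key) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, key);
    if (d === undefined) continue;
    if ("value" in d) {
      return d.writable ? null : { owner: o, reason: "non-writable" };
    }
    return typeof d.set === "function" ? null : { owner: o, reason: "no-setter" };
  }
  return null;
}

// Run Object.assign and record what a conforming engine does. Object.assign calls
// Set(target, key, value, true), so a blocked assignment must raise a TypeError and
// leave no own property behind; the shadowing described in comment 3 is the failure.
function assignOutcome(target, source, key) {
  let threw = null;
  try {
    Object.assign(target, source);
  } catch (e) {
    threw = e.constructor.name;
  }
  return { threw, shadowed: Object.prototype.hasOwnProperty.call(target, key) };
}

// Shadowing through [[DefineOwnProperty]] is legitimate: defineProperty never consults
// the prototype chain, so a frozen prototype constrains only the [[Set]] path.
function defineShadow(target, key, value) {
  Object.defineProperty(target, key, { value, writable: true, enumerable: true, configurable: true });
  return Object.prototype.hasOwnProperty.call(target, key) && target[key] === value;
}

// Constructed scenario mirroring the report: a frozen prototype holding data property "a".
const frozenProto = Object.freeze({ a: 1 });
const child = Object.create(frozenProto);
const blocked = findBlockingProperty(child, "a");   // { owner: frozenProto, reason: "non-writable" }
const outcome = assignOutcome(child, { a: 2 }, "a"); // { threw: "TypeError", shadowed: false }
```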
Comment 4 • 3 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210330035059-52d2c9e672d0.
The bug appears to have been introduced in the following build range:
Start: 6b83fb4ef43ec7b9ec8a8a30aae66dbccc14b4bd (20210323124037)
End: ecf43b0add7373185d91e04d2aeadb809ed0c2c5 (20210323124640)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6b83fb4ef43ec7b9ec8a8a30aae66dbccc14b4bd&tochange=ecf43b0add7373185d91e04d2aeadb809ed0c2c5
Comment 7 • 3 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210403093157-90e761348ff5.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.