Closed Bug 1701899 Opened 3 years ago Closed 3 years ago

Assertion failure: propShape.writable(), at vm/PlainObject.cpp:76

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 + verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210328-058997a8167d (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

Object.freeze(Object.prototype);          // every property on the prototype is now non-writable
function Foo() {
  Object.defineProperty(this, "a", this); // the new object itself serves as the (field-less) descriptor, so "a" is defined non-writable
}
var o2 = new Foo();
var target = {};                          // plain object whose prototype is the frozen Object.prototype
Object.assign(target, o2);                // takes the Object.assign fast path and trips the assertion in the debug build

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556f073e6 in js::PlainObject::assertHasNoNonWritableOrAccessorPropExclProto() const ()
#1  0x0000555556c417b9 in JS_AssignObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#2  0x0000555556c5c711 in obj_assign(JSContext*, unsigned int, JS::Value*) ()
#3  0x0000555556b89e61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4  0x0000555556b895a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x0000555556b8a9c1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#6  0x0000555556b7e24d in Interpret(JSContext*, js::RunState&) ()
#7  0x0000555556b750d1 in js::RunScript(JSContext*, js::RunState&) ()
#8  0x0000555556b8c0be in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#9  0x0000555556b8c5f4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556d39c9d in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#11 0x0000555556d39e9e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#12 0x0000555556a5925c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#13 0x0000555556a58832 in Process(JSContext*, char const*, bool, FileKind) ()
#14 0x0000555556a014b6 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#15 0x00005555569f8d81 in main ()
rax	0x555555778c6c	93824994479212
rbx	0x3160b39292c0	54291399348928
rcx	0x555558001f18	93825036984088
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffba10	140737488337424
rsp	0x7fffffffb9d0	140737488337360
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x0	0
r13	0x3160b399c550	54291399820624
r14	0x7fffffffb9d8	140737488337368
r15	0x3160b392afc0	54291399356352
rip	0x555556f073e6 <js::PlainObject::assertHasNoNonWritableOrAccessorPropExclProto() const+534>
=> 0x555556f073e6 <_ZNK2js11PlainObject45assertHasNoNonWritableOrAccessorPropExclProtoEv+534>:	movl   $0x4c,0x0
   0x555556f073f1 <_ZNK2js11PlainObject45assertHasNoNonWritableOrAccessorPropExclProtoEv+545>:	callq  0x555556a8321f <abort>

Marking s-s until investigated.

Attached file Testcase
Flags: needinfo?(jdemooij)

When freezing objects, we use a fast path where we didn't set the
HasNonWritableOrAccessorPropExclProto flag.

With the planned shape changes, we will hopefully be able to change this so that
we use a shared code path so that this kind of issue can't happen.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

The bug lets you shadow (not mutate) a non-writable property when a prototype object is frozen (this has to throw an exception instead), via Object.assign.

I'm pretty sure this isn't security-sensitive, but I don't know if this affects sandboxes implemented in JS, so I'll just mark it sec-low.

Severity: -- → N/A
Flags: needinfo?(jdemooij)
Keywords: sec-low
Priority: -- → P1
Regressed by: 1696178
Has Regression Range: --- → yes
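The behaviour described in the comment above, written out as a runnable check. This is an added example, not code from the bug report or from SpiderMonkey: it exercises the specification-mandated behaviour that the bug violates (Object.assign goes through [[Set]], and [[Set]] must fail with a TypeError when the target inherits a non-writable property of the same name) and contrasts it with Object.defineProperty, which is allowed to shadow. It uses a freshly created frozen prototype instead of freezing Object.prototype as the fuzzer testcase does, so it can run without disturbing the host; whether a fresh frozen object hits the same freeze fast path is not stated on the page, so treat the functions as a conformance check rather than a reproducer.

```javascript
// Added example (not from the bug report): conformance check for
// Object.assign against a target that inherits a read-only property.

// Builds a target whose prototype is a frozen object carrying property "a".
function makeFrozenProtoTarget() {
  const proto = Object.freeze({ a: 1 }); // after freeze, "a" is non-writable
  return Object.create(proto);            // target inherits the read-only "a"
}

// Correct engine: Object.assign throws TypeError and leaves no own "a" on
// the target. Returns true for correct behaviour, false if "a" was shadowed.
function assignRejectsShadowing() {
  const target = makeFrozenProtoTarget();
  try {
    Object.assign(target, { a: 2 });     // enumerable own "a" on the source
  } catch (e) {
    return e instanceof TypeError &&
           !Object.prototype.hasOwnProperty.call(target, "a") &&
           target.a === 1;
  }
  return false;                          // assign silently succeeded: the bug
}

// Plain strict-mode assignment uses the same [[Set]] path and must throw as
// well; if this passes while the check above fails, the defect is confined
// to the Object.assign fast path rather than being a general [[Set]] problem.
function strictAssignmentRejectsShadowing() {
  "use strict";
  const target = makeFrozenProtoTarget();
  try {
    target.a = 2;
  } catch (e) {
    return e instanceof TypeError && target.a === 1;
  }
  return false;
}

// Contrast: [[DefineOwnProperty]] is not blocked by an inherited read-only
// property, so an explicit definition may legitimately create a shadowing own
// property. The frozen prototype itself is never changed in either case,
// which is why the comment speaks of "shadow (not mutate)".
function definePropertyMayShadow() {
  const target = makeFrozenProtoTarget();
  Object.defineProperty(target, "a", {
    value: 2, writable: true, enumerable: true, configurable: true,
  });
  return target.a === 2 && Object.getPrototypeOf(target).a === 1;
}
```

On a conforming engine all three functions return true; on a build with this bug, assignRejectsShadowing() returns false because Object.assign installs an own "a" on the target instead of throwing.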

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210330035059-52d2c9e672d0.
The bug appears to have been introduced in the following build range:

Start: 6b83fb4ef43ec7b9ec8a8a30aae66dbccc14b4bd (20210323124037)
End: ecf43b0add7373185d91e04d2aeadb809ed0c2c5 (20210323124640)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6b83fb4ef43ec7b9ec8a8a30aae66dbccc14b4bd&tochange=ecf43b0add7373185d91e04d2aeadb809ed0c2c5

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210403093157-90e761348ff5.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Group: core-security-release