Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:347
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220801-4cf66fe9deb6 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
// Install a (no-op) Watchtower callback; this is a shell-only testing hook.
setWatchtowerCallback(function(kind, object, extra) {});
function f60() {
  o48 = function() { return true; };
  // Register o48 so that shape changes on it invoke the callback.
  addWatchtowerTarget(o48);
  x = o48;
  // `new x` resolves x.prototype and adds a property on the watched object;
  // the callback then runs JS while JIT code is on the stack (see backtrace).
  Object.seal(new x);
  f60();
}
new f60;
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556d2562c in js::RunScript(JSContext*, js::RunState&) ()
#1 0x0000555556d380dd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#2 0x0000555556d39913 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#3 0x0000555556e44825 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#4 0x00005555571afb1c in InvokeWatchtowerCallback(JSContext*, char const*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) ()
#5 0x00005555571af3db in js::Watchtower::watchPropertyAddSlow(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>) ()
#6 0x0000555557099076 in js::NativeObject::addProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, js::PropertyFlags, unsigned int*) ()
#7 0x0000555556fae491 in bool AddOrChangeProperty<(IsAddOrChange)0>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, js::PropertyResult*) ()
#8 0x0000555556fad201 in js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#9 0x0000555556f53b33 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int, JS::ObjectOpResult&) ()
#10 0x0000555556f53ee4 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) ()
#11 0x0000555556f3a31b in fun_resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) ()
#12 0x0000555556fabb72 in bool js::NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyResult*) ()
#13 0x0000555556fb1b17 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#14 0x0000555556bfa899 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#15 0x0000555556bfa6ea in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#16 0x0000555556f4a55c in js::GetPrototypeFromConstructor(JSContext*, JS::Handle<JSObject*>, JSProtoKey, JS::MutableHandle<JSObject*>) ()
#17 0x0000555556fba9d3 in js::ThisShapeForFunction(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>) ()
#18 0x00005555577e0a75 in js::CreateThis(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::NewObjectKind, JS::MutableHandle<JS::Value>) ()
#19 0x00005555577e0e48 in js::jit::CreateThisFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#20 0x000010dc431dffac in ?? ()
#21 0x0000000000000000 in ?? ()
rip 0x555556d2562c <js::RunScript(JSContext*, js::RunState&)+700>
=> 0x555556d2562c <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+700>: movl $0x15b,0x0
0x555556d25637 <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+711>: callq 0x555556c28070 <abort>
Marking s-s because this assert was originally added to find security bugs.
Reporter
Comment 1•2 years ago
Reporter
Comment 2•2 years ago
Comment 3•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220801153341-bc1d41e88ae3.
The bug appears to have been introduced in the following build range:
Start: dd643f695943a4285476f93e279d4ad8870ddf4b (20220128125906)
End: 6b946c5f5eb8e91395cd70da43319cb7b1bd2cc7 (20220128130720)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dd643f695943a4285476f93e279d4ad8870ddf4b&tochange=6b946c5f5eb8e91395cd70da43319cb7b1bd2cc7
Comment 4•2 years ago
Setting regressed_by field after analyzing regression range found by bugmon.
Comment 5•2 years ago
Set release status flags based on info from the regressing bug 1750962
Comment 6•2 years ago
:jandem, since you are the author of the regressor, bug 1750962, could you take a look?
For more information, please visit auto_nag documentation.
Comment 7•2 years ago
So is it a false alarm from the watchtower feature, or is it a bug in the watchtower feature?
Is the watchtower feature, or the functionality in shapes that it does, exposed to normal content?
Comment 8•2 years ago
Rating based on worst-case assertion, but this could just be a jsshell-only bug in the end.
Assignee
Comment 9•2 years ago
This is just a problem with the testing function. I probably have to rewrite it to be log-based instead of using a callback...
Comment 10•2 years ago
Set release status flags based on info from the regressing bug 1750962
Assignee
Comment 11•2 years ago
This doesn't affect the browser.
Assignee
Comment 13•2 years ago
The ability to run arbitrary JS can cause various problems. This replaces the callback with a different mechanism to avoid this.
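As an added illustration of the re-entrancy hazard behind comments 9 and 13 (a constructed C++ model, not SpiderMonkey's code; the Runtime struct, the guard and the function names are assumptions standing in for disallowArbitraryCode(), RunScript and the Watchtower hook): the callback flavour re-enters script inside the guarded region and trips the check, while the log flavour only records the shape change for script to read afterwards.

```cpp
#include <functional>
#include <string>
#include <vector>

// Constructed model, not SpiderMonkey code: a runtime counter that is non-zero
// while JIT-entered native code that must not re-enter script is running
// (stand-in for jitRuntime()->disallowArbitraryCode()).
struct Runtime {
  int disallowArbitraryCode = 0;
  // Callback-based hook (what the testcase installs via setWatchtowerCallback).
  std::function<void(const std::string&)> watchtowerCallback;
  // Log-based replacement: shape changes are recorded, script reads them later.
  std::vector<std::string> watchtowerLog;
};

// RAII guard marking a region in which running arbitrary script is forbidden.
struct AutoDisallowArbitraryCode {
  Runtime& rt;
  explicit AutoDisallowArbitraryCode(Runtime& r) : rt(r) { ++rt.disallowArbitraryCode; }
  ~AutoDisallowArbitraryCode() { --rt.disallowArbitraryCode; }
};

// Stand-in for js::RunScript's entry check; returns false where the debug
// build asserts, so the hazard is observable as a return value.
bool runScript(Runtime& rt, const std::function<void()>& script) {
  if (rt.disallowArbitraryCode != 0) return false;
  script();
  return true;
}

// Property-add notification, callback flavour: re-enters script immediately,
// which is exactly what fails inside the guarded region.
bool notifyAddPropertyViaCallback(Runtime& rt, const std::string& prop) {
  if (!rt.watchtowerCallback) return true;
  return runScript(rt, [&] { rt.watchtowerCallback(prop); });
}

// Property-add notification, log flavour: no script runs here at all.
void notifyAddPropertyViaLog(Runtime& rt, const std::string& prop) {
  rt.watchtowerLog.push_back("add-prop:" + prop);
}

// Hypothetical model of CreateThisFromIon -> fun_resolve -> addProperty from
// the backtrace: object creation for a JIT-compiled `new` holds the guard.
bool createThisFromIon(Runtime& rt, bool useLog) {
  AutoDisallowArbitraryCode guard(rt);
  if (useLog) { notifyAddPropertyViaLog(rt, "prototype"); return true; }
  return notifyAddPropertyViaCallback(rt, "prototype");
}
```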
Comment 14•2 years ago
Comment 15•2 years ago
bugherder
Comment 16•2 years ago
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit auto_nag documentation.
Comment 17•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221018213916-b6e04e02b4f8.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.