Closed
Bug 1797032
Opened 3 years ago
Closed 3 years ago
Assertion failure: inited == hasPrototype(key), at js/src/vm/GlobalObject.h:416
Categories
(Core :: JavaScript Engine, task)
Core
JavaScript Engine
RESOLVED
DUPLICATE
of bug 1219128
People
(Reporter: saelo, Unassigned)
Details
The following sample triggers a debug assertion failure in SpiderMonkey built from the latest HEAD in a debug configuration:
// Fuzzer-generated reproducer for Bug 1797032 (resolved as a DUPLICATE of
// bug 1219128). On a debug SpiderMonkey build it trips the assertion
// `inited == hasPrototype(key)` at js/src/vm/GlobalObject.h:416.
// It relies on SpiderMonkey shell test functions (newGlobal, oomAtAllocation,
// parseModule, objectGlobal, resumeProfilers, evalInWorker,
// getModuleEnvironmentNames, gc) and was run with the ARGS listed in the
// crash info below. Do not restyle or reorder statements: comment 1 on the
// bug notes that whether it reproduces depends on the allocation ordering
// seen by oomAtAllocation, which can change with configure options.
function main() {
// A second global; its Debugger constructor is used at the end of main().
const v1 = this.newGlobal();
// Used as a Promise executor (`new Promise(v2)` below), so it runs
// synchronously during Promise construction. The script is not strict mode,
// so `this` here is presumably the shell global that provides the test
// functions — confirm against the shell's executor calling convention.
function v2(v3,v4) {
// Sweep over OOM injection points: simulate an allocation failure at the
// v8-th allocation for v8 = 0..99, then perform a fixed sequence of shell
// operations. Whatever fails in a given iteration is swallowed by the empty
// catch, so the loop continues regardless of which allocation was poisoned.
for (let v8 = 0; v8 < 100; v8++) {
try {
const v10 = this.oomAtAllocation(v8);
const v13 = this.parseModule("apply");
const v14 = {};
// A plain object has no `size`, so v15 is undefined, v17 is true and v18
// evaluates to the Uint16Array constructor.
const v15 = v14.size;
const v17 = Uint16Array !== v15;
const v18 = v17 && Uint16Array;
// objectGlobal(v18) is presumably the global owning Uint16Array; a fresh
// global is then created from it. v25 is v21 only if resumeProfilers()
// returned a truthy value — otherwise the evalInWorker call throws and is
// caught below.
const v20 = this.objectGlobal(v18);
const v21 = v20.newGlobal();
const v24 = this.resumeProfilers();
const v25 = v24 && v21;
const v26 = v25.evalInWorker("9007199254740991");
function v27(v28,v29) {
}
const v31 = new Promise(v27);
const v33 = this.getModuleEnvironmentNames(v13);
} catch(v34) {
// Intentionally empty: OOM-induced exceptions are ignored so the sweep continues.
} finally {
}
}
}
const v36 = new Promise(v2);
// A Debugger obtained from the second global, applied to the last of all
// globals the shell knows about. The gdb trace below shows the calls on v38
// and v39 succeeded, so v38 is a usable Debugger object here.
const v37 = v1.Debugger;
const v38 = v37();
const v39 = v38.findAllGlobals();
const v40 = v39.pop();
// Per the gdb stack trace below, the assertion fires under this call:
// DebuggerObject::getOwnPropertyDescriptor -> NativeGetOwnPropertyDescriptor
// -> global_resolve -> JS_ResolveStandardClass
// -> GlobalObject::getOrCreateObjectPrototype -> classIsInitialized.
// The assertion compares the "initialized" flag of a standard class with
// whether its prototype actually exists; presumably one of the
// OOM-interrupted iterations above left that state inconsistent — the
// duplicate, bug 1219128, is where the root cause is tracked.
const v41 = v40.getOwnPropertyDescriptor(v37);
gc();
}
// Run the reproducer; the crash info and gdb trace below were captured from this run.
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: inited == hasPrototype(key), at /home/builder/firefox/js/src/vm/GlobalObject.h:416
// #01: ???[./spidermonkey/js +0x17e3221]
// #02: ???[./spidermonkey/js +0x17e2df9]
// #03: JS_ResolveStandardClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*)[./spidermonkey/js +0x1f81b2c]
// #04: ???[./spidermonkey/js +0x1b8ba09]
// #05: ???[./spidermonkey/js +0x1b93069]
// #06: ???[./spidermonkey/js +0x2102a52]
// #07: ???[./spidermonkey/js +0x2102806]
// #08: ???[./spidermonkey/js +0x21200ca]
// #09: ???[./spidermonkey/js +0x18088ba]
// #10: ???[./spidermonkey/js +0x1807cf1]
// #11: ???[./spidermonkey/js +0x17fad56]
// #12: ???[./spidermonkey/js +0x17edcb3]
// #13: ???[./spidermonkey/js +0x180bb05]
// #14: ???[./spidermonkey/js +0x180c1c1]
// #15: ???[./spidermonkey/js +0x19afd36]
// #16: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./spidermonkey/js +0x19b0013]
// #17: ???[./spidermonkey/js +0x16e5109]
// #18: ???[./spidermonkey/js +0x16de654]
// #19: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #20: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #21: ???[./spidermonkey/js +0x16a8629]
// #22: ??? (???:???)
// STDOUT:
// ARGS: ./spidermonkey/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --reprl
Here is the stacktrace from gdb:
#0 0x0000555557542696 in js::GlobalObject::classIsInitialized (this=0x1e43a363eb30, key=JSProto_Object) at js/src/vm/GlobalObject.h:416
#1 0x00005555575524e0 in js::GlobalObject::functionObjectClassesInitialized (this=0x1e43a363eb30) at js/src/vm/GlobalObject.h:422
#2 0x000055555755238e in js::GlobalObject::getOrCreateObjectPrototype (cx=0x7ffff662a100, global=...) at js/src/vm/GlobalObject.h:481
#3 0x0000555557cd5d85 in JS_ResolveStandardClass (cx=0x7ffff662a100, obj=..., id=..., resolved=0x7fffffff957f) at js/src/jsapi.cpp:955
#4 0x0000555557386bea in global_resolve (cx=0x7ffff662a100, obj=..., id=..., resolvedp=0x7fffffff957f) at js/src/shell/js.cpp:9804
#5 0x000055555791e42d in js::CallResolveOp (cx=0x7ffff662a100, obj=..., id=..., propp=0x7fffffff9898) at js/src/vm/NativeObject-inl.h:627
#6 0x000055555790b479 in js::NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> (cx=0x7ffff662a100, obj=..., id=..., propp=0x7fffffff9898) at js/src/vm/NativeObject-inl.h:739
#7 0x000055555792181a in js::NativeLookupOwnProperty<(js::AllowGC)1> (cx=0x7ffff662a100, obj=..., id=..., propp=0x7fffffff9898) at js/src/vm/NativeObject.cpp:1066
#8 0x0000555557910107 in js::NativeGetOwnPropertyDescriptor (cx=0x7ffff662a100, obj=..., id=..., desc=...) at js/src/vm/NativeObject.cpp:1958
#9 0x00005555578582ad in js::GetOwnPropertyDescriptor (cx=0x7ffff662a100, obj=..., id=..., desc=...) at js/src/vm/JSObject.cpp:2066
#10 0x0000555557ea0312 in js::DebuggerObject::getOwnPropertyDescriptor (cx=0x7ffff662a100, object=..., id=..., desc_=...) at js/src/debugger/Object.cpp:2096
#11 0x0000555557ea00ac in js::DebuggerObject::CallData::getOwnPropertyDescriptorMethod (this=0x7fffffff9c60) at js/src/debugger/Object.cpp:831
#12 0x0000555557ebbe14 in js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::getOwnPropertyDescriptorMethod> (cx=0x7ffff662a100, argc=1, vp=0x7ffff54f5168) at js/src/debugger/Object.cpp:239
#13 0x000055555757d85c in CallJSNative (cx=0x7ffff662a100, native=0x555557ebbc60 <js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::getOwnPropertyDescriptorMethod>(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:459
#14 0x000055555756b513 in js::InternalCallOrConstruct (cx=0x7ffff662a100, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:547
#15 0x000055555756bc99 in InternalCall (cx=0x7ffff662a100, args=..., reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:614
#16 0x000055555756bad3 in js::CallFromStack (cx=0x7ffff662a100, args=..., reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:619
#17 0x000055555755fa7d in Interpret (cx=0x7ffff662a100, state=...) at js/src/vm/Interpreter.cpp:3375
#18 0x00005555575542e1 in js::RunScript (cx=0x7ffff662a100, state=...) at js/src/vm/Interpreter.cpp:431
#19 0x000055555756d1a1 in js::ExecuteKernel (cx=0x7ffff662a100, script=..., envChainArg=..., evalInFrame=..., result=...) at js/src/vm/Interpreter.cpp:825
#20 0x000055555756d514 in js::Execute (cx=0x7ffff662a100, script=..., envChain=..., rval=...) at js/src/vm/Interpreter.cpp:857
#21 0x000055555770c59e in ExecuteScript (cx=0x7ffff662a100, envChain=..., script=..., rval=...) at js/src/vm/CompilationAndEvaluation.cpp:467
#22 0x000055555770c6bb in JS_ExecuteScript (cx=0x7ffff662a100, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:491
#23 0x00005555573ac467 in RunFile (cx=0x7ffff662a100, filename=0x7fffffffdd06 "crashes/program_20221023124641_7BA8A3B4-5497-4222-8CCD-B63186B76DD6_flaky.js", file=0x7ffff7767100, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false) at js/src/shell/js.cpp:1055
#24 0x00005555573abd35 in Process (cx=0x7ffff662a100, filename=0x7fffffffdd06 "crashes/program_20221023124641_7BA8A3B4-5497-4222-8CCD-B63186B76DD6_flaky.js", forceTTY=false, kind=FileScript) at js/src/shell/js.cpp:1653
#25 0x0000555557385cb9 in ProcessArgs (cx=0x7ffff662a100, op=0x7fffffffd708) at js/src/shell/js.cpp:10541
#26 0x0000555557377cbb in Shell (cx=0x7ffff662a100, op=0x7fffffffd708) at js/src/shell/js.cpp:11220
#27 0x00005555573728ab in main (argc=2, argv=0x7fffffffd9c8) at js/src/shell/js.cpp:12321
I'm not sure if this assertion has any security implications, and this issue may also be a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1219128, but I'm still reporting it as a security issue as a precaution.
Updated•3 years ago
Group: core-security → javascript-core-security
Comment 1•3 years ago
I double-checked: the patch from Bug 1219128 seems to fix this issue.
However, I am not highly confident that this is the case, since oomAtAllocation
might behave differently depending on configure options, and the latest patch for Bug 1219128 might change the allocation ordering.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Updated•8 months ago
Group: javascript-core-security