Various assertion failures related to Debugger findObjects API
(Core :: JavaScript Engine, defect, P3)
Tracking | Status | |
---|---|---|
firefox108 | --- | fixed |
(Reporter: saelo, Assigned: jandem)
(Blocks 1 open bug)
During fuzzing I found a number of somewhat similar assertion failures that all seem to be related to the Debugger API. Here are three samples that trigger different assertions:
Sample 1:
// Sample 1: fuzzer-generated, unreduced reproducer. It depends on JS-shell-only
// helpers (newGlobal, gc) and on the Debugger API, which the reporter notes is
// not exposed to web content; most statements are filler around the
// findObjects() call marked below.
function main() {
  // Generator: its body only runs when v49.next() is called at the bottom.
  function* v0(v1,v2,v3) {
    function v5(v6,v7) {
    }
    // Proxy handlers whose traps are plain builtins; the resulting Proxy is
    // passed as the options argument of newGlobal().
    const v9 = {"defineProperty":isNaN,"get":isNaN};
    const v11 = "join";
    const v12 = new Proxy(Proxy,v9);
    const v13 = `tQ2WqQssbq`;
    for (const v15 in this) {
      function v16(v17,v18) {
        const v20 = Float32Array.from(Float32Array);
      }
      const v22 = new Promise(v16);
    }
    const v25 = {"defineProperty":isNaN,"get":isNaN};
    const v27 = new Proxy(Proxy,v25);
    // Fresh global, and a Debugger constructed from that global's Debugger.
    const v29 = this.newGlobal(v27);
    const v30 = v29.Debugger;
    const v31 = v30(isNaN);
    // Trigger (per comment 2): findObjects() can return internal
    // (self-hosting) objects that are not valid to call from script. Index 541
    // is an arbitrary fuzzer pick; calling whatever sits there is what leads
    // to the assertion in the crash info below.
    const v32 = v31.findObjects();
    const v33 = v32[541];
    const v34 = v33.call();
    // Second global/Debugger pair; v37.getNewestFrame() and the eval are
    // presumably filler — the report attributes the failure to findObjects().
    const v35 = this.newGlobal(v12);
    const v36 = v35.Debugger;
    const v37 = v36(v5);
    const v38 = v37.getNewestFrame();
    const v40 = new WeakMap();
    const v41 = v40.delete;
    function v42(v43,v44) {
    }
    const v46 = new Promise(v41);
    const v47 = v46.catch(v42);
    const v48 = v38.eval("arguments");
  }
  const v49 = v0();
  // Runs the generator body above up to completion (no yield inside).
  const v50 = v49.next();
  // Shell-only helper; forces a collection after the Debugger calls.
  gc();
}
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: args_[0].isObject(), at /home/builder/firefox/js/src/jit/CacheIR.cpp:8818
// #01: ???[./spidermonkey/js +0x280909e]
// #02: ???[./spidermonkey/js +0x2807ce6]
// #03: ???[./spidermonkey/js +0x2811e58]
// #04: ???[./spidermonkey/js +0x281389f]
// #05: ???[./spidermonkey/js +0x28146ab]
// #06: ???[./spidermonkey/js +0x24a94a7]
// #07: ??? (???:???)
Sample 2:
// Sample 2: fuzzer-generated, unreduced reproducer (same shell-only helpers
// and Debugger API as sample 1). The crash info below shows the failing call
// crossing a CrossCompartmentWrapper (frames #11-#12) before the assertion.
function main() {
  const v0 = [];
  // v1 is used as a Promise executor at the bottom, so it runs synchronously
  // inside `new Promise(v1)`; it is sloppy-mode, so `this` is the global and
  // this.newGlobal resolves to the shell helper.
  function v1(v2,v3) {
    const v5 = {"defineProperty":isNaN,"get":isNaN};
    const v7 = new Proxy(Proxy,v5);
    const v9 = this.newGlobal(v7);
    const v10 = v9.Debugger;
    const v11 = v10(Proxy);
    const v12 = v10(Proxy);
    function v13(v14,v15) {
    }
    const v17 = new Promise(Promise);
    const v18 = v17.catch(v13);
    const v19 = v10.constructor;
    const v20 = v19();
    const v21 = v10(isNaN);
    const v22 = gc;
    const v27 = /\W/ugy;
    const v28 = {"__proto__":v27,"a":`__proto__`,"b":1,"toString":100,...100,...RegExp};
    // Trigger (per comment 2): findObjects() may hand back internal
    // self-hosting objects; index 541 is an arbitrary fuzzer pick, and calling
    // that element is what reaches the `args.length() == 3` assertion in the
    // crash info below.
    const v29 = v21.findObjects();
    const v30 = v29[541];
    const v31 = v30.call();
    const v32 = arguments;
    function v33(v34,v35) {
    }
    function v36(v37,v38) {
    }
    function v39(v40,v41) {
    }
  }
  // Executor runs here, synchronously.
  const v43 = new Promise(v1);
  const v45 = eval();
  // Shell-only helper.
  gc();
}
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: args.length() == 3, at /home/builder/firefox/js/src/vm/SelfHosting.cpp:1702
// #01: ???[./spidermonkey/js +0x1cf0cad]
// #02: ???[./spidermonkey/js +0x18088ba]
// #03: ???[./spidermonkey/js +0x1807cf1]
// #04: ???[./spidermonkey/js +0x1809be2]
// #05: ???[./spidermonkey/js +0x21056a4]
// #06: ???[./spidermonkey/js +0x2104cb0]
// #07: ???[./spidermonkey/js +0x212148a]
// #08: ???[./spidermonkey/js +0x18088ba]
// #09: ???[./spidermonkey/js +0x1807cf1]
// #10: ???[./spidermonkey/js +0x1809be2]
// #11: js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x201c099]
// #12: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x1ff17d2]
// #13: ???[./spidermonkey/js +0x200802f]
// #14: ???[./spidermonkey/js +0x18080d0]
// #15: ???[./spidermonkey/js +0x17fad56]
// #16: ???[./spidermonkey/js +0x17edcb3]
// #17: ???[./spidermonkey/js +0x1807bb2]
// #18: ???[./spidermonkey/js +0x1809be2]
// #19: ???[./spidermonkey/js +0x1bdd6f6]
// #20: ???[./spidermonkey/js +0x1c1948e]
// #21: ???[./spidermonkey/js +0x18088ba]
// #22: ???[./spidermonkey/js +0x181eee0]
// #23: ???[./spidermonkey/js +0x180a699]
// #24: ???[./spidermonkey/js +0x17fabd7]
// #25: ???[./spidermonkey/js +0x17edcb3]
// #26: ???[./spidermonkey/js +0x180bb05]
// #27: ???[./spidermonkey/js +0x180c1c1]
// #28: ???[./spidermonkey/js +0x19afd36]
// #29: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./spidermonkey/js +0x19b0013]
// #30: ???[./spidermonkey/js +0x16e5109]
// #31: ???[./spidermonkey/js +0x16de654]
// #32: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #33: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #34: ???[./spidermonkey/js +0x16a8629]
// #35: ??? (???:???)
Sample 3:
// Sample 3: fuzzer-generated, unreduced reproducer. Unlike samples 1 and 2 it
// loops, creating a fresh global and Debugger on every iteration (v1 counts
// 128..999, so up to 872 iterations if nothing asserts first). The crash info
// below again shows the call going through a CrossCompartmentWrapper
// (frames #11-#12).
function main() {
  let v1 = 128;
  do {
    const v2 = {};
    const v3 = [v2];
    const v4 = v1++;
    // Destructuring a 10-character string: v7 is String (its constructor),
    // v8 is its length (10); v6 is the String prototype.
    let {"__proto__":v6,"constructor":v7,"length":v8,} = `tQ2WqQssbq`;
    const v9 = -v8;
    const v11 = 1000 != 54740;
    const v13 = {"defineProperty":isNaN,"get":isNaN};
    const v15 = new Proxy(Proxy,v13);
    // Shell-only helpers: newGlobal() creates the global, currentgc() is
    // queried on it.
    const v17 = this.newGlobal(v15);
    const v18 = v17.currentgc();
    const v19 = v17.Debugger;
    const v20 = v19(isNaN);
    // Trigger (per comment 2): findObjects() may return internal self-hosting
    // objects; index 541 is an arbitrary fuzzer pick, and calling it with no
    // arguments leads to the `i < argc_` assertion in the crash info below.
    const v21 = v20.findObjects();
    const v22 = v21[541];
    const v23 = v22.call();
    // Filler string work: String.fromCharCode(...).repeat(10) and indexing.
    const v24 = v7.fromCharCode(v1,v4);
    const v25 = v24.repeat(v8,1000);
    const v26 = v25[10];
    const v27 = v25.toLowerCase();
    function v28(v29,v30) {
    }
    const v32 = 4 << 4;
    const v33 = v27[7];
  } while (v1 < 1000);
  // Shell-only helper.
  gc();
}
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: i < argc_, at /home/builder/firefox/obj-fuzzbuild/dist/include/js/CallArgs.h:211
// #01: ???[./spidermonkey/js +0x1d00382]
// #02: ???[./spidermonkey/js +0x18088ba]
// #03: ???[./spidermonkey/js +0x1807cf1]
// #04: ???[./spidermonkey/js +0x1809be2]
// #05: ???[./spidermonkey/js +0x21056a4]
// #06: ???[./spidermonkey/js +0x2104cb0]
// #07: ???[./spidermonkey/js +0x212148a]
// #08: ???[./spidermonkey/js +0x18088ba]
// #09: ???[./spidermonkey/js +0x1807cf1]
// #10: ???[./spidermonkey/js +0x1809be2]
// #11: js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x201c099]
// #12: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x1ff17d2]
// #13: ???[./spidermonkey/js +0x200802f]
// #14: ???[./spidermonkey/js +0x18080d0]
// #15: ???[./spidermonkey/js +0x17fad56]
// #16: ???[./spidermonkey/js +0x17edcb3]
// #17: ???[./spidermonkey/js +0x180bb05]
// #18: ???[./spidermonkey/js +0x180c1c1]
// #19: ???[./spidermonkey/js +0x19afd36]
// #20: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./spidermonkey/js +0x19b0013]
// #21: ???[./spidermonkey/js +0x16e5109]
// #22: ???[./spidermonkey/js +0x16de654]
// #23: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #24: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #25: ???[./spidermonkey/js +0x16a8629]
// #26: ??? (???:???)
As these all seem to be related to the Debugger API, which, if I understand correctly, is not exposed to web content, these issues probably have low (if any) security impact.
Comment 1•2 years ago
Jan, maybe you have a better idea than me of what might be going on with these issues?
I am a bit worried by the CrossCompartmentWrapper frames that are appearing on the call stacks.
Comment 2•2 years ago
All of these are caused by the Debugger's findObjects API. It can return self-hosting intrinsics, and these are invalid to call from arbitrary JS. There are likely other internal objects as well, so I think we should fix findObjects to return an empty array when fuzzing.
Comment 3•2 years ago
Comment 5•2 years ago
bugherder |