Closed Bug 1797255 Opened 2 years ago Closed 2 years ago

Various assertion failures related to Debugger findObjects API

Categories

(Core :: JavaScript Engine, defect, P3)

defect

Tracking


RESOLVED FIXED
108 Branch
Tracking Status
firefox108 --- fixed

People

(Reporter: saelo, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

During fuzzing I found a number of somewhat similar assertion failures that all seem to be related to the Debugger API. Here are three samples that trigger different assertions:

Sample 1:

// Fuzzer-generated reproducer (sample 1). Kept verbatim: the case has not been
// reduced, so statement order and literal values may matter and most lines are
// probably noise around the Debugger.findObjects() call near the middle.
function main() {
// Generator; the v49.next() call at the bottom runs the whole body because there is no yield.
function* v0(v1,v2,v3) {
    function v5(v6,v7) {
    }
    // Proxy handler whose traps are the isNaN builtin; wraps the Proxy constructor itself.
    const v9 = {"defineProperty":isNaN,"get":isNaN};
    const v11 = "join";
    const v12 = new Proxy(Proxy,v9);
    const v13 = `tQ2WqQssbq`;
    for (const v15 in this) {
        function v16(v17,v18) {
            const v20 = Float32Array.from(Float32Array);
        }
        const v22 = new Promise(v16);
    }
    const v25 = {"defineProperty":isNaN,"get":isNaN};
    const v27 = new Proxy(Proxy,v25);
    // newGlobal is a SpiderMonkey shell helper (not web-exposed); the proxy becomes its options argument.
    const v29 = this.newGlobal(v27);
    const v30 = v29.Debugger;
    const v31 = v30(isNaN);
    // findObjects() returns an array of objects from the debuggee. Per the analysis
    // on this bug it can include self-hosting intrinsics, which are not valid to
    // call from arbitrary JS.
    const v32 = v31.findObjects();
    // Arbitrary index into that array, then a call with no arguments: this is
    // where the CacheIR.cpp assertion in the crash info below fires.
    const v33 = v32[541];
    const v34 = v33.call();
    // Presumably never reached in the crashing run.
    const v35 = this.newGlobal(v12);
    const v36 = v35.Debugger;
    const v37 = v36(v5);
    const v38 = v37.getNewestFrame();
    const v40 = new WeakMap();
    const v41 = v40.delete;
    function v42(v43,v44) {
    }
    const v46 = new Promise(v41);
    const v47 = v46.catch(v42);
    const v48 = v38.eval("arguments");
}
const v49 = v0();
const v50 = v49.next();
// gc() is also a shell helper.
gc();
}
// Run the reproducer; the expected shell output is the crash info that follows.
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: args_[0].isObject(), at /home/builder/firefox/js/src/jit/CacheIR.cpp:8818
// #01: ???[./spidermonkey/js +0x280909e]
// #02: ???[./spidermonkey/js +0x2807ce6]
// #03: ???[./spidermonkey/js +0x2811e58]
// #04: ???[./spidermonkey/js +0x281389f]
// #05: ???[./spidermonkey/js +0x28146ab]
// #06: ???[./spidermonkey/js +0x24a94a7]
// #07: ??? (???:???)

Sample 2:

// Fuzzer-generated reproducer (sample 2). Kept verbatim: not reduced, so most
// statements are probably noise around the Debugger.findObjects() call in v1.
function main() {
const v0 = [];
// v1 is used as a Promise executor below, so it runs synchronously inside
// new Promise(v1). The script is sloppy mode, so `this` in v1 is the global
// object, which is where the shell's newGlobal lives.
function v1(v2,v3) {
    // Proxy handler whose traps are the isNaN builtin; wraps the Proxy constructor itself.
    const v5 = {"defineProperty":isNaN,"get":isNaN};
    const v7 = new Proxy(Proxy,v5);
    // newGlobal is a SpiderMonkey shell helper (not web-exposed).
    const v9 = this.newGlobal(v7);
    const v10 = v9.Debugger;
    const v11 = v10(Proxy);
    const v12 = v10(Proxy);
    function v13(v14,v15) {
    }
    const v17 = new Promise(Promise);
    const v18 = v17.catch(v13);
    const v19 = v10.constructor;
    const v20 = v19();
    // The Debugger instance actually used for findObjects().
    const v21 = v10(isNaN);
    const v22 = gc;
    const v27 = /\W/ugy;
    const v28 = {"__proto__":v27,"a":`__proto__`,"b":1,"toString":100,...100,...RegExp};
    // findObjects() can return self-hosting intrinsics (see the analysis on this
    // bug). Calling the entry at index 541 with no arguments is consistent with
    // the SelfHosting.cpp `args.length() == 3` assertion in the crash info below.
    const v29 = v21.findObjects();
    const v30 = v29[541];
    const v31 = v30.call();
    // Presumably never reached in the crashing run.
    const v32 = arguments;
    function v33(v34,v35) {
    }
    function v36(v37,v38) {
    }
    function v39(v40,v41) {
    }
}
const v43 = new Promise(v1);
const v45 = eval();
// gc() is a shell helper.
gc();
}
// Run the reproducer; the expected shell output is the crash info that follows.
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: args.length() == 3, at /home/builder/firefox/js/src/vm/SelfHosting.cpp:1702
// #01: ???[./spidermonkey/js +0x1cf0cad]
// #02: ???[./spidermonkey/js +0x18088ba]
// #03: ???[./spidermonkey/js +0x1807cf1]
// #04: ???[./spidermonkey/js +0x1809be2]
// #05: ???[./spidermonkey/js +0x21056a4]
// #06: ???[./spidermonkey/js +0x2104cb0]
// #07: ???[./spidermonkey/js +0x212148a]
// #08: ???[./spidermonkey/js +0x18088ba]
// #09: ???[./spidermonkey/js +0x1807cf1]
// #10: ???[./spidermonkey/js +0x1809be2]
// #11: js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x201c099]
// #12: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x1ff17d2]
// #13: ???[./spidermonkey/js +0x200802f]
// #14: ???[./spidermonkey/js +0x18080d0]
// #15: ???[./spidermonkey/js +0x17fad56]
// #16: ???[./spidermonkey/js +0x17edcb3]
// #17: ???[./spidermonkey/js +0x1807bb2]
// #18: ???[./spidermonkey/js +0x1809be2]
// #19: ???[./spidermonkey/js +0x1bdd6f6]
// #20: ???[./spidermonkey/js +0x1c1948e]
// #21: ???[./spidermonkey/js +0x18088ba]
// #22: ???[./spidermonkey/js +0x181eee0]
// #23: ???[./spidermonkey/js +0x180a699]
// #24: ???[./spidermonkey/js +0x17fabd7]
// #25: ???[./spidermonkey/js +0x17edcb3]
// #26: ???[./spidermonkey/js +0x180bb05]
// #27: ???[./spidermonkey/js +0x180c1c1]
// #28: ???[./spidermonkey/js +0x19afd36]
// #29: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./spidermonkey/js +0x19b0013]
// #30: ???[./spidermonkey/js +0x16e5109]
// #31: ???[./spidermonkey/js +0x16de654]
// #32: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #33: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #34: ???[./spidermonkey/js +0x16a8629]
// #35: ??? (???:???)

Sample 3:

// Fuzzer-generated reproducer (sample 3). Kept verbatim: not reduced, so the
// loop and most statements are probably noise around the Debugger.findObjects()
// call. Whether the crash needs more than one iteration is not established here.
function main() {
let v1 = 128;
do {
    const v2 = {};
    const v3 = [v2];
    const v4 = v1++;
    // Destructuring a string primitive: v7 is String, v8 is the string's length (10).
    let {"__proto__":v6,"constructor":v7,"length":v8,} = `tQ2WqQssbq`;
    const v9 = -v8;
    const v11 = 1000 != 54740;
    // Proxy handler whose traps are the isNaN builtin; wraps the Proxy constructor itself.
    const v13 = {"defineProperty":isNaN,"get":isNaN};
    const v15 = new Proxy(Proxy,v13);
    // newGlobal and currentgc are SpiderMonkey shell helpers (not web-exposed).
    const v17 = this.newGlobal(v15);
    const v18 = v17.currentgc();
    const v19 = v17.Debugger;
    const v20 = v19(isNaN);
    // findObjects() can return self-hosting intrinsics (see the analysis on this
    // bug). Calling the entry at index 541 with no arguments is consistent with
    // the CallArgs.h `i < argc_` assertion in the crash info below (an argument
    // read past the zero arguments supplied).
    const v21 = v20.findObjects();
    const v22 = v21[541];
    const v23 = v22.call();
    // Presumably never reached in the crashing run.
    const v24 = v7.fromCharCode(v1,v4);
    const v25 = v24.repeat(v8,1000);
    const v26 = v25[10];
    const v27 = v25.toLowerCase();
    function v28(v29,v30) {
    }
    const v32 = 4 << 4;
    const v33 = v27[7];
} while (v1 < 1000);
// gc() is a shell helper.
gc();
}
// Run the reproducer; the expected shell output is the crash info that follows.
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: i < argc_, at /home/builder/firefox/obj-fuzzbuild/dist/include/js/CallArgs.h:211
// #01: ???[./spidermonkey/js +0x1d00382]
// #02: ???[./spidermonkey/js +0x18088ba]
// #03: ???[./spidermonkey/js +0x1807cf1]
// #04: ???[./spidermonkey/js +0x1809be2]
// #05: ???[./spidermonkey/js +0x21056a4]
// #06: ???[./spidermonkey/js +0x2104cb0]
// #07: ???[./spidermonkey/js +0x212148a]
// #08: ???[./spidermonkey/js +0x18088ba]
// #09: ???[./spidermonkey/js +0x1807cf1]
// #10: ???[./spidermonkey/js +0x1809be2]
// #11: js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x201c099]
// #12: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[./spidermonkey/js +0x1ff17d2]
// #13: ???[./spidermonkey/js +0x200802f]
// #14: ???[./spidermonkey/js +0x18080d0]
// #15: ???[./spidermonkey/js +0x17fad56]
// #16: ???[./spidermonkey/js +0x17edcb3]
// #17: ???[./spidermonkey/js +0x180bb05]
// #18: ???[./spidermonkey/js +0x180c1c1]
// #19: ???[./spidermonkey/js +0x19afd36]
// #20: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./spidermonkey/js +0x19b0013]
// #21: ???[./spidermonkey/js +0x16e5109]
// #22: ???[./spidermonkey/js +0x16de654]
// #23: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #24: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #25: ???[./spidermonkey/js +0x16a8629]
// #26: ??? (???:???)

As these all seem to be related to the Debugger API, which, if I understand correctly, is not exposed to web content, these issues probably have low (if any) security impact.

Group: core-security → javascript-core-security

Jan, maybe you have a better idea than me of what might be going on with these issues?
I am a bit worried by the CrossCompartmentWrapper frames that are appearing on the call stacks.

Blocks: sm-runtime
Severity: -- → S4
Type: task → defect
Flags: needinfo?(jdemooij)
Priority: -- → P2

All of these are caused by the Debugger's findObjects API. It can return self-hosting intrinsics, and these are invalid to call from arbitrary JS. There are likely other internal objects as well, so I think we should fix findObjects to return an empty array when fuzzing.

Group: javascript-core-security
Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Priority: P2 → P3
Summary: Various assertion failures related to Debugger API → Various assertion failures related to Debugger findObjects API
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f2f3b76b6c0c Return an empty array from Debugger.findObjects with --fuzzing-safe. r=decoder
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch