Assertion failure: v.hasObjectPayload(), at builtin/JSON.cpp:764
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox112 | --- | fixed |
People
(Reporter: lukas.bernhard, Assigned: jandem)
References
(Blocks 2 open bugs)
Details
Attachments
(1 file)
Steps to reproduce:
On commit 1d6e2f82287c298f77f21ad0f62f1aed6155577c the attached sample crashes with an assertion violation when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js
. Not setting s-s because the debugger API is not exposed to web content.
const v0 = `
const v1 = [v0];
const v2 = v1.keys;
const v4 = [];
v4.sameZoneAs = v4;
with (this.newGlobal(v4).Debugger(v2).getNewestFrame()) {
const v8 = "function f9(a10) { return f9; }";
for (const v13 in eval(v8)) { }
}
const v15 = [v1];
const v17 = {...this};
v17.wrapWithProto(v17, v17).findPath(v15, v15);
`;
JSON.stringify(eval(v0));
#0 0x0000555557642e14 in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:764
#1 0x0000555557688646 in JO (cx=0x7ffff742f100, obj=..., scx=0x7fffffffa510)
at js/src/builtin/JSON.cpp:549
#2 0x000055555764309e in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:792
#3 0x0000555557688646 in JO (cx=0x7ffff742f100, obj=..., scx=0x7fffffffa510)
at js/src/builtin/JSON.cpp:549
#4 0x000055555764309e in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:792
#5 0x00005555576877ca in JA (cx=0x7ffff742f100, obj=..., scx=0x7fffffffa510)
at js/src/builtin/JSON.cpp:680
#6 0x0000555557643055 in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:792
#7 0x0000555557640db5 in js::Stringify (cx=0x7ffff742f100, vp=..., replacer_=0x0, space_=..., sb=...,
stringifyBehavior=js::StringifyBehavior::Normal) at js/src/builtin/JSON.cpp:970
#8 0x0000555557643c6b in json_stringify (cx=0x7ffff742f100, argc=1, vp=0x7ffff4cec090)
at js/src/builtin/JSON.cpp:1342
#9 0x000055555756038e in CallJSNative (cx=0x7ffff742f100, native=0x555557643960 <json_stringify(JSContext*, unsigned int, JS::Value*)>,
reason=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:459
#10 0x000055555755fbcd in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., construct=js::NO_CONSTRUCT,
reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:547
#11 0x0000555557560f61 in InternalCall (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:614
#12 0x0000555557560d25 in js::CallFromStack (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:619
#13 0x0000555557551a54 in Interpret (cx=0x7ffff742f100, state=...) at js/src/vm/Interpreter.cpp:3362
#14 0x0000555557543b30 in js::RunScript (cx=0x7ffff742f100, state=...) at js/src/vm/Interpreter.cpp:431
#15 0x0000555557562b1c in js::ExecuteKernel (cx=0x7ffff742f100, script=..., envChainArg=..., evalInFrame=..., result=...)
at js/src/vm/Interpreter.cpp:812
#16 0x00005555575633c5 in js::Execute (cx=0x7ffff742f100, script=..., envChain=..., rval=...)
at js/src/vm/Interpreter.cpp:844
#17 0x0000555557799846 in ExecuteScript (cx=0x7ffff742f100, envChain=..., script=..., rval=...)
at js/src/vm/CompilationAndEvaluation.cpp:472
#18 0x000055555779999d in JS_ExecuteScript (cx=0x7ffff742f100, scriptArg=...)
at js/src/vm/CompilationAndEvaluation.cpp:496
Reporter | ||
Updated•2 years ago
|
Updated•2 years ago
|
Comment 1•2 years ago
|
||
I was wondering how this was related to the Debugger, and just executed the eval(v0)
part in the interactive JS shell:
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: internal value types shouldn't leak into places wanting source representations), at …/js/src/vm/ToSource.cpp:241
So this would be an unexpected input for JSON.stringify
, or an unexpected output for the debugger.
Maybe some of these API should not be exposed to fuzzers.
Jan, any idea what to do next with this bug?
Updated•2 years ago
|
Assignee | ||
Comment 2•2 years ago
|
||
The issue in the bug is that we were returning a DebugEnvironmentProxy
to JS
through findPath
/UbiNode
, and this object isn't safe to use from arbitrary JS.
This patch also changes findPath
to not define the node
property with --fuzzing-safe
,
to fix similar issues elsewhere. This DebugEnvironmentProxy
case is easy to fix, but
the engine also uses plain objects and arrays internally in some places and the JSClass
checks won't be sufficient for that.
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
Comment 5•2 years ago
|
||
bugherder |
Description
•