Closed Bug 1846128 Opened 2 years ago Closed 2 years ago

Assertion failure: isBoolean()

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED INVALID
People: Reporter: ddme, Unassigned
Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments (1 file): poc.js, 1.20 KB, application/x-javascript

Attached file poc.js

This bug is not stable; it needs to be run multiple times. I will try to upload a backtrace.

Download the newest Firefox and build with

ac_add_options --enable-application=js
ac_add_options --enable-optimize
ac_add_options --enable-debug
ac_add_options --disable-shared-js
ac_add_options --enable-js-fuzzilli
ac_add_options --enable-fuzzing
ac_add_options --enable-gczeal

and run with

--baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --disable-oom-functions --reprl --small-function-length=128 --inlining-entry-threshold=1024 --gc-zeal=16 --ion-scalar-replacement=on --ion-pruning=on --ion-range-analysis=on --ion-inlining=on --ion-gvn=on --ion-osr=on --ion-edgecase-analysis=on --nursery-size=8 --nursery-strings=off --nursery-bigints=on --spectre-mitigations=off --ion-optimize-shapeguards=on --ion-licm=on --ion-instruction-reordering=on --cache-ir-stubs=on --no-ssse3 --enable-watchtower --ion-sink=off

Assertion failure: isBoolean(), at /home/builder/firefox/obj-fuzzbuild/dist/include/js/Value.h:997

Flags: sec-bounty?

Remove --reprl from the flags, thanks :)

Hi all, today I filed more than three new bugs. If I made a mistake and this type of memory corruption can't be a security bug, please close it. Thank you.

commit ddff4872b8220fae71155e39fd30ac3b760a4741 (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: Jason Prickett <prickettjw@gmail.com>
Date: Sat Jul 29 03:42:06 2023 +0000

(In reply to ret2ddme from comment #3)
> commit ddff4872b8220fae71155e39fd30ac3b760a4741 (grafted, HEAD -> master, origin/master, origin/HEAD)
> Author: Jason Prickett <prickettjw@gmail.com>
> Date: Sat Jul 29 03:42:06 2023 +0000

This is my local version.

Group: firefox-core-security → core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

Thanks for the report.

I ran this 100+ times locally on a build of the latest mozilla-central with the specified flags without seeing a crash. Can you confirm that the flags and the testcase you've posted are correct? What OS/architecture are you using? What is the crash rate for you locally?

Flags: needinfo?(ret2ddme)

I can only reproduce it with Fuzzilli, and I cannot reproduce it by running it manually. I will try to upload the backtrace.

Flags: needinfo?(ret2ddme)

Does it reproduce if you pass --fuzzing-safe to the JS shell?

// Calls the testing function once per global property name, passing the
// name (a string, not a boolean) as the second argument.
for (const v3 of Object.getOwnPropertyNames(this)) {
    this.assertRecoveredOnBailout(v3, v3);
}

This is the stable version of the POC, but with --fuzzing-safe it cannot be reproduced.

Thanks! That explains it because we inline assertRecoveredOnBailout here with this code:

  // (Fuzzing unsafe) testing function which must be called with a constant
  // boolean as its second argument.
  bool mustBeRecovered = args_[1].toBoolean();

So we assume the second argument to this function is a boolean, and otherwise we fail this assertion.
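The triage question asked above (does it still reproduce with --fuzzing-safe?) is the check that separates a real engine bug from a violated precondition of a fuzzing-unsafe testing function. The script below is an added example, not part of the bug report or of the SpiderMonkey tree: it reruns a testcase several times with and without --fuzzing-safe, counts signal-induced crashes, and classifies the result. The JS and POC environment variables, the trial count, and the reduced flag set are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or the SpiderMonkey project).
# Reruns a JS shell testcase and reports how often the shell dies by signal,
# once without and once with --fuzzing-safe, then classifies the outcome.

# run_trials N CMD [ARGS...] -> prints "<crashes>/<N>"
# A debug-build assertion failure (MOZ_ASSERT -> MOZ_CRASH) kills the shell
# with a signal, so $? is 128+signo (134 for SIGABRT, 139 for SIGSEGV).
# An ordinary failure such as an uncaught JS exception exits with a small
# code and is deliberately not counted.
run_trials() {
  n="$1"; shift
  crashes=0
  i=0
  while [ "$i" -lt "$n" ]; do
    if "$@" >/dev/null 2>&1; then
      rc=0
    else
      rc=$?
    fi
    if [ "$rc" -ge 129 ]; then
      crashes=$((crashes + 1))
    fi
    i=$((i + 1))
  done
  echo "$crashes/$n"
}

# classify WITHOUT_SAFE WITH_SAFE -> one label; both inputs are "<crashes>/<N>"
classify() {
  plain=${1%%/*}
  safe=${2%%/*}
  if [ "$plain" -eq 0 ] && [ "$safe" -eq 0 ]; then
    echo "not-reproduced"
  elif [ "$safe" -eq 0 ]; then
    # Crashes only when fuzzing-unsafe testing functions are reachable: the
    # testcase is violating a testing-only precondition, as in this bug.
    echo "fuzzing-unsafe-only"
  else
    # Still crashes with testing functions disabled: worth a real look.
    echo "reproduces-with-fuzzing-safe"
  fi
}

# Usage (assumed environment): JS=/path/to/js POC=poc.js sh triage.sh
# Runs only when a js shell and testcase are actually supplied.
if [ -n "${JS:-}" ] && [ -n "${POC:-}" ] && [ -x "$JS" ]; then
  FLAGS="--baseline-warmup-threshold=10 --ion-warmup-threshold=100"
  plain=$(run_trials 20 "$JS" $FLAGS "$POC")
  safe=$(run_trials 20 "$JS" --fuzzing-safe $FLAGS "$POC")
  echo "without --fuzzing-safe: $plain"
  echo "with    --fuzzing-safe: $safe"
  echo "verdict: $(classify "$plain" "$safe")"
fi
```

The crash count is deliberately based on signal termination rather than on grepping for "Assertion failure", so it also catches a genuine segfault; a testcase that lands in "fuzzing-unsafe-only" is the situation this bug describes and is not a security issue on its own.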

Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
