Closed
Bug 1846131
Opened 2 years ago
Closed 2 years ago
MOZ_CRASH(*** Compartment mismatch 7f1b63d035b0 vs. 7f1b63d03b30 at argument 0)
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED INVALID
People
(Reporter: ddme, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments (1 file): 99 bytes, application/x-javascript
I don't know whether it has the same cause as https://bugzilla.mozilla.org/show_bug.cgi?id=1810573
Flags: sec-bounty?
Build with:
ac_add_options --enable-application=js
ac_add_options --enable-optimize
ac_add_options --enable-debug
ac_add_options --disable-shared-js
ac_add_options --enable-js-fuzzilli
ac_add_options --enable-fuzzing
ac_add_options --enable-gczeal
and run with:
--baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --disable-oom-functions --small-function-length=128 --inlining-entry-threshold=1024 --gc-zeal=16 --ion-scalar-replacement=on --ion-pruning=on --ion-range-analysis=on --ion-inlining=on --ion-gvn=on --ion-osr=on --ion-edgecase-analysis=on --nursery-size=8 --nursery-strings=off --nursery-bigints=on --spectre-mitigations=off --ion-optimize-shapeguards=on --ion-licm=on --ion-instruction-reordering=on --cache-ir-stubs=on --no-ssse3 --enable-watchtower --ion-sink=off
then watch the output:
Hit MOZ_CRASH(*** Compartment mismatch 7f1b63d035b0 vs. 7f1b63d03b30 at argument 0) at /home/builder/firefox/js/src/vm/JSContext-inl.h:55
[... ...]
#0 0x556e1c29eaae in MOZ_Crash(char const*, int, char const*) /home/builder/firefox/obj-fuzzbuild/dist/include/mozilla/Assertions.h:281:3
#1 0x556e1c29eaae in js::ContextChecks::fail(JS::Compartment*, JS::Compartment*, int) /home/builder/firefox/js/src/vm/JSContext-inl.h:54:5
#2 0x556e1c29eaae in js::ContextChecks::check(JS::Compartment*, int) /home/builder/firefox/js/src/vm/JSContext-inl.h:70:7
#3 0x556e1c29eaae in js::ContextChecks::check(JSObject*, int) /home/builder/firefox/js/src/vm/JSContext-inl.h:83:7
#4 0x556e1c2b1fb6 in void JSContext::checkImpl<JS::MutableHandle<JS::Value> >(JS::MutableHandle<JS::Value> const&) /home/builder/firefox/js/src/vm/JSContext-inl.h:206:33
#5 0x556e1c2b1fb6 in void JSContext::check<JS::MutableHandle<JS::Value> >(JS::MutableHandle<JS::Value> const&) /home/builder/firefox/js/src/vm/JSContext-inl.h:213:5
#6 0x556e1c2b1fb6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/builder/firefox/js/src/vm/Interpreter.cpp:488:9
#7 0x556e1c2b114a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/builder/firefox/js/src/vm/Interpreter.cpp:580:12
#8 0x556e1c2b31d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/builder/firefox/js/src/vm/Interpreter.cpp:679:8
#9 0x556e1cb890ae in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/builder/firefox/js/src/proxy/Wrapper.cpp:168:10
#10 0x556e1cb5e2f7 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/builder/firefox/js/src/proxy/CrossCompartmentWrapper.cpp:229:19
#11 0x556e1cb7413e in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/builder/firefox/js/src/proxy/Proxy.cpp:705:19
#12 0x556e1c2b17b1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/builder/firefox/js/src/vm/Interpreter.cpp:560:14
and the poc.js in the attachments.
Update: reproducing this bug does not need any flags; just run the PoC like
/path/to/js ./poc
My local version:
commit ddff4872b8220fae71155e39fd30ac3b760a4741 (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: Jason Prickett <prickettjw@gmail.com>
Date: Sat Jul 29 03:42:06 2023 +0000
Updated•2 years ago
Group: firefox-core-security → core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Updated•2 years ago
Group: core-security → javascript-core-security
Comment 6•2 years ago
Thanks for the report. However, similarly to bug 1846133, this uses a testing function that is not safe to fuzz (in this case getInnerMostEnvironmentObject). Please use --fuzzing-safe when fuzzing SpiderMonkey.
Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
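The triage step comment 6 asks for, as an added example that is not code from the bug report, the reporter, or Mozilla: a POSIX shell function that re-runs a testcase with and without --fuzzing-safe and reports whether the crash depends on the flag. The crash signatures it greps for (MOZ_CRASH, Assertion failure, ERROR: AddressSanitizer) and the exit-status convention are assumptions about how a fuzzing build of the js shell reports a crash; the shell path and testcase path are parameters, and the sample testcase in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Mozilla: re-run a
# fuzzer-found SpiderMonkey testcase with and without --fuzzing-safe.  That
# flag removes shell testing functions that are not meant to be fuzzed
# (this PoC called getInnerMostEnvironmentObject), so a crash that only
# reproduces without it is a testing-function artifact, not a security bug.
#
# Assumptions: the shell dies by signal (exit status >= 128) or prints one of
# the signatures below when it hits MOZ_CRASH, a MOZ_ASSERT failure, or an
# ASan report.  The shell path and testcase path are parameters.

# crashes SHELL [FLAGS...] TESTCASE: succeed (0) if the run looks like a crash.
crashes() {
  out=$("$@" 2>&1)
  status=$?
  # Death by signal: sh reports 128 + signal number (SIGABRT -> 134).
  if [ "$status" -ge 128 ]; then
    return 0
  fi
  # ASan builds exit normally (status 1 by default) after printing a report.
  printf '%s\n' "$out" | grep -qE 'MOZ_CRASH|Assertion failure|ERROR: AddressSanitizer'
}

# triage_poc SHELL TESTCASE: classify the testcase.
#   returns 0: crashes under --fuzzing-safe too, worth filing
#   returns 1: crashes only without --fuzzing-safe, likely an unsafe testing function
#   returns 2: no crash observed in either mode
triage_poc() {
  shell=$1
  poc=$2
  if crashes "$shell" --fuzzing-safe "$poc"; then
    echo "REPRODUCES under --fuzzing-safe: file it"
    return 0
  elif crashes "$shell" "$poc"; then
    echo "crashes only WITHOUT --fuzzing-safe: check the PoC for shell testing functions"
    return 1
  else
    echo "no crash in either mode"
    return 2
  fi
}

# Stand-alone use: sh triage.sh /path/to/js ./poc.js
if [ "$#" -eq 2 ]; then
  triage_poc "$1" "$2"
fi
```

Run it as triage_poc /path/to/js ./poc.js before filing. For this PoC the expected outcome is the second branch: under --fuzzing-safe the call to getInnerMostEnvironmentObject throws a ReferenceError instead of reaching the compartment check, so the MOZ_CRASH only appears without the flag, which is exactly why the report was closed INVALID.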
Updated•2 years ago
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Keywords: reporter-external