Closed Bug 1853103 Opened 2 years ago Closed 2 years ago

Crash [@ JSAutoRealm::JSAutoRealm(JSContext*, JSObject*)] with transplantableObject

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- verified

People

(Reporter: decoder, Assigned: iain)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20230912-3cf19f416a7b (opt build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments test-indirect.js):

a = newGlobal()                  // a second global (compartment) to transplant into
let {
    transplant
} = transplantableObject()       // shell-only helper: stashes its object in a private slot of transplant
transplant(a)                    // move the object into a's compartment; our reference becomes a CCW
nukeAllCCWs()                    // nuke every cross-compartment wrapper, leaving a dead wrapper behind
b = this
transplant(b)                    // transplanting back hits the dead wrapper and crashes in JSAutoRealm

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000557eb3e103f2 in JSAutoRealm::JSAutoRealm(JSContext*, JSObject*) ()
#1  0x0000557eb3814530 in JS_CopyOwnPropertiesAndPrivateFields(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#2  0x0000557eb415a5b7 in TransplantObject(JSContext*, unsigned int, JS::Value*) ()
[...]
#8  0x0000557eb41408b1 in Process(JSContext*, char const*, bool, FileKind) ()
#9  0x0000557eb4132d06 in main ()
rax	0x7fc3d6890700	140479094654720
rbx	0x7ffdf036fdd0	140728633589200
rcx	0x7ffdf036fda8	140728633589160
rdx	0x6800000000004	1829587348619268
rsi	0x7fc3d6825900	140479094216960
rdi	0x7ffdf036fbd8	140728633588696
rbp	0x7ffdf036fba0	140728633588640
rsp	0x7ffdf036fba0	140728633588640
r8	0x7fc3d6825900	140479094216960
r9	0x557eb5b08080	94002702483584
r10	0x7ffdf036fd08	140728633589000
r11	0x0	0
r12	0xfffe000000000000	-562949953421312
r13	0x0	0
r14	0x7fc3d5653090	140479075528848
r15	0x7fc3d6825900	140479094216960
rip	0x557eb3e103f2 <JSAutoRealm::JSAutoRealm(JSContext*, JSObject*)+18>
=> 0x557eb3e103f2 <_ZN11JSAutoRealmC2EP9JSContextP8JSObject+18>:	mov    (%rdx),%rax
   0x557eb3e103f5 <_ZN11JSAutoRealmC2EP9JSContextP8JSObject+21>:	testb  $0x30,0x8(%rax)
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230914041524-8f5a11c1eb0b.
Unable to bisect testcase (Unable to launch the start build!):

Start: 378f4792151d5697909fe1654f7e3f321a72ea96 (20220915040947)
End: 3cf19f416a7b367605d44901ca40b9d43809a57b (20230912041249)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=None, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This seems straightforward enough:

  1. We create a transplantable object in our compartment.
  2. We transplant it into another compartment, replacing the original value with a CCW.
  3. We nuke the CCW.
  4. We call transplant again to transplant it back into the original global, but the shell implementation of TransplantObject doesn't expect a dead wrapper. In a debug build, we fail an assert that it's a DOM object. In a non-debug build, we get into some sort of messy situation. I don't think it's security-sensitive, though, because this code is shell-only.

It seems like we should be able to fix this by just checking for dead wrappers in the code I linked above. I don't think the corresponding code in Gecko should have this problem, because it's an artifact of how the transplantableObject() testing function stashes away an object in a private slot of transplant and doesn't expect its class to change.

All that being said, brain transplants are scary, so maybe it's best to keep this hidden until Jan has a chance to look at my patch and see if I'm missing something important.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
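
As an added illustration of the four-step sequence described above, the following self-contained C++ model replays it and shows where the check for dead object proxies belongs. It is example code written for this page, not SpiderMonkey code and not the patch: Heap, Obj, Realm, transplant(), nukeAllCCWs() and runScenario() are hypothetical stand-ins for the real JSObject, JSAutoRealm, JS_CopyOwnPropertiesAndPrivateFields and shell-helper machinery, and only the shape of the fix (refuse a dead wrapper before unwrapping it) is taken from the bug.

```cpp
// Added example: a hypothetical model of the crash sequence in this bug and of the
// dead-wrapper check the fix adds. These are stand-in types, not SpiderMonkey's API.
#include <memory>
#include <string>
#include <vector>

enum class ObjClass { Plain, CrossCompartmentWrapper, DeadObjectProxy };

struct Realm { std::string name; };

struct Obj {
  ObjClass cls;
  Realm* realm;   // realm this object lives in
  Obj* target;    // wrappers only: the object in the other realm they forward to
  int payload;    // stands in for own properties / private fields
};

// Simple arena so objects keep their identity and wrappers can be nuked in place.
struct Heap {
  std::vector<std::unique_ptr<Obj>> objs;
  Obj* make(ObjClass cls, Realm* realm, Obj* target, int payload) {
    objs.push_back(std::make_unique<Obj>(Obj{cls, realm, target, payload}));
    return objs.back().get();
  }
  // Model of nukeAllCCWs(): every CCW becomes a dead-object proxy with no target.
  void nukeAllCCWs() {
    for (auto& o : objs) {
      if (o->cls == ObjClass::CrossCompartmentWrapper) {
        o->cls = ObjClass::DeadObjectProxy;
        o->target = nullptr;
      }
    }
  }
};

bool isDeadWrapper(const Obj* o) { return o->cls == ObjClass::DeadObjectProxy; }

enum class TransplantResult { Ok, DeadWrapper };

// Model of the shell's transplant(). `slot` is the object stashed in the helper's
// private slot and `home` is the helper's own realm. The isDeadWrapper() check is
// the point of the fix: without it, unwrapping follows target == nullptr and the
// realm-entering step (JSAutoRealm in the backtrace) dereferences garbage.
TransplantResult transplant(Heap& heap, Obj*& slot, Realm* home, Realm* dest) {
  if (isDeadWrapper(slot)) {
    return TransplantResult::DeadWrapper;  // report an error instead of crashing
  }
  Obj* source = (slot->cls == ObjClass::CrossCompartmentWrapper) ? slot->target : slot;
  // Analogue of JS_CopyOwnPropertiesAndPrivateFields: build the replacement in dest.
  Obj* fresh = heap.make(ObjClass::Plain, dest, nullptr, source->payload);
  // The stashed reference is now the new object (same realm) or a CCW pointing at it.
  slot = (dest == home) ? fresh
                        : heap.make(ObjClass::CrossCompartmentWrapper, home, fresh, 0);
  return TransplantResult::Ok;
}

// Replays the testcase: transplant into a, nuke all CCWs, transplant back home.
struct ScenarioOutcome {
  bool wrapperAfterFirstTransplant;
  bool deadAfterNuke;
  TransplantResult secondTransplant;
};

ScenarioOutcome runScenario() {
  Heap heap;
  Realm home{"this"};
  Realm a{"newGlobal()"};
  Obj* slot = heap.make(ObjClass::Plain, &home, nullptr, 42);  // transplantableObject()
  ScenarioOutcome out{};
  transplant(heap, slot, &home, &a);                           // transplant(a)
  out.wrapperAfterFirstTransplant = (slot->cls == ObjClass::CrossCompartmentWrapper);
  heap.nukeAllCCWs();                                          // nukeAllCCWs()
  out.deadAfterNuke = isDeadWrapper(slot);
  out.secondTransplant = transplant(heap, slot, &home, &home); // transplant(b), b = this
  return out;
}
```

In the model the second transplant returns DeadWrapper rather than touching the nulled target; the real fix similarly reports the dead object proxy before TransplantObject reaches JS_CopyOwnPropertiesAndPrivateFields.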

Opening this up, because it's shell-only.

Group: javascript-core-security
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/460c84ce74d6 Check for dead object proxies in TransplantObject r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch

Verified bug as fixed on rev mozilla-central 20230916091445-10a16ed7ab96.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon