Closed
Bug 1878511
Opened 1 year ago
Closed 1 year ago
MOZ_CRASH(If all our globals are dead, why is someone expecting a global?) at vm/Compartment.cpp:593
Categories
(Core :: JavaScript Engine, defect, P2)
RESOLVED
FIXED
124 Branch
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
oomTest(function () {
newGlobal().Debugger.call().addAllGlobalsAsDebuggees();
});
(gdb) bt
#0 JS::Compartment::firstGlobal (this=<optimized out>) at /home/ubumain/trees/mozilla-central/js/src/vm/Compartment.cpp:593
#1 0x0000555557881f02 in JS::Compartment::globalForNewCCW (this=0x7ffff7a1ca60 <_IO_stdfile_2_lock>) at /home/ubumain/trees/mozilla-central/js/src/vm/Compartment.h:325
#2 js::Wrapper::New (cx=cx@entry=0x7ffff662e100, obj=0x24d1abf036e0, handler=0x555558adf3d0 <js::CrossCompartmentWrapper::singleton>, options=...) at /home/ubumain/trees/mozilla-central/js/src/proxy/Wrapper.cpp:278
#3 0x0000555557882fe7 in js::TransparentObjectWrapper (cx=0x7ffff662e100, existing=..., obj=...) at /home/ubumain/trees/mozilla-central/js/src/proxy/Wrapper.cpp:433
#4 0x0000555557326643 in JS::Compartment::getOrCreateWrapper (this=this@entry=0x7ffff6603d40, cx=cx@entry=0x7ffff662e100, existing=..., obj=obj@entry=...) at /home/ubumain/trees/mozilla-central/js/src/vm/Compartment.cpp:312
#5 0x0000555557326bec in JS::Compartment::wrap (this=0x7ffff6603d40, cx=0x7ffff662e100, obj=...) at /home/ubumain/trees/mozilla-central/js/src/vm/Compartment.cpp:384
#6 0x00005555578ef784 in js::Debugger::addDebuggeeGlobal (this=0x7ffff5ef9000, cx=0x7ffff662e100, global=...) at /home/ubumain/trees/mozilla-central/js/src/debugger/Debugger.cpp:4922
#7 0x00005555578f01c3 in js::Debugger::CallData::addAllGlobalsAsDebuggees (this=this@entry=0x7fffffffbad0) at /home/ubumain/trees/mozilla-central/js/src/debugger/Debugger.cpp:4638
#8 0x000055555791eeb7 in js::Debugger::CallData::ToNative<&js::Debugger::CallData::addAllGlobalsAsDebuggees> (cx=cx@entry=0x7ffff662e100, argc=<optimized out>, vp=<optimized out>) at /home/ubumain/trees/mozilla-central/js/src/debugger/Debugger.cpp:4230
#9 0x00005555571c0d25 in CallJSNative (cx=cx@entry=0x7ffff662e100, native=native@entry=0x55555791ee20 <js::Debugger::CallData::ToNative<&js::Debugger::CallData::addAllGlobalsAsDebuggees>(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/ubumain/trees/mozilla-central/js/src/vm/Interpreter.cpp:480
#10 0x0000555557197e2b in js::InternalCallOrConstruct (cx=0x7ffff662e100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ubumain/trees/mozilla-central/js/src/vm/Interpreter.cpp:574
#11 0x0000555557198d9d in InternalCall (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff662e100, args=..., reason=1488292112, reason@entry=js::CallReason::Call) at /home/ubumain/trees/mozilla-central/js/src/vm/Interpreter.cpp:641
/snip
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8ccf33e282b4
user: Nicolas B. Pierron
date: Tue Nov 29 18:30:30 2022 +0000
summary: Bug 1219128 - Initialize Object and Function constructors when creating globals. r=jandem
Run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev f8d442e9495d.
Setting s-s to be safe. Nicolas, is bug 1219128 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(nicolas.b.pierron)
Comment 1•1 year ago
Set release status flags based on info from the regressing bug 1219128
status-firefox122:
--- → affected
status-firefox123:
--- → affected
status-firefox-esr115:
--- → affected
Updated•1 year ago
Group: core-security → javascript-core-security
Comment 2•1 year ago
This doesn't really look like a security bug. We're looking for a global but we don't find one and we MOZ_CRASH.
Group: javascript-core-security
Updated•1 year ago
Flags: needinfo?(jdemooij)
Updated•1 year ago
Severity: -- → S3
Priority: -- → P2
Comment 3 (Assignee)•1 year ago
If allocating the global failed due to OOM, we shouldn't try to add it as debuggee.
Updated•1 year ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Updated (Assignee)•1 year ago
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(jdemooij)
Updated (Assignee)•1 year ago
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2ea0fda6ec6e
Skip realms without an initialized global in addAllGlobalsAsDebuggees. r=jonco
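The diagnosis in comment 3 (a global whose allocation failed under OOM must not be offered to the debugger) and the landed fix (skip realms with no initialized global) describe a general defect class: an object is registered with its owner before its initialization finishes, and a later walk over all registered objects assumes initialization always completed. The following is an added, self-contained C++ model of that pattern, not SpiderMonkey code: `Runtime`, `Realm`, `Debugger`, the fail-point allocator and the `crashesUnderOom` harness are all constructed here, and the thrown `std::logic_error` stands in for `MOZ_CRASH`. The harness mimics what the shell's `oomTest()` does for the reporter's testcase, failing a different allocation on each run, so the pre-fix walk is shown to crash on exactly the run where the realm exists but its global does not, while the fixed walk survives every run.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <stdexcept>
#include <vector>

// Constructed model of the bug, not SpiderMonkey code. A Realm is registered
// with the runtime before its global object is allocated, so an OOM between
// those two steps leaves a realm whose global is still null.
struct GlobalObject {
  explicit GlobalObject(int id) : id(id) {}
  int id;
};

struct Realm {
  std::unique_ptr<GlobalObject> global;  // null until initialization finishes
  bool hasInitializedGlobal() const { return global != nullptr; }
};

// Runtime with a fail-point allocator in the spirit of the shell's oomTest():
// allocation number `failAt` (1-based) fails; 0 means never fail.
struct Runtime {
  std::vector<std::unique_ptr<Realm>> realms;
  std::size_t allocCount = 0;
  std::size_t failAt = 0;

  bool allocationFails() { return ++allocCount == failAt; }

  // Models newGlobal(): realm first, then its global. If the second
  // allocation fails, the realm stays in `realms` with no global.
  Realm* newGlobal(int id) {
    if (allocationFails()) return nullptr;
    realms.push_back(std::make_unique<Realm>());
    Realm* realm = realms.back().get();
    if (allocationFails()) return nullptr;  // partially initialized realm remains
    realm->global = std::make_unique<GlobalObject>(id);
    return realm;
  }
};

// Stands in for Compartment::firstGlobal(): expecting a global where none
// exists is a fatal invariant violation (MOZ_CRASH in the real engine).
GlobalObject* firstGlobal(Realm& realm) {
  if (!realm.global) {
    throw std::logic_error(
        "If all our globals are dead, why is someone expecting a global?");
  }
  return realm.global.get();
}

struct Debugger {
  std::vector<GlobalObject*> debuggees;

  // Pre-fix shape: every registered realm is assumed to carry a global.
  void addAllGlobalsUnchecked(Runtime& rt) {
    for (auto& realm : rt.realms) debuggees.push_back(firstGlobal(*realm));
  }

  // Post-fix shape: realms whose global never finished initializing are skipped.
  void addAllGlobalsAsDebuggees(Runtime& rt) {
    for (auto& realm : rt.realms) {
      if (!realm->hasInitializedGlobal()) continue;
      debuggees.push_back(firstGlobal(*realm));
    }
  }
};

// Harness in the spirit of oomTest(): run `body` once per fail point, failing
// a different allocation each time, and count invariant crashes. `maxAllocs`
// bounds the sweep; the body must tolerate a null return from newGlobal().
int crashesUnderOom(const std::function<void(Runtime&, Debugger&)>& body,
                    std::size_t maxAllocs = 8) {
  int crashes = 0;
  for (std::size_t failAt = 1; failAt <= maxAllocs; ++failAt) {
    Runtime rt;
    rt.failAt = failAt;
    Debugger dbg;
    try {
      body(rt, dbg);
    } catch (const std::logic_error&) {
      ++crashes;
    }
  }
  return crashes;
}

// The reporter's testcase restated in the model: create a global under OOM
// pressure, then ask a debugger to adopt every global.
int crashesBeforeFix() {
  return crashesUnderOom([](Runtime& rt, Debugger& dbg) {
    rt.newGlobal(1);
    dbg.addAllGlobalsUnchecked(rt);
  });
}

int crashesAfterFix() {
  return crashesUnderOom([](Runtime& rt, Debugger& dbg) {
    rt.newGlobal(1);
    dbg.addAllGlobalsAsDebuggees(rt);
  });
}
```

Only the run that fails the second allocation produces a realm without a global; the unchecked walk crashes there and nowhere else, while the checked walk simply leaves that realm out of the debuggee set. The check belongs in the consumer (the walk), as in the landed fix, because the half-initialized realm is a legitimate state the runtime can be in after OOM, not something the allocator can always clean up before returning.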
Comment 5 (bugherder)•1 year ago
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Updated•1 year ago
Flags: sec-bounty? → sec-bounty-
Updated (Reporter)•1 year ago
Blocks: gkw-js-fuzzing
Updated•1 year ago
Keywords: reporter-external