Closed Bug 1879166 Opened 10 months ago Closed 9 months ago

Assertion failure: !cx->isExceptionPending(), at vm/Interpreter.cpp:483

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fixed

People

(Reporter: gkw, Assigned: tschuster)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

// Testcase for the SpiderMonkey JS shell. oomTest is a shell builtin that runs
// the function repeatedly, failing one allocation per iteration; x doubles as
// the options object, and its truthy keepFailing property keeps allocations
// failing after the first failure. new Date(x) with an array argument yields
// an invalid date (NaN time value), so toString takes the invalid-date path.
let x = [];
x.keepFailing = [];
oomTest(function () {
  new Date(x).toString();
}, x);
(gdb) bt
#0  CallJSNative (cx=cx@entry=0x7ffff6b2e100, native=native@entry=0x55555790f240 <date_toString(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...)
    at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:483
#1  0x000055555726dbdb in js::InternalCallOrConstruct (cx=0x7ffff6b2e100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:574
#2  0x000055555726eb4d in InternalCall (cx=0x7ffff7beea60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6b2e100, args=..., reason=1489431728, reason@entry=js::CallReason::Call)
    at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:641
#3  0x000055555726eab7 in js::CallFromStack (cx=0x7ffff7beea60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6b2e100, args=..., reason=4156479267, reason@entry=js::CallReason::Call)
    at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:646
#4  0x0000555557e5c47c in js::jit::DoCallFallback (cx=0x7ffff6b2e100, frame=0x7fffffffc0c8, stub=0x7ffff6928290, argc=0, vp=0x7fffffffc088, res=...)
    at /home/skymainubu/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1659
#5  0x00001ca0f8ca8a5f in ?? ()
#6  0xfff9800000000000 in ?? ()
#7  0x0000000000000067 in ?? ()
#8  0x00007fffffffc0a0 in ?? ()
#9  0x00001ca0f8ccd6e4 in ?? ()
#10 0x0000000000000002 in ?? ()
#11 0x00007fffffffc0c8 in ?? ()
#12 0x00007ffff6928290 in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb)

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 612d82d4c66a.

Setting s-s to be safe.

Flags: sec-bounty?
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8e6c7b85d0db
user:        Tom Schuster
date:        Fri Sep 08 19:24:44 2023 +0000
summary:     Bug 1846224 - Add a JavaScript per-realm locale override. r=jandem

Tom, is bug 1846224 a likely regressor?

Flags: needinfo?(evilpies)
Keywords: regression
Regressed by: 1846224

Set release status flags based on info from the regressing bug 1846224

Group: core-security → javascript-core-security
Flags: needinfo?(evilpies)

:tschuster, since you are the author of the regressor, bug 1846224, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(tschuster)
Assignee: nobody → tschuster
Flags: needinfo?(tschuster)

The problem is that JSRuntime::getDefaultLocale can fail due to OOM and set an exception, but later in FormatDateHelper we just returned early for invalid dates, so we don't realize we should throw.

I am not sure if this is really a security issue.

JSRuntime::getDefaultLocale should only return nullptr when throwing on
OOM. Otherwise the locale "und" is used.
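The failure mode described in comment 4, as an added illustration that is not SpiderMonkey code: Context, getDefaultLocale, formatDateBuggy, formatDateFixed, callNative and runFormat are hypothetical stand-ins modelled on the explanation above. A helper reports OOM (leaving an exception pending) and returns nullptr; the caller reaches its invalid-date early return first and reports success, which is exactly the state the `!cx->isExceptionPending()` assertion in the report rejects. The fixed shape checks the helper's result before any other early return.

```cpp
// Added illustration, not SpiderMonkey code. Every name below is a
// hypothetical stand-in for the component named in its comment.
#include <cmath>
#include <iostream>
#include <string>

// Stand-in for JSContext: only tracks whether an exception is pending.
struct Context {
    bool exceptionPending = false;
    bool simulateOom = false;  // when true, getDefaultLocale "runs out of memory"

    void reportOutOfMemory() { exceptionPending = true; }
    bool isExceptionPending() const { return exceptionPending; }
};

// Stand-in for JSRuntime::getDefaultLocale: returns nullptr only after
// reporting OOM (exception now pending), and the "und" locale otherwise.
const char* getDefaultLocale(Context& cx) {
    if (cx.simulateOom) {
        cx.reportOutOfMemory();
        return nullptr;
    }
    return "und";
}

// Native-function convention, as in SpiderMonkey: return true on success,
// false after throwing. Returning true with an exception pending is a bug.
using NativeFn = bool (*)(Context&, double, std::string&);

// Buggy shape: the locale is fetched, its nullptr result is not checked yet,
// and the invalid-date early return reports success with the OOM exception
// still pending. A valid date would reach the nullptr check and throw correctly.
bool formatDateBuggy(Context& cx, double utcTime, std::string& out) {
    const char* locale = getDefaultLocale(cx);  // may be nullptr with exception pending
    if (std::isnan(utcTime)) {
        out = "Invalid Date";
        return true;  // too early: exception from getDefaultLocale is swallowed
    }
    if (!locale) {
        return false;
    }
    out = std::to_string(static_cast<long long>(utcTime)) + " [" + locale + "]";
    return true;
}

// Fixed shape: nullptr from getDefaultLocale means "already threw", so the
// failure is propagated before the invalid-date early return is considered.
bool formatDateFixed(Context& cx, double utcTime, std::string& out) {
    const char* locale = getDefaultLocale(cx);
    if (!locale) {
        return false;  // exception already pending; let the caller unwind
    }
    if (std::isnan(utcTime)) {
        out = "Invalid Date";
        return true;
    }
    out = std::to_string(static_cast<long long>(utcTime)) + " [" + locale + "]";
    return true;
}

enum class CallResult { Ok, Threw, InvariantViolated };

// Stand-in for the interpreter's CallJSNative check: the assertion in the
// report fires when a native returns true while an exception is pending.
CallResult callNative(Context& cx, NativeFn native, double arg, std::string& out) {
    bool ok = native(cx, arg, out);
    if (ok && cx.isExceptionPending()) {
        return CallResult::InvariantViolated;  // !cx->isExceptionPending() fails
    }
    return ok ? CallResult::Ok : CallResult::Threw;
}

// Runs one native with optional OOM injected into getDefaultLocale. NaN as
// utcTime models the invalid date produced by `new Date(x)` in the testcase.
CallResult runFormat(NativeFn native, double utcTime, bool injectOom) {
    Context cx;
    cx.simulateOom = injectOom;
    std::string out;
    return callNative(cx, native, utcTime, out);
}

const char* describe(CallResult r) {
    switch (r) {
        case CallResult::Ok: return "ok";
        case CallResult::Threw: return "threw (exception propagated)";
        default: return "ASSERTION: returned true with exception pending";
    }
}

int main() {
    const double invalid = std::nan("");
    std::cout << "buggy, invalid date, no OOM: " << describe(runFormat(formatDateBuggy, invalid, false)) << "\n";
    std::cout << "buggy, valid date,   OOM:    " << describe(runFormat(formatDateBuggy, 0.0, true)) << "\n";
    std::cout << "buggy, invalid date, OOM:    " << describe(runFormat(formatDateBuggy, invalid, true)) << "\n";
    std::cout << "fixed, invalid date, OOM:    " << describe(runFormat(formatDateFixed, invalid, true)) << "\n";
    return 0;
}
```

Only the combination of OOM inside the locale lookup and an invalid date trips the buggy version, which is why the fuzzer needed both oomTest and a NaN-valued Date to reach the assertion; with a valid date the nullptr check is reached and the failure propagates.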

(In reply to Tom Schuster (MoCo) from comment #4)
> The problem is that JSRuntime::getDefaultLocale can fail due to OOM and set an exception, but later in FormatDateHelper we just returned early for invalid dates, so we don't realize we should throw.
>
> I am not sure if this is really a security issue.

Yeah this isn't a security bug.

Group: javascript-core-security
Blocks: sm-runtime
Severity: -- → S4
Priority: -- → P3
Status: NEW → ASSIGNED
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8334f344bff3 Don't ignore exception from Runtime::getLocale. r=jandem

Backed out for causing SM bustages on date-getLocale-oom

Backout link

Push with failures

Failure log // Failure log 2

Flags: needinfo?(tschuster)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f797af17797a Don't ignore exception from Runtime::getLocale. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Flags: needinfo?(tschuster)
Flags: sec-bounty? → sec-bounty-