Closed Bug 1884706 Opened 1 year ago Closed 1 year ago

Assertion failure: count < PropCountLimit, at vm/Iteration.h:487

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

defect

Tracking

RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: lukas.bernhard, Assigned: iain)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Steps to reproduce:

On git commit a3d5a112ddb2d665b0c7ac2919b6f4fc6c97366c the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --fuzzing-safe crash.js. Bisecting the issue points to commit 27296912bcc0bb879956fe27b8fbee894c69113b related to bug 1799025.

const v20 = new ArrayBuffer(536870912); // 536870912 * 8 = 2**32
const v21 = new Float64Array(v20);
for (const v25 in v21) {
}

#0  0x0000555557d7983c in js::NativeIterator::initialFlagsAndCount (count=67108864)
    at js/src/vm/Iteration.h:487
#1  0x0000555557d676ff in js::NativeIterator::NativeIterator (this=0x7fff74800000, cx=0x7ffff763d200,
    propIter=..., objBeingIterated=..., props=..., supportsIndices=false, indices=0x0, numShapes=0,
    hadError=0x7fffffffa15f) at js/src/vm/Iteration.cpp:898
#2  0x0000555557d6b434 in CreatePropertyIterator (cx=0x7ffff763d200, objBeingIterated=..., props=...,
    supportsIndices=false, indices=0x0, cacheableProtoChainLength=0)
    at js/src/vm/Iteration.cpp:861
#3  0x0000555557d68967 in GetIteratorImpl<false> (cx=0x7ffff763d200, obj=...)
    at js/src/vm/Iteration.cpp:1275
#4  0x0000555557d683c2 in js::GetIterator (cx=0x7ffff763d200, obj=...)
    at js/src/vm/Iteration.cpp:1306
#5  0x0000555557d6b5da in js::ValueToIterator (cx=0x7ffff763d200, vp=...)
    at js/src/vm/Iteration.cpp:1638
#6  0x0000555557a92481 in js::Interpret (cx=0x7ffff763d200, state=...)
    at js/src/vm/Interpreter.cpp:2189
#7  0x0000555557a8b1d5 in MaybeEnterInterpreterTrampoline (cx=0x7ffff763d200, state=...)
    at js/src/vm/Interpreter.cpp:393
#8  0x0000555557a8ae81 in js::RunScript (cx=0x7ffff763d200, state=...)
    at js/src/vm/Interpreter.cpp:451
#9  0x0000555557a8d3c1 in js::ExecuteKernel (cx=0x7ffff763d200, script=..., envChainArg=..., evalInFrame=...,
    result=...) at js/src/vm/Interpreter.cpp:838
#10 0x0000555557a8d73c in js::Execute (cx=0x7ffff763d200, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:870
#11 0x0000555557c8af9f in ExecuteScript (cx=0x7ffff763d200, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#12 0x0000555557c8b0c5 in JS_ExecuteScript (cx=0x7ffff763d200, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#13 0x00005555578eb6ff in RunFile (cx=0x7ffff763d200,
    filename=0x7ffff769a900 "crash_2024_03_11_2.js", file=0x7ffff7769f20,
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1200
#14 0x00005555578eafcc in Process (cx=0x7ffff763d200,
    filename=0x7ffff769a900 "crash_2024_03_11_2.js", forceTTY=false,
    kind=FileScript) at js/src/shell/js.cpp:1780
#15 0x00005555578c4511 in ProcessArgs (cx=0x7ffff763d200, op=0x7fffffffdd10)
    at js/src/shell/js.cpp:10991
#16 0x00005555578b2f63 in Shell (cx=0x7ffff763d200, op=0x7fffffffdd10)
    at js/src/shell/js.cpp:11250
#17 0x00005555578addc4 in main (argc=4, argv=0x7fffffffdf78)
    at js/src/shell/js.cpp:11758

Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Group: core-security → javascript-core-security

This is an off-by-one error in this line of code. As a result, we can create a NativeIterator with 67108864 properties but an initialPropertyCount of 0.

Luckily, we don't actually use initialPropertyCount for much. The only non-assertion use is in NativeIterator::allocationSize, which in turn is only used when freeing the native iterator to update our heap size tracking. I don't think that's security sensitive.

Instead, we track the end of the properties array with a dedicated pointer, which is independent of this limit.

Group: javascript-core-security
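
To make the boundary case concrete, here is a small model (added here, not SpiderMonkey's own code) of a flags-and-count word with an assumed layout of 6 flag bits and a 26-bit count, so PropCountLimit is 2^26 = 67108864, exactly the element count of the Float64Array in the testcase. The buggy caller's `>` comparison is an assumed shape of the off-by-one: it admits the limit value itself, and the shift then packs a count of 2^26 into a stored count of 0, which is what the `count < PropCountLimit` assertion catches.

```cpp
#include <cstdint>
#include <optional>

// Assumed layout (model only): low 6 bits are flags, the remaining 26 bits
// hold the property count, so the largest storable count is 2^26 - 1.
constexpr uint32_t FlagsBits = 6;
constexpr uint32_t PropCountShift = FlagsBits;
constexpr uint32_t PropCountLimit = uint32_t(1) << (32 - FlagsBits);  // 67108864

// The condition the assertion in the report checks before packing.
constexpr bool countFitsInField(uint32_t count) { return count < PropCountLimit; }

// Packing the count: for count == PropCountLimit the single set bit is
// shifted out of the 32-bit word and the stored count becomes 0.
constexpr uint32_t packFlagsAndCount(uint32_t count) { return count << PropCountShift; }
constexpr uint32_t unpackCount(uint32_t word) { return word >> PropCountShift; }

// Buggy caller (assumed shape of the regression): the off-by-one limit test
// lets count == PropCountLimit through, producing an initialPropertyCount of 0.
std::optional<uint32_t> createIteratorBuggy(uint32_t count) {
  if (count > PropCountLimit) return std::nullopt;  // should be >=
  return packFlagsAndCount(count);
}

// Fixed caller: rejects the boundary value, so the pack never wraps.
std::optional<uint32_t> createIteratorFixed(uint32_t count) {
  if (count >= PropCountLimit) return std::nullopt;
  return packFlagsAndCount(count);
}

// Number of index properties enumerated for the testcase's Float64Array:
// ArrayBuffer byte length divided by sizeof(double).
constexpr uint32_t typedArrayLength(uint32_t byteLength) { return byteLength / 8; }
```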

(In reply to lukas.bernhard from comment #0)
> Bisecting the issue points to commit 27296912bcc0bb879956fe27b8fbee894c69113b related to bug 1799025.

This maps to m-c rev 5a34d12bfb67 (Jan 2023) for bug 1799025.

Keywords: regression
Regressed by: 1799025

Set release status flags based on info from the regressing bug 1799025

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Blocks: sm-jits
Severity: -- → S4
Priority: -- → P2
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch