Closed Bug 1888614 Opened 2 years ago Closed 2 years ago

Assertion failure: cx->realm() == oldRealm, at /js/src/vm/Realm.h:819

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 + verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
3.06 KB, text/plain
Details
Testcase
85 bytes, text/plain
Details
Bug 1888614 - Fix exception handler to restore realm for trampoline native frames too. r?iain!
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20240328-1bf9232e1e78 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

function a(b) {
    b.Array.prototype.toSorted.call([2, 3], () => c)
}
a(newGlobal())

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000056108adc6b9d in js::jit::CallTrampolineNativeJitCode(JSContext*, js::jit::TrampolineNative, JS::CallArgs&) ()
#1  0x000056108a170133 in js::array_sort(JSContext*, unsigned int, JS::Value*) ()
#2  0x000056108a122565 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3  0x000056108a121ad8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4  0x000056108a1327bb in js::Interpret(JSContext*, js::RunState&) ()
#5  0x000056108a12107f in js::RunScript(JSContext*, js::RunState&) ()
#6  0x000056108a1219f8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#7  0x000056108a1233a3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#8  0x000056108a39d82d in js::fun_call(JSContext*, unsigned int, JS::Value*) ()
#9  0x000056108a122565 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#10 0x000056108a121ad8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
[...]
#20 0x0000561089f530a9 in main ()
rax	0x561088906f23	94629010632483
rbx	0x7fc4b1739100	140482767458560
rcx	0x56108bb01a88	94629063039624
rdx	0x1	1
rsi	0x0	0
rdi	0x7fc4b4aa97d0	140482821396432
rbp	0x7ffd00b747f0	140724615464944
rsp	0x7ffd00b744d0	140724615464144
r8	0x0	0
r9	0x6c	108
r10	0x5610888013bb	94629009560507
r11	0x18	24
r12	0x7fc4b1739100	140482767458560
r13	0x7fc4b05ba200	140482749112832
r14	0x0	0
r15	0xfffa800000000000	-1548112371908608
rip	0x56108adc6b9d <js::jit::CallTrampolineNativeJitCode(JSContext*, js::jit::TrampolineNative, JS::CallArgs&)+1261>
=> 0x56108adc6b9d <_ZN2js3jit27CallTrampolineNativeJitCodeEP9JSContextNS0_16TrampolineNativeERN2JS8CallArgsE+1261>:	movl   $0x333,0x0
   0x56108adc6ba8 <_ZN2js3jit27CallTrampolineNativeJitCodeEP9JSContextNS0_16TrampolineNativeERN2JS8CallArgsE+1272>:	callq  0x561089ff6970 <abort>

S-s until investigated, but possibly a shell-only issue.

Attached file Testcase

Verified bug as reproducible on mozilla-central 20240329091052-4120fb3d12f5.
The bug appears to have been introduced in the following build range:

Start: 7f2993771f48536c575137e4b51984ab6d3de136 (20240327093111)
End: 9c458764557de25f93134811a808f6c5b68b5683 (20240327123927)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7f2993771f48536c575137e4b51984ab6d3de136&tochange=9c458764557de25f93134811a808f6c5b68b5683

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Duplicate of this bug: 1888859
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jandem, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(jdemooij)
Severity: -- → S3
Priority: -- → P1
See Also: → 1888746
Flags: needinfo?(jdemooij)
Regressed by: 1884360

Set release status flags based on info from the regressing bug 1884360

status-firefox124: --- → unaffected
status-firefox125: --- → unaffected
status-firefox-esr115: --- → unaffected
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8ba15fb3353f Fix exception handler to restore realm for trampoline native frames too. r=iain
Keywords: sec-high

https://hg.mozilla.org/mozilla-central/rev/8ba15fb3353f

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox126: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch

Verified bug as fixed on rev mozilla-central 20240404034404-1d9c4672f9f5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox126: fixedverified
Keywords: bugmon
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: