Closed Bug 1888746 Opened 1 year ago Closed 1 year ago

Assertion failure: !frames->empty(), at src/vm/SavedStacks.cpp:143

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

RESOLVED FIXED
126 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 + fixed

People

(Reporter: lukas.bernhard, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [keep hidden while 1888614 is])

Attachments

(1 file)

Steps to reproduce:

On git commit 28cc363411d2029aed04c969c8f98785cae110db the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

const v1 = new Uint32Array(Uint32Array);
function f2() {
    Object.defineProperty(v1, "b", { writable: true, set: f2 });
    return f2;
}

const v3 = `
var arr = [];
for (let i = 0; i < 10; i++) {
    var o = {y: 1};
    arr.push(o);
}
arr`;
const o6 = {
    "global": newGlobal(),
};
const x = evaluate(v3, o6)
print(x);
x.sort(f2);

#0  js::AssertRealmUnchanged::~AssertRealmUnchanged (this=<optimized out>)
    at js/src/vm/Realm.h:819
#1  js::jit::CallTrampolineNativeJitCode (cx=cx@entry=0x7ffff6041300,
    native=native@entry=js::jit::TrampolineNative::ArraySort, args=...)
    at js/src/jit/TrampolineNatives.cpp:265
#2  0x00005555572d1eed in js::array_sort (cx=cx@entry=0x7ffff6041300, argc=1, vp=<optimized out>)
    at js/src/builtin/Array.cpp:2597
#3  0x00005555572693b7 in CallJSNative (cx=cx@entry=0x7ffff6041300,
    native=native@entry=0x5555572d1da0 <js::array_sort(JSContext*, unsigned int, JS::Value*)>,
    reason=reason@entry=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:479
#4  0x00005555572685d2 in js::InternalCallOrConstruct (cx=0x7ffff6041300, args=...,
    construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:573
#5  0x000055555726a326 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=...,
    reason=1505770368) at js/src/vm/Interpreter.cpp:640
#6  0x000055555727e5b1 in js::CallFromStack (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=...,
    reason=<optimized out>) at js/src/vm/Interpreter.cpp:645
#7  js::Interpret (cx=0x7ffff6041300, state=...)
    at js/src/vm/Interpreter.cpp:3060
#8  0x0000555557267b27 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>,
    cx@entry=0x7ffff6041300, state=...) at js/src/vm/Interpreter.cpp:393
#9  0x000055555726781a in js::RunScript (cx=cx@entry=0x7ffff6041300, state=...)
    at js/src/vm/Interpreter.cpp:451
#10 0x000055555726c7f2 in js::ExecuteKernel (cx=cx@entry=0x7ffff6041300, script=script@entry=...,
    envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=result@entry=...)
    at js/src/vm/Interpreter.cpp:838
#11 0x000055555726cffd in js::Execute (cx=cx@entry=0x7ffff6041300, script=script@entry=...,
    envChain=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:870
#12 0x00005555574b819a in ExecuteScript (cx=cx@entry=0x7ffff6041300, envChain=..., script=...,
    rval=rval@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:494
#13 0x00005555574b8418 in JS_ExecuteScript (cx=cx@entry=0x7ffff6041300, scriptArg=scriptArg@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#14 0x00005555571a4f68 in RunFile (cx=0x7ffff6041300, filename=<optimized out>, file=<optimized out>,
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimized out>)
    at js/src/shell/js.cpp:1196
#15 0x00005555571a442e in Process (cx=cx@entry=0x7ffff6041300, filename=0x0, forceTTY=<optimized out>,
    kind=kind@entry=FileScript) at js/src/shell/js.cpp:1775
#16 0x0000555557160463 in ProcessArgs (cx=0x7ffff6041300, op=0x7fffffffdd08)
    at js/src/shell/js.cpp:11124
#17 Shell (cx=0x7ffff6041300, op=op@entry=0x7fffffffdd08)
    at js/src/shell/js.cpp:11383
#18 0x0000555557158b19 in main (argc=<optimized out>, argv=0x7fffffffdf98)
    at js/src/shell/js.cpp:11891
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Bisecting points to git commit a64040ade2d68f43a9677317b5cb01fbed9cdfd8 related to bug 1884360

Group: core-security → javascript-core-security
Keywords: regression
Regressed by: 1884360

Set release status flags based on info from the regressing bug 1884360

:jandem, since you are the author of the regressor, bug 1884360, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Another sample bisecting to the same commit, asserting with: Assertion failure: !frames->empty(), at src/vm/SavedStacks.cpp:143 when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --fuzzing-safe crash.js

function f0(a1) {
    function f2() {
        saveStack();
        return f2;
    }
    f2.valueOf = f0;
    f2();
    return f2;
}
for (let v6 = 0; v6 < 5; v6++) {
    ([173,173,173]).sort(f0);
}

The test in comment 0 is a duplicate of bug 1888614. Comment 3 is a separate issue.

Summary: Assertion failure: cx->realm() == oldRealm, at vm/Realm.h:819 → Assertion failure: !frames->empty(), at src/vm/SavedStacks.cpp:143
Duplicate of this bug: 1889035
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

I think this isn't actually security sensitive because the !frames->empty() assertion in LiveSavedFrameCache::find is a release assertion.

We should leave this closed for now though because the test in comment 0 is more serious but that one is fixed in bug 1888614.

Flags: needinfo?(jdemooij)
Severity: -- → S3
Priority: -- → P1
See Also: → 1888614
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9b0c09ca03c5 Store frame descriptor before each comparator call. r=iain
Whiteboard: [keep hidden while 1888614 is]
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons

Group: core-security-release