Closed Bug 1894586 Opened 1 year ago Closed 1 year ago

Assertion failure: js::gc::IsCellPointerValid(str), at dist/include/js/Value.h:615

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
127 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox125 --- wontfix
firefox126 --- wontfix
firefox127 --- fixed

People

(Reporter: gkw, Assigned: yury)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

// JS shell testcase: wasmDumpIon, wasmTextToBinary and oomTest are SpiderMonkey
// shell builtins. oomTest re-runs f() with each allocation forced to fail in
// turn, so the string allocation inside WasmDumpIon eventually fails.
function f() {
  wasmDumpIon(
    wasmTextToBinary(
      "(type $x (struct))(global $g (ref null $x) ref.null $x)(func $h)"
    )
  );
  oomTest(f);
}
f();
(gdb) bt
#0  JS::Value::setString (this=0x7fffffffc318, str=0x0) at /home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/objdir-js/dist/include/js/Value.h:615
#1  0x0000555557874d25 in JS::StringValue (str=0x55555576b596) at /home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/objdir-js/dist/include/js/Value.h:1187
#2  WasmDumpIon (cx=0x7ffff7639100, argc=<optimized out>, vp=<optimized out>) at /home/ubumain/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:2124
#3  0x0000166a9739d533 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb)

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 0c09216614e4.

Bisection seems to point to some time in March 2024, but it's still running.

Setting s-s as a start, although if this is like bug 1891658, it may be benign, but I'll let Yury confirm.

Flags: sec-bounty?
Flags: needinfo?(ydelendik)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/013c01e9b424
user:        Ryan Hunt
date:        Tue Mar 12 20:31:33 2024 +0000
summary:     Bug 1869365 - wasm: Add shell function to dump MIR/LIR of wasm function. r=jseward
Keywords: regression
Regressed by: 1869365

Set release status flags based on info from the regressing bug 1869365

Group: core-security → javascript-core-security

> Setting s-s as a start, although if this is like bug 1891658, it may be benign, but I'll let Yury confirm.

Yep. That's exactly like bug 1891658. The author of the code forgot to check the output of StringValue during: args.rval().set(StringValue(out.release(cx)));. WasmDumpIon is an internal test function and will not be called from content code.

Severity: -- → S4
Flags: needinfo?(ydelendik)
Priority: -- → P3
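As an added example (not SpiderMonkey's code), this models the bug shape Yury describes above and its checked counterpart, with a small driver that plays the role of the shell's oomTest; FakeContext, OutBuffer, ReturnValue, dumpIonChecked and oomTestChecked are stand-ins constructed for this illustration.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Simulated JSContext: allocation number n fails, as oomTest arranges for
// every allocation site of the function under test.
struct FakeContext {
  int allocsUntilOom; bool oomReported = false;
  bool tryAlloc() { return allocsUntilOom-- > 0; }
};

// Stand-in for the fallible dump buffer: release() reports OOM and yields
// nullptr when its allocation fails.
struct OutBuffer {
  std::string text;
  std::unique_ptr<std::string> release(FakeContext& cx) {
    if (!cx.tryAlloc()) { cx.oomReported = true; return nullptr; }
    return std::make_unique<std::string>(text);
  }
};

// Stand-in for JS::Value::setString, which asserts on a null cell pointer.
struct ReturnValue {
  std::unique_ptr<std::string> str;
  void setString(std::unique_ptr<std::string> s) { assert(s); str = std::move(s); }
};

// The report's shape was  rval.setString(out.release(cx));  which hands a
// null pointer to the setter under OOM and trips the assertion. Fixed shape:
// a null result is a propagated OOM, so fail the call instead.
bool dumpIonChecked(FakeContext& cx, ReturnValue& rval) {
  OutBuffer out{"MIR dump"};
  std::unique_ptr<std::string> s = out.release(cx);
  if (!s) return false;  // OOM already reported by release()
  rval.setString(std::move(s));
  return true;
}

// oomTest-style driver: the call must succeed exactly when no allocation
// failed, report OOM otherwise, and never store a null string.
bool oomTestChecked(int maxAllocs) {
  for (int n = 0; n <= maxAllocs; ++n) {
    FakeContext cx{n};
    ReturnValue rval;
    bool ok = dumpIonChecked(cx, rval);
    if (ok != (n >= 1)) return false;
    if (ok ? *rval.str != "MIR dump" : !cx.oomReported) return false;
  }
  return true;
}
```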

:rhunt, since you are the author of the regressor, bug 1869365, could you take a look?


Flags: needinfo?(rhunt)

Ryan is on leave.

Flags: needinfo?(rhunt) → needinfo?(ydelendik)
Group: javascript-core-security
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
Flags: needinfo?(ydelendik)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Flags: sec-bounty? → sec-bounty-
