Closed Bug 1894883 Opened 1 year ago Closed 1 year ago

Assertion failure: shape_ != later.shape_, at builtin/TestingFunctions.cpp:6262

Categories

(Core :: JavaScript Engine, defect)

defect

Tracking


RESOLVED FIXED
127 Branch
Tracking Status
firefox127 --- fixed

People

(Reporter: lukas.bernhard, Assigned: iain)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Steps to reproduce:

On git commit 38377227b8f96fda8f418db614e6a8aa67d01c31 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js
Bisecting did not identify a recent regressor, commits from 2022 are affected already.

const v3 = this.createShapeSnapshot(gc);
function f5() {
    const o8 = {
        "sameZoneAs": this,
    };
    newGlobal(o8).Object.freeze(gc);
}
newGlobal.toString = f5;
const t9 = newGlobal.constructor;
t9(newGlobal);
newGlobal().checkShapeSnapshot(v3, fullcompartmentchecks);

#0  ShapeSnapshot::check (this=this@entry=0x7ffff74e9e40, cx=cx@entry=0x7ffff7440600, later=...)
    at js/src/builtin/TestingFunctions.cpp:6262
#1  0x0000555557aa3b5c in CheckShapeSnapshot (cx=cx@entry=0x7ffff7440600, argc=<optimised out>, vp=<optimised out>)
    at js/src/builtin/TestingFunctions.cpp:6380
#2  0x0000555557275267 in CallJSNative (cx=cx@entry=0x7ffff7440600, 
    native=native@entry=0x555557aa38a0 <CheckShapeSnapshot(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:480
#3  0x0000555557274485 in js::InternalCallOrConstruct (cx=0x7ffff7440600, args=..., construct=construct@entry=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:574
#4  0x00005555572761d6 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=1506067712)
    at js/src/vm/Interpreter.cpp:641
#5  0x000055555728a4dc in js::CallFromStack (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=<optimised out>)
    at js/src/vm/Interpreter.cpp:646
#6  js::Interpret (cx=0x7ffff7440600, state=...) at js/src/vm/Interpreter.cpp:3071
#7  0x00005555572739d7 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff7440600, state=...)
    at js/src/vm/Interpreter.cpp:394
#8  0x00005555572736ca in js::RunScript (cx=cx@entry=0x7ffff7440600, state=...) at js/src/vm/Interpreter.cpp:452
#9  0x00005555572786a2 in js::ExecuteKernel (cx=cx@entry=0x7ffff7440600, script=script@entry=..., envChainArg=envChainArg@entry=..., 
    evalInFrame=evalInFrame@entry=..., result=result@entry=...) at js/src/vm/Interpreter.cpp:839
#10 0x0000555557278ead in js::Execute (cx=cx@entry=0x7ffff7440600, script=script@entry=..., envChain=..., rval=rval@entry=...)
    at js/src/vm/Interpreter.cpp:871
#11 0x00005555574c6e5a in ExecuteScript (cx=cx@entry=0x7ffff7440600, envChain=..., script=..., rval=rval@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#12 0x00005555574c70d8 in JS_ExecuteScript (cx=cx@entry=0x7ffff7440600, scriptArg=scriptArg@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#13 0x00005555571b0db8 in RunFile (cx=0x7ffff7440600, filename=<optimised out>, file=<optimised out>, compileMethod=CompileUtf8::DontInflate, 
    compileOnly=false, fullParse=<optimised out>) at js/src/shell/js.cpp:1196
#14 0x00005555571b027e in Process (cx=cx@entry=0x7ffff7440600, filename=0x0, forceTTY=<optimised out>, kind=kind@entry=FileScript)
    at js/src/shell/js.cpp:1782
#15 0x000055555716c103 in ProcessArgs (cx=0x7ffff7440600, op=0x7fffffffe638) at js/src/shell/js.cpp:11146
#16 Shell (cx=0x7ffff7440600, op=op@entry=0x7fffffffe638) at js/src/shell/js.cpp:11405
#17 0x00005555571644f9 in main (argc=<optimised out>, argv=0x7fffffffe8c8) at js/src/shell/js.cpp:11918
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

Probably an issue with the testing function...

Flags: needinfo?(jdemooij)

Took a quick look. This definitely looks like a problem with the testing function. Here's a cleaner testcase:

function makeObj() { return { x: 1, y: 2 }; }

var o1 = makeObj();
var o2 = makeObj();

var snapshot = createShapeSnapshot(o1);
delete o1.x; // Convert o1 to dictionary mode
checkShapeSnapshot(snapshot, o2);

The problem is with this code. When we check the snapshot of o1 against o2, we check whether the current shape of o1 is in dictionary mode, but then assert that the original shape of o1 (from the snapshot) is not shared with o2. The original shape was not a dictionary shape, so there's no reason not to share it.

Group: javascript-core-security
Flags: needinfo?(jdemooij)
Assignee: nobody → iireland
Status: NEW → ASSIGNED
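To make the reasoning in the comment above concrete, here is an added toy model (this is illustration written for this page, not SpiderMonkey's ShapeSnapshot code or the landed patch): objects built by the same property sequence share a shape, a delete moves the object to its own dictionary-mode shape, and the "buggy" check decides based on the object's current shape while asserting on the snapshot's shape. All class and function names are this example's own.

```javascript
// Toy model (this example's own, not SpiderMonkey code) of shared shapes,
// dictionary mode, and the snapshot check the comment describes.
class Shape {
  constructor(keys, isDictionary) {
    this.keys = keys;                 // ordered property keys
    this.isDictionary = isDictionary; // true once the object left the shared tree
  }
}
// Shape tree: objects built by the same property-key sequence share one Shape.
const SHARED = new Map();
function lookupShared(keys) {
  const id = keys.join(",");
  if (!SHARED.has(id)) SHARED.set(id, new Shape(keys, false));
  return SHARED.get(id);
}
class ModelObject {
  constructor(keys) { this.shape = lookupShared(keys); }
  // delete leaves the shared tree: the object gets its own dictionary-mode shape
  deleteProperty(key) {
    this.shape = new Shape(this.shape.keys.filter(k => k !== key), true);
  }
}
// Snapshot remembers the object's shape at the time it is taken.
function createShapeSnapshot(obj) {
  return { object: obj, shape: obj.shape };
}
// Buggy check, as the comment describes it: decides "dictionary mode" from the
// object's *current* shape, then asserts the *snapshot's* (older, shared) shape
// is not shared with `later`. Returns false where the assertion would fire.
function checkShapeSnapshotBuggy(snapshot, later) {
  if (snapshot.object.shape.isDictionary) return snapshot.shape !== later.shape;
  return true;
}
// Corrected reasoning (this example's reading of the comment, not the landed
// patch): only a dictionary shape must be unshared, so test the snapshot's shape.
function checkShapeSnapshotFixed(snapshot, later) {
  if (snapshot.shape.isDictionary) return snapshot.shape !== later.shape;
  return true;
}
// The reduced testcase from the comment: snapshot o1, delete o1.x, check vs o2.
function runScenario(check) {
  const o1 = new ModelObject(["x", "y"]);
  const o2 = new ModelObject(["x", "y"]);  // shares o1's original shape
  const snapshot = createShapeSnapshot(o1);
  o1.deleteProperty("x");                  // o1 now in dictionary mode
  return check(snapshot, o2);
}
```

Running `runScenario` with the buggy check reproduces the spurious failure; with the corrected check it passes, because the snapshot's shape was a legitimately shared, non-dictionary shape.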
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/38a28a8e3a0b Fix assertion in ShapeSnapshot.check r=jandem
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
