Closed Bug 1901410 Opened 4 months ago Closed 4 months ago

Assertion failure: prop.isNativeProperty() && prop.propertyInfo().isDataProperty() && prop.propertyInfo().writable(), at /root/src/js/src/jit/VMFunctions.cpp:2058

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox129 --- fixed

People

(Reporter: nils.bars, Assigned: jandem)

References

(Blocks 3 open bugs)

Details

Attachments

(2 files)

bug.js
525 bytes, application/x-javascript
Details
Bug 1901410 - Invalidate megamorphic set-property cache when freezing prototype objects. r?iain!
48 bytes, text/x-phabricator-request
Details | Review
Attached file bug.js

Steps to reproduce:

This bug is flaky and must be executed multiple times in order to trigger the assert.

Checkout commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows:

/root/js-spidermonkey-shell  --fast-warmup  --fuzzing-safe  --gc-zeal=22,98 <testcase>

Actual results:

Assertion failure: prop.isNativeProperty() && prop.propertyInfo().isDataProperty() && prop.propertyInfo().writable(), at /root/src/js/src/jit/VMFunctions.cpp:2058
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

The bug here seems to be that freezing/sealing a (prototype) object does not invalidate the megamorphic set-prop cache by bumping its generation counter.

We need to invalidate this cache because of a JS quirk: attempts to shadow a non-writable property on the proto chain must throw. This probably isn't security sensitive but just a correctness issue - the same thing can be achieved with a defineProperty which is allowed to shadow properties on the proto chain.

Flags: needinfo?(jdemooij)

Freezing an object will mark all data properties non-writable. These properties
then can't be shadowed anymore so we need to ensure add-property cache entries are
invalidated.

Assignee: nobody → jdemooij
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e943519aa384 Invalidate megamorphic set-property cache when freezing prototype objects. r=iain
Blocks: sm-security, sm-jits
Severity: -- → S3
Priority: -- → P1

https://hg.mozilla.org/mozilla-central/rev/e943519aa384

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox129: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Blocks: 1903968
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: