Closed Bug 1904642 Opened 9 months ago Closed 9 months ago

Assertion failure: cx->realm() == state.script()->realm(), at js/src/vm/Interpreter.cpp:422

Tracking

()

Status:

RESOLVED FIXED

Milestone:

129 Branch

Tracking Flags:

Tracking

Status

firefox129

---

fixed

People

(Reporter: sm-bugs, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external)

Attachments

(2 files)

bug.js 9 months ago Nils Bars 236 bytes, application/x-javascript		Details
Bug 1904642 - Check module realm in shell registerModule function r?jandem 9 months ago Jon Coppeard (:jonco) 48 bytes, text/x-phabricator-request		Details \| Review

Nils Bars

Reporter

Description

•

9 months ago

Attached file bug.js — Details

Steps to reproduce:

Checkout commit 9fcc11127fbfbdc88cbf37489dac90542e141c77 and invoke the js shell as follows:

js --fuzzing-safe <test-case>

Actual results:

Assertion failure: cx->realm() == state.script()->realm(), at js/src/vm/Interpreter.cpp:422

Nils Bars

Reporter

Updated

•

9 months ago

Blocks: 1903968

Group: firefox-core-security → core-security

Component: Untriaged → JavaScript Engine

Product: Firefox → Core

Daniel Veditz [:dveditz]

Updated

•

9 months ago

Group: core-security → javascript-core-security

Keywords: reporter-external

Jan de Mooij [:jandem]

Comment 1

•

9 months ago

Reduced test below. It looks like we create a module object with a script from a different realm and this confuses ModuleObject::execute when it tries to execute it.

Jon, can this case happen in the browser or are we just missing a check for this in the shell's testing function?

var mod = parseModule("a");
d = newGlobal().registerModule("c", mod);
moduleLink(d);
moduleEvaluate(d);

Flags: needinfo?(jcoppeard)

Jon Coppeard (:jonco)

Assignee

Comment 2

•

9 months ago

The problem is in the shell function registerModule(). This can't happen in the browser.

Assignee: nobody → jcoppeard

Flags: needinfo?(jcoppeard)

Jan de Mooij [:jandem]

Updated

•

9 months ago

Group: javascript-core-security

Jon Coppeard (:jonco)

Assignee

Comment 3

•

9 months ago

Attached file Bug 1904642 - Check module realm in shell registerModule function r?jandem — Details

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

9 months ago

Severity: -- → S3

Priority: -- → P3

Pulsebot

Comment 4

•

9 months ago

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3e39867430df Check module realm in shell registerModule function r=jandem

Sandor Molnar[:smolnar]

Comment 5

•

9 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/3e39867430df

Status: UNCONFIRMED → RESOLVED

Closed: 9 months ago

status-firefox129: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 129 Branch

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Assertion failure: cx->realm() == state.script()->realm(), at js/src/vm/Interpreter.cpp:422

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

()

People

(Reporter: sm-bugs, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Updated

Comment 1

Comment 2

Updated

Comment 3

Updated

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type