Assertion failure: script, at js/src/builtin/ShadowRealm.cpp:437
Categories: Core :: JavaScript Engine, defect, P3

Tracking

Version | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox-esr128 | --- | disabled
firefox129 | --- | disabled
firefox130 | --- | disabled
firefox131 | --- | disabled

People: Reporter: sm-bugs, Unassigned
References: Blocks 2 open bugs
Details: Keywords: reporter-external
Attachments (1 file): 201 bytes, application/text-plain
Steps to reproduce:
Checkout commit ef4ef8198add3192d1e49157fb3f377ea7e60009 and invoke the js shell as follows:
js --fuzzing-safe --enable-shadow-realms <test-case>
Actual results:
Assertion failure: script, at js/src/builtin/ShadowRealm.cpp:437
Comment 1•7 months ago
Please add a stack for the assertion, either as a comment or an attachment, to make it easier to triage.
==2298478==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55a2ddbab084 bp 0x7ffe07c79d40 sp 0x7ffe07c79b70 T2298478)
==2298478==The signal is caused by a WRITE memory access.
==2298478==Hint: address points to the zero page.
#0 0x55a2ddbab084 in ShadowRealmImportValue(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Realm*, JS::Realm*) spidermonkey/src/js/src/builtin/ShadowRealm.cpp:436:5
#1 0x55a2ddbab084 in ShadowRealm_importValue(JSContext*, unsigned int, JS::Value*) spidermonkey/src/js/src/builtin/ShadowRealm.cpp:648:19
#2 0x55a2dd69867e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) spidermonkey/src/js/src/vm/Interpreter.cpp:489:13
#3 0x55a2dd6978df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) spidermonkey/src/js/src/vm/Interpreter.cpp:583:12
#4 0x55a2dd6ade61 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) spidermonkey/src/js/src/vm/Interpreter.cpp:655:10
#5 0x55a2dd6ade61 in js::Interpret(JSContext*, js::RunState&) spidermonkey/src/js/src/vm/Interpreter.cpp:3357:16
#6 0x55a2dd6968e1 in js::RunScript(JSContext*, js::RunState&) spidermonkey/src/js/src/vm/Interpreter.cpp:461:13
#7 0x55a2dd69bac1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) spidermonkey/src/js/src/vm/Interpreter.cpp:848:13
#8 0x55a2dd69c2cc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) spidermonkey/src/js/src/vm/Interpreter.cpp:880:10
#9 0x55a2dd8e8969 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) spidermonkey/src/js/src/vm/CompilationAndEvaluation.cpp:495:10
#10 0x55a2dd8e8be7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) spidermonkey/src/js/src/vm/CompilationAndEvaluation.cpp:519:10
#11 0x55a2dd5d274e in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) spidermonkey/src/js/src/shell/js.cpp:1205:10
#12 0x55a2dd5d1ab5 in Process(JSContext*, char const*, bool, FileKind) spidermonkey/src/js/src/shell/js.cpp
#13 0x55a2dd58c7ae in ProcessArgs(JSContext*, js::cli::OptionParser*) spidermonkey/src/js/src/shell/js.cpp:11284:10
#14 0x55a2dd58c7ae in Shell(JSContext*, js::cli::OptionParser*) spidermonkey/src/js/src/shell/js.cpp:11536:12
#15 0x55a2dd5843c0 in main spidermonkey/src/js/src/shell/js.cpp:12068:12
#16 0x7ffa5e1fdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7ffa5e1fde3f in __libc_start_main csu/../csu/libc-start.c:392:3
#18 0x55a2dd54dd38 in _start (spidermonkey/src/reproducebuild/dist/bin/js+0x1c25d38) (BuildId: 35d8a8a3c389066dde8dc90be8c5997d)
Comment 3•7 months ago
Here's a cut down version.
let g = newGlobal({principal: 0});
let shadow = new g.ShadowRealm();
shadow.importValue("a", "b");
We create a shadow realm in a global with a more restrictive principal than the main global. Then we try importing a value. In PerformShadowRealmEval, we call DescribeScriptedCallerForCompilation, which walks the stack to find the script of the code that called us. However, because the only frames on the stack are in the original global, which is not subsumed by the shadow realm's global, we don't get a script back.
We either need to use a different mechanism to find the calling script, or to add some error handling in this case. Need-infoing our ShadowRealms expert to figure out which one.
Shadow realms aren't shipping any time soon, and I'm not convinced it's possible to trigger this outside of the shell, so this probably isn't security sensitive, but I'll leave the final determination up to Matt.
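The lookup failure described in comment 3, as a constructed model added here (not SpiderMonkey code): a caller walk that only accepts frames visible to the target realm returns nothing when every scripted frame belongs to a global the shadow realm's principal does not subsume, and the hardened variant reports that instead of touching a null script. Principals are modelled as integer privilege levels where a higher level subsumes a lower one; that ordering, the frame shape and the function names are assumptions of this model.

```javascript
// Constructed model of DescribeScriptedCallerForCompilation-style lookup.
// A principal is an assumed privilege level: higher subsumes lower.
function subsumes(holder, other) {
  return holder >= other;
}

// Walk from the innermost frame outward, skipping native frames (no script)
// and frames whose global the target principal cannot subsume.
function describeScriptedCaller(stack, targetPrincipal) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const frame = stack[i];
    if (!frame.script) continue;
    if (!subsumes(targetPrincipal, frame.principal)) continue;
    return frame.script;
  }
  return null; // no usable calling script on the stack
}

// Buggy shape: uses the result unconditionally, failing on null.
function importValueBuggy(stack, realmPrincipal) {
  const script = describeScriptedCaller(stack, realmPrincipal);
  return script.filename; // throws TypeError when script is null
}

// Hardened shape: surface an error instead of dereferencing nothing.
function importValueHardened(stack, realmPrincipal) {
  const script = describeScriptedCaller(stack, realmPrincipal);
  if (script === null) {
    throw new Error("importValue: no calling script visible to this realm");
  }
  return script.filename;
}

// Constructed stack for the cut-down test: a script in the main global
// (principal 2) calling into the native importValue of a realm at principal 0.
const MAIN = 2;
const RESTRICTED = 0;
const crashingStack = [
  { principal: MAIN, script: { filename: "test.js" } },
  { principal: RESTRICTED, script: null }, // native ShadowRealm_importValue
];
// Same call made from a script that the restricted realm can see.
const visibleStack = [
  { principal: RESTRICTED, script: { filename: "inner.js" } },
  { principal: RESTRICTED, script: null },
];
```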
Comment 4•6 months ago
The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.
Comment 5•6 months ago
My understanding of principals is weaker than I'd like, but if I do have a basic understanding, it does seem possible that this can be triggered from outside the shell with the addition of something like a web extension.
Given that this isn't shipping any time soon and is currently all prefed off, I think we could un-hide this.
I think the only sensible choice here will be to throw, but I've only given it a bit of thought based on Iain's diagnosis.