Closed Bug 1917312 Opened 1 year ago Closed 1 year ago

Crash in [@ js::ContextChecks::fail | JSContext::check | JS_CallFunctionValue | mozilla::dom::(anonymous namespace)::DebuggerImmediateRunnable::WorkerRun]

Categories

(Core :: DOM: Service Workers, defect)

Unspecified
Windows 11
defect

Tracking

RESOLVED DUPLICATE of bug 1904059

People

(Reporter: mayankleoboy1, Unassigned)

References

Details

(Keywords: crash, reporter-external)

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/063d88c0-acb3-4c15-9bc3-9d35d0240906

MOZ_CRASH Reason: *** Compartment mismatch 2c5bc3d23a0 vs. 2c5bd8ed1f0 at argument 1

Top 10 frames:

0  xul.dll  MOZ_Crash(char const*, int, char const*)  mfbt/Assertions.h:317
0  xul.dll  js::ContextChecks::fail(JS::Compartment*, JS::Compartment*, int)  js/src/vm/JSContext-inl.h:55
0  xul.dll  js::ContextChecks::check(JS::Compartment*, int)  js/src/vm/JSContext-inl.h:71
0  xul.dll  js::ContextChecks::check(JSObject*, int)  js/src/vm/JSContext-inl.h:84
0  xul.dll  js::ContextChecks::check(JS::Value const&, int)  js/src/vm/JSContext-inl.h:125
1  xul.dll  JSContext::checkImpl(JS::Handle<JSObject*> const&, JS::Handle<JS::Value> cons...  js/src/vm/JSContext-inl.h:207
1  xul.dll  JSContext::check(JS::Handle<JSObject*> const&, JS::Handle<JS::Value> const&, ...  js/src/vm/JSContext-inl.h:214
1  xul.dll  JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>...  js/src/vm/CallAndConstruct.cpp:47
2  xul.dll  mozilla::dom::(anonymous namespace)::DebuggerImmediateRunnable::WorkerRun(JSC...  dom/workers/WorkerPrivate.cpp:671
3  xul.dll  mozilla::dom::WorkerThreadRunnable::Run()  dom/workers/WorkerRunnable.cpp:443

I was trying to repro the crash in bug 1777931.

I had opened the URL in a private window. The page has some issues due to which it takes a long time to load. I had also maybe hard reloaded the page a few times.
I had then opened the developer tools, and was just randomly clicking on different tabs and stuff.
Suddenly, boom.

No idea what the correct component is. I am copying folks who work on the debugger and service workers.

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

Please see the STR in https://bugzilla.mozilla.org/show_bug.cgi?id=1777931#c19.

The STR for this bug are pretty much the same, except maybe switch to the "console" or "debugger" tab of the dev toolbar before going to the URL.

Sometimes you get this crash, sometimes you will get the crash from bug 1777931.

See Also: → 1777931
Attached file about:support
Component: JavaScript Engine → DOM: Service Workers
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1904059
Resolution: --- → DUPLICATE

Andrew, can this bug be tagged for the bug bounty program?

Even though bug 1904059 was technically filed earlier, this bug gave some concrete STR.

Flags: needinfo?(continuation)
Flags: needinfo?(continuation) → sec-bounty?

I'm not sure how that exactly works from a bounty consideration perspective, but sure I can flag it so that it is considered. Thanks for filing the bug.

While I want to emphasize how helpful and appreciated the bug reports Mayank files are, I don't think this bug can be eligible since bug 1904059 /this bug are strictly a sec-mod and the guidance at https://www.mozilla.org/en-US/security/client-bug-bounty/ says:

Typically, the security rating given by the Bounty Committee for a bug must be rated a "sec-high" or "sec-critical" in order for it to be eligible for a bounty.

There's a book-keeping mismatch here that happens strictly in response to user action (not site action), and where the compartment mismatch payload is strictly under the control of devtools and passing to a debugger global which, in the event of the wrong compartment being used, would err on the side of having reduced privileges. I always appreciate STRs, but it was obvious from the stack in https://bugzilla.mozilla.org/show_bug.cgi?id=1904059#c0 what was happening. (My comment at https://bugzilla.mozilla.org/show_bug.cgi?id=1904059#c4 was just memorializing discussion from a team meeting because the Google Docs notes are not particularly accessible.)

Fair enough.

this bug [is] a sec-mod and the guidance at https://www.mozilla.org/en-US/security/client-bug-bounty/ says:

Typically, the security rating given by the Bounty Committee for a bug must be rated a "sec-high" or "sec-critical" in order for it to be eligible for a bounty.

We need to work on that wording. Further down there's a chart showing how much we "typically" award for different kinds of moderate bugs 😀

In this bug though, the bounty committee felt the non-deterministic STR was not enough to outweigh the fact that the basic issue was already known.

Flags: sec-bounty? → sec-bounty-
Group: dom-core-security