Closed Bug 1933039 Opened 9 months ago Closed 8 months ago

Assertion failure: hasCyclicModuleFields(), at js/src/builtin/ModuleObject.cpp:921

Tracking

()

Status:

RESOLVED FIXED

Milestone:

135 Branch

Tracking Flags:

Tracking

Status

firefox-esr115

---

unaffected

firefox-esr128

---

unaffected

firefox133

---

wontfix

firefox134

---

wontfix

firefox135

fixed

People

(Reporter: sm-bugs, Assigned: allstars.chh)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external, sec-other, Whiteboard: [adv-main135-])

Attachments

(1 file)

Bug 1933039 - Throw when processing synthetic modules in GetModuleEnvironmentNames,Value. 8 months ago Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi] 48 bytes, text/x-phabricator-request		Details \| Review

Nils Bars

Reporter

Description

•

9 months ago

•

Edited

Steps to reproduce:

I guess this is related to bug 1929623.

Version: ee42ec590725439d33792bc8657d60f080786b2e
Args: js --fuzzing-safe <test-case>
Test case:

getModuleEnvironmentNames(parseModule("{}", "", "json"))

Actual results:

#0 0x5595d1062421 in js::ModuleObject::cyclicModuleFields() s/src/builtin/ModuleObject.cpp:921:3
#1 0x5595d10659bc in js::ModuleObject::cyclicModuleFields() const s/src/builtin/ModuleObject.cpp:927:43
#2 0x5595d10659bc in js::ModuleObject::hadEvaluationError() const s/src/builtin/ModuleObject.cpp:1320:29
#3 0x5595d0b2ad1b in GetModuleEnvironmentNames(JSContext*, unsigned int, JS::Value*) s/src/shell/js.cpp:5989:15
#4 0x5595d0bf721e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) s/src/vm/Interpreter.cpp:532:13
#5 0x5595d0bf647f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) s/src/vm/Interpreter.cpp:628:12
#6 0x5595d0c10a1c in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) s/src/vm/Interpreter.cpp:700:10
#7 0x5595d0c10a1c in js::Interpret(JSContext*, js::RunState&) s/src/vm/Interpreter.cpp:3329:16
#8 0x5595d0bf52b3 in js::RunScript(JSContext*, js::RunState&) s/src/vm/Interpreter.cpp:502:13
#9 0x5595d0bfa661 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) s/src/vm/Interpreter.cpp:893:13
#10 0x5595d0bfae6c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) s/src/vm/Interpreter.cpp:926:10
#11 0x5595d0df5a79 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) s/src/vm/CompilationAndEvaluation.cpp:496:10
#12 0x5595d0df5cf7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) s/src/vm/CompilationAndEvaluation.cpp:520:10
#13 0x5595d0b531ce in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) s/src/shell/js.cpp:1324:10
#14 0x5595d0b52275 in Process(JSContext*, char const*, bool, FileKind) s/src/shell/js.cpp
#15 0x5595d0b0b2c9 in ProcessArgs(JSContext*, js::cli::OptionParser*) s/src/shell/js.cpp:11801:10
#16 0x5595d0b0b2c9 in Shell(JSContext*, js::cli::OptionParser*) s/src/shell/js.cpp:12069:12
#17 0x5595d0b01ecd in main s/src/shell/js.cpp:12495:12
#18 0x7f39aadc43b7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#19 0x7f39aadc447a in __libc_start_main csu/../csu/libc-start.c:360:3
#20 0x5595d0acb398 in _start (bin/js+0x1bed398) (BuildId: 8c078c7b81363595dd2ca0b88818a732)

Nils Bars

Reporter

Updated

•

9 months ago

Blocks: 1903968

Group: firefox-core-security → core-security

Component: Untriaged → JavaScript Engine

Product: Firefox → Core

Version: Firefox 132 → Trunk

Ryan VanderMeulen [:RyanVM]

Updated

•

9 months ago

Group: core-security → javascript-core-security

Daniel Veditz [:dveditz]

Updated

•

9 months ago

Keywords: reporter-external

Jan de Mooij [:jandem]

Updated

•

9 months ago

Flags: needinfo?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Updated

•

9 months ago

Assignee: nobody → allstars.chh

Flags: needinfo?(allstars.chh)

Nicolas B. Pierron [:nbp]

Comment 1

•

9 months ago

Jon or Arai might have some ideas on what is going on, and whether or not this can affect the rest of the browser.

Blocks: sm-runtime, sm-shell

Severity: -- → S4

Flags: needinfo?(arai.unmht)

Priority: -- → P2

Tooru Fujisawa [:arai]

Comment 2

•

9 months ago

I don't have access to bug 1929623, but this specific issue comes from bug 1918053, which adds the 3rd parameter to the parseModule testing function, which results in wrapping the JSON module in ShellModuleObjectWrapper object, and allowing passing it to other testing functions that accepts ShellModuleObjectWrapper.
Some module-related testing function, such as getModuleEnvironmentNames doesn't expect the JSON module being passed.
So, unless there's other way to pass JSON module to the module function internal, this is JS-shell-only issue, and those testing functions should be updated to reject JSON modules.

Flags: needinfo?(arai.unmht)

Keywords: regression

Regressed by: 1918053

BugBot [:suhaib / :marco/ :calixte]

Comment 3

•

9 months ago

Set release status flags based on info from the regressing bug 1918053

status-firefox133: --- → affected

status-firefox134: --- → affected

status-firefox135: --- → affected

status-firefox-esr128: --- → unaffected

Nicolas B. Pierron [:nbp]

Updated

•

9 months ago

No longer blocks: sm-runtime

Donal Meehan [:dmeehan]

Updated

•

9 months ago

status-firefox-esr115: --- → unaffected

Daniel Veditz [:dveditz]

Updated

•

9 months ago

Keywords: sec-other

Donal Meehan [:dmeehan]

Updated

•

8 months ago

status-firefox133: affected → wontfix

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 4

•

8 months ago

Attached file Bug 1933039 - Throw when processing synthetic modules in GetModuleEnvironmentNames,Value. — Details

Phabricator Automation

Updated

•

8 months ago

Attachment #9441483 - Attachment description: Bug 1933039 - Handle synthetic modules in GetModuleEnvironmentNames,Value. → Bug 1933039 - Throw when processing synthetic modules in GetModuleEnvironmentNames,Value.

Pulsebot

Comment 5

•

8 months ago

Pushed by allstars.chh@gmail.com: https://hg.mozilla.org/integration/autoland/rev/84c4074147ad Throw when processing synthetic modules in GetModuleEnvironmentNames,Value. r=jonco

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 6

•

8 months ago

https://hg.mozilla.org/mozilla-central/rev/84c4074147ad

Group: javascript-core-security → core-security-release

Status: NEW → RESOLVED

Closed: 8 months ago

status-firefox135: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 135 Branch

Donal Meehan [:dmeehan]

Updated

•

8 months ago

tracking-firefox134: --- → +

tracking-firefox135: --- → +

BugBot [:suhaib / :marco/ :calixte]

Comment 7

•

8 months ago

The patch landed in nightly and beta is affected.
:allstars.chh, is this bug important enough to require an uplift?

If yes, please nominate the patch for beta approval.
If no, please set status-firefox134 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 8

•

8 months ago

This is a shell-only function for testing, I'll mark this as won'tfix for 134.

status-firefox134: affected → wontfix

Flags: needinfo?(allstars.chh)

Ryan VanderMeulen [:RyanVM]

Updated

•

8 months ago

tracking-firefox134: + → ---

Flags: in-testsuite+

Andrei Vaida [:avaida]

Updated

•

7 months ago

QA Whiteboard: [post-critsmash-triage]

Flags: qe-verify-

Tyson Smith [:tsmith]

Updated

•

6 months ago

Whiteboard: [adv-main135+]

Tyson Smith [:tsmith]

Updated

•

6 months ago

Whiteboard: [adv-main135+] → [adv-main135-]

Daniel Veditz [:dveditz]

Updated

•

2 months ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.