Closed Bug 1939971 Opened 1 month ago Closed 13 days ago

Assertion failure: cx->realm()->creationOptions().getSharedMemoryAndAtomicsEnabled(), at src/js/src/shell/js.cpp:8047

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

RESOLVED FIXED
137 Branch
Tracking Status
firefox137 --- fixed

People

(Reporter: sm-bugs, Assigned: rhunt)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external)

Attachments

(1 file)

Steps to reproduce:

Version: 4f2372638478a8b66ba467867d764ad6cdb16a5d
Args: --fuzzing-safe --shared-memory=off <test-case>
Test case:

try {
  a = wasmTextToBinary(`(module)`)
  b = WebAssembly.Module
  c = new b(a)
  setSharedArrayBuffer(c)
  getSharedObject()
} catch {
}

Actual results:

Assertion failure: cx->realm()->creationOptions().getSharedMemoryAndAtomicsEnabled(), at src/js/src/shell/js.cpp:8047

#0 0x559fe6bd7640 in GetSharedObject(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:8046:9
#1 0x559fe6ca7fae in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:532:13
#2 0x559fe6ca727c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:628:12
#3 0x559fe6cc0db4 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:700:10
#4 0x559fe6cc0db4 in js::Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3338:16
#5 0x559fe6ca60d9 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:502:13
#6 0x559fe6cab5e1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:893:13
#7 0x559fe6cabdec in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:926:10
#8 0x559fe6ea3a49 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:601:10
#9 0x559fe6ea3cc7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:625:10
#10 0x559fe6c03199 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) js/src/shell/js.cpp:1326:10
#11 0x559fe6c022a0 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp
#12 0x559fe6bbc371 in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11793:10
#13 0x559fe6bbc371 in Shell(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:12061:12
#14 0x559fe6bb2e0d in main js/src/shell/js.cpp:12487:12
#15 0x7f1e8f73d3b7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7f1e8f73d47a in __libc_start_main csu/../csu/libc-start.c:360:3
#17 0x559fe6b79dc8 in _start (reproducebuild/dist/bin/js+0x1c59dc8) (BuildId: d25b0a0cd5451c944e4f8e945b2c5fbf)

Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 133 → Trunk
Group: core-security → javascript-core-security

Because wasm, randomly choosing Ben to take a peek

Flags: needinfo?(bvisness)

I peeked at this yesterday and the assertion for MailboxTag::WasmModule in the getSharedObject shell function here might just be invalid? I think that assertion makes sense for the SAB case and not for this one?

Severity: -- → S4
Priority: -- → P3
Flags: needinfo?(rhunt)

Yeah this shell function is just broken. This is not security sensitive because it's just in our shell testing code.

Assignee: nobody → rhunt
Group: javascript-core-security
Flags: needinfo?(rhunt)
Flags: needinfo?(bvisness)

The shell has some builtins to emulate post message for testing.

The WasmModule support for this copy-pasted an assertion from
the SAB sharing code that is not relevant. It's possible to
share a wasm module across threads without shared memory.

Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/autoland/rev/60cae1a051b3
wasm: Remove copied assertion from GetSharedObject. r=bvisness
Status: NEW → RESOLVED
Closed: 13 days ago
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch
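
Added example (not SpiderMonkey source and not part of the bug thread): a simplified C++ model of the root cause described above, where a precondition copied from the SharedArrayBuffer case onto the WasmModule case fires under --shared-memory=off. Every name except MailboxTag::WasmModule is hypothetical, and the model assumes an empty mailbox yields null and that the SharedArrayBuffer case keeps its check after the fix.

```cpp
// Constructed model of a one-slot, tagged mailbox used to hand a value from
// one shell thread to another. Illustrative only; names are assumptions.
enum class MailboxTag { Empty, SharedArrayBuffer, WasmModule };
enum class Outcome { ReturnedNull, ReturnedObject, AssertionFailure };

struct Realm {
  bool sharedMemoryAndAtomicsEnabled;  // models --shared-memory=on/off
};

// "Before": the WasmModule arm carries the precondition copied from the
// SharedArrayBuffer arm, so it trips whenever shared memory is off.
Outcome receiveWithCopiedAssertion(const Realm& realm, MailboxTag tag) {
  switch (tag) {
    case MailboxTag::Empty:
      return Outcome::ReturnedNull;
    case MailboxTag::SharedArrayBuffer:
    case MailboxTag::WasmModule:
      if (!realm.sharedMemoryAndAtomicsEnabled) return Outcome::AssertionFailure;
      return Outcome::ReturnedObject;
  }
  return Outcome::AssertionFailure;  // not reached for valid tags
}

// "After": each arm checks only what its own payload depends on.
Outcome receivePerCase(const Realm& realm, MailboxTag tag) {
  switch (tag) {
    case MailboxTag::Empty:
      return Outcome::ReturnedNull;
    case MailboxTag::SharedArrayBuffer:
      // The receiver must have shared memory enabled to accept a SAB.
      if (!realm.sharedMemoryAndAtomicsEnabled) return Outcome::AssertionFailure;
      return Outcome::ReturnedObject;
    case MailboxTag::WasmModule:
      // A module can be shared across threads without shared memory.
      return Outcome::ReturnedObject;
  }
  return Outcome::AssertionFailure;  // not reached for valid tags
}

int main() {
  Realm off{false};  // the report's --shared-memory=off configuration
  bool before = receiveWithCopiedAssertion(off, MailboxTag::WasmModule) ==
                Outcome::AssertionFailure;
  bool after = receivePerCase(off, MailboxTag::WasmModule) ==
               Outcome::ReturnedObject;
  bool sabStillGuarded = receivePerCase(off, MailboxTag::SharedArrayBuffer) ==
                         Outcome::AssertionFailure;
  return (before && after && sabStillGuarded) ? 0 : 1;
}
```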