Closed Bug 1977598 Opened 17 days ago Closed 14 days ago

Assertion failure: !js::UninlinedIsCrossCompartmentWrapper(this), at js/src/vm/JSObject.h:432

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
142 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox140 --- unaffected
firefox141 --- unaffected
firefox142 --- verified

People

(Reporter: decoder, Assigned: rhunt)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20250715-ca1cc5350282 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

Int8Array.sameZoneAs = /wp(?:a?)+/umi;
for (let [i13, i14] = (() => { return [0, 9]; })(); i14; i14--) {}
this.newGlobal(Int8Array).setTimeout(Int8Array);
for (let [i34, i35] = (() => {})(); i35; i35--) {}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556ee2194 in RunShellJobs(JSContext*) ()
#1  0x0000555556ebfbe9 in Shell(JSContext*, js::cli::OptionParser*) ()
#2  0x0000555556eb6916 in main ()
rip	0x555556ee2194 <RunShellJobs(JSContext*)+1556>
=> 0x555556ee2194 <_ZL12RunShellJobsP9JSContext+1556>:	mov    %rcx,(%rax)
   0x555556ee2197 <_ZL12RunShellJobsP9JSContext+1559>:	callq  0x555556f522b0 <abort>
Attached file Testcase

Likely a minor issue with the new setTimeout shell function.

Verified bug as reproducible on mozilla-central 20250716155217-9fbcc2cbd9ed.
The bug appears to have been introduced in the following build range:

Start: 8f2d398bb165f03bd1cd5e2d845276c61549daac (20250714165337)
End: ff06d99dccf260210ecd2a923db70de4f7cb96f6 (20250714210124)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8f2d398bb165f03bd1cd5e2d845276c61549daac&tochange=ff06d99dccf260210ecd2a923db70de4f7cb96f6

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

The shell job runner would need an update to support these. It seems simplest to just not allow them right now.

Assignee: nobody → rhunt
Status: NEW → ASSIGNED

The existing shell job runner for finalizers didn't support CCWs and that probably wasn't an issue until the basic setTimeout support was added to the shell. This is JS shell only, so not security sensitive.

Group: javascript-core-security
Severity: -- → S4
Priority: -- → P3
Attachment #9501046 - Attachment description: (secure) → Bug 1977598 - Don't allow CCW callbacks in shell setTimeout. r?jandem
Status: ASSIGNED → RESOLVED
Closed: 14 days ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch

Verified bug as fixed on rev mozilla-central 20250718214328-23ff9b5bff9f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon