Closed Bug 1983221 Opened 1 month ago Closed 1 month ago

Assertion failure: generator->isQueueLengthOne(), at vm/AsyncIteration.cpp:1042

Categories

(Core :: JavaScript Engine, defect, P2)

All
Linux
defect

Tracking

RESOLVED FIXED
144 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox141 --- unaffected
firefox142 --- unaffected
firefox143 --- wontfix
firefox144 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
var x = newGlobal({ newCompartment: true });
x.eval("async function *f(){}");
var y = Debugger();
y.addDebuggee(x);
y.onEnterFrame = function(a) {
  a.onPop = function(b) {
    b.return.unsafeDereference().throw();
    return b;
  };
};
x.f().return();

(gdb) bt
#0  0x00005555573d72e4 in MOZ_CrashSequence (aAddress=0x0, aLine=1042) at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-5cc1a7909a4e-582522/objdir-js/dist/include/mozilla/Assertions.h:248
#1  js::AsyncGeneratorReturn (cx=cx@entry=0x7ffff5e3c200, argc=<optimized out>, vp=<optimized out>) at /home/msf2/trees/firefox/js/src/vm/AsyncIteration.cpp:1042
#2  0x00005555572f1be5 in CallJSNative (cx=cx@entry=0x7ffff5e3c200, native=0x5555573d7060 <js::AsyncGeneratorReturn(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>,
    args=...) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:501
#3  0x00005555572cdfa6 in js::InternalCallOrConstruct (cx=0x7ffff5e3c200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:597
#4  0x00005555572ced08 in InternalCall (cx=<optimized out>, args=..., reason=1042, reason@entry=js::CallReason::Call) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:664
#5  0x00005555572cef24 in js::Call (cx=cx@entry=0x7ffff5e3c200, fval=fval@entry=..., thisv=..., args=..., rval=..., reason=reason@entry=js::CallReason::Call)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:696
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ce5019292a43
user:        Tooru Fujisawa
date:        Thu Jul 24 05:06:31 2025 +0000
summary:     Bug 1978510 - Part 16: Update the [[AsyncGeneratorState]] variants. r=mgaudet

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev 5cc1a7909a4e.

Arai-san, is bug 1978510 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(arai.unmht)

Set release status flags based on info from the regressing bug 1978510

Thanks!
Yeah, the change there introduced another invalid state which can happen with debugger interaction, and which should be filtered out by AsyncGeneratorMethodSanityCheck.

Flags: needinfo?(arai.unmht)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Group: core-security → javascript-core-security

This issue happens only with the Debugger API, which is not available to web content.
The DevTools Debugger can trigger a similar situation.

Then, even if the situation happens, it just results in the order of the requests being skipped/swapped,
as the logic there expects the request just queued to be the first request dequeued, but it becomes the 2nd one.
It results in a somewhat unexpected result, but it doesn't result in a crash, and also this is unspec-ed behavior.
Thus, this is not exploitable.

Group: javascript-core-security
Attachment #9507313 - Attachment description: (secure) → Bug 1983221 - Mark async generator with completed and with-requests as invalid. r?mgaudet!
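As an added illustration, not SpiderMonkey code and not part of the attached patch: a small synchronous JavaScript model of the spec's async-generator request queue. It shows the FIFO property the comment above relies on (the request just enqueued is dequeued first only if the queue was empty when it was enqueued) and a sanity check of the kind the attachment description names, rejecting a generator that is completed yet still holds requests. The state names follow the spec; the queue, the settlement log and the `isSaneState` helper are assumptions of the model, and real Promises are replaced by records that are settled synchronously so the order can be inspected directly.

```javascript
// Added example (not engine code): a synchronous model of the async-generator
// request queue. Assumptions: requests are plain records instead of Promises,
// and drain() runs immediately after each enqueue instead of on a microtask.

const State = Object.freeze({
  SUSPENDED_START: 'suspended-start',
  SUSPENDED_YIELD: 'suspended-yield',
  COMPLETED: 'completed',
});

class AsyncGeneratorModel {
  constructor(values) {
    this.values = values;              // values the body would yield, in order
    this.state = State.SUSPENDED_START;
    this.queue = [];                   // pending requests, FIFO
    this.settled = [];                 // settlement log, in settlement order
  }

  // AsyncGeneratorEnqueue: append a request record standing in for the promise.
  enqueue(kind, value) {
    const record = { kind, value, status: 'pending', result: undefined };
    this.queue.push(record);
    return record;
  }

  // AsyncGeneratorCompleteStep: always settles the HEAD of the queue, so
  // settlement order equals enqueue order.
  completeStep(status, result) {
    const req = this.queue.shift();
    req.status = status;
    req.result = result;
    this.settled.push(req);
  }

  // Simplified AsyncGeneratorDrainQueue / resume: serve requests until the
  // queue is empty.
  drain() {
    while (this.queue.length > 0) {
      const req = this.queue[0];
      if (this.state === State.COMPLETED) {
        if (req.kind === 'next') this.completeStep('fulfilled', { value: undefined, done: true });
        else if (req.kind === 'return') this.completeStep('fulfilled', { value: req.value, done: true });
        else this.completeStep('rejected', req.value);
        continue;
      }
      if (req.kind === 'return' || req.kind === 'throw') {
        // return/throw on a suspended generator (no try/finally modelled)
        // completes it; the request is then settled from the completed state.
        this.state = State.COMPLETED;
        continue;
      }
      // 'next': run the body to its next yield, or to completion.
      if (this.values.length > 0) {
        this.state = State.SUSPENDED_YIELD;
        this.completeStep('fulfilled', { value: this.values.shift(), done: false });
      } else {
        this.state = State.COMPLETED;
        this.completeStep('fulfilled', { value: undefined, done: true });
      }
    }
  }

  next(v)   { const r = this.enqueue('next', v);   this.drain(); return r; }
  return(v) { const r = this.enqueue('return', v); this.drain(); return r; }
  throw(e)  { const r = this.enqueue('throw', e);  this.drain(); return r; }
}

// Sanity check modelled on the attachment description: a completed generator
// must not still hold requests, otherwise a newly enqueued request would not
// be the first one dequeued. Evaluated before a new request is enqueued.
function isSaneState(gen) {
  return !(gen.state === State.COMPLETED && gen.queue.length > 0);
}

// Normal case: three requests on a live generator settle in enqueue order.
function demoFifoOrder() {
  const gen = new AsyncGeneratorModel([1, 2]);
  gen.next();
  gen.return('done');
  gen.next();
  return gen.settled.map((r) => r.kind);   // ['next', 'return', 'next']
}

// Invalid case: a request enqueued without draining (standing in for the
// debugger hook in the testcase) is served before a later return() request.
function demoStaleRequest() {
  const gen = new AsyncGeneratorModel([]);
  gen.next();                                          // completes, queue drained
  const stale = gen.enqueue('throw', new Error('stale (constructed)'));
  const saneBefore = isSaneState(gen);                 // false
  const ret = gen.return('late');
  return {
    saneBefore,
    settledKinds: gen.settled.map((r) => r.kind),      // ['next', 'throw', 'return']
    returnServedAfterStale: gen.settled.indexOf(ret) > gen.settled.indexOf(stale),
  };
}

console.log(demoFifoOrder(), demoStaleRequest());
```

The second demo reproduces the order swap the comment describes: the return() request is not the head of the queue when it is dequeued, so the generator settles the stale request first and the new one afterwards. The check flags that state before return() is made, which is the condition the patch marks as invalid.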

Set release status flags based on info from the regressing bug 1978510

Severity: -- → S3
Priority: -- → P2
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch
Flags: sec-bounty? → sec-bounty-
QA Whiteboard: [qa-triage-done-c145/b144]