Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:407
Categories
(Core :: JavaScript Engine, defect)
Tracking
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox145 | --- | unaffected |
| firefox146 | --- | unaffected |
| firefox147 | --- | fixed |
People
(Reporter: gkw, Assigned: alexical)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords)
Attachments
(2 files)
for (var i = 0 ; i < 99 ; i++) {
[].__proto__.__proto__ = new Proxy(Object, Object);
Object.keys([]);
}
(gdb) bt
#0 0x0000555557370638 in MOZ_CrashSequence (aAddress=0x0, aLine=407)
at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-256e8bad1a52-598750/objdir-js/dist/include/mozilla/Assertions.h:237
#1 js::RunScript (cx=cx@entry=0x7ffff5e3c200, state=...) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:406
#2 0x00005555573710fc in js::InternalCallOrConstruct (cx=0x7ffff5e3c200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=<optimized out>)
at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:618
#3 0x0000555557371da8 in InternalCall (cx=<optimized out>, args=..., reason=407, reason@entry=js::CallReason::Call)
at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:653
#4 0x0000555557371fbd in js::Call (cx=<optimized out>, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=...,
reason=reason@entry=js::CallReason::Call) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:685
#5 0x00005555574399a7 in js::Call (cx=0x7ffff5e3c200, fval=..., thisObj=<optimized out>, arg0=..., arg1=..., rval=...)
at /home/msf2/trees/firefox/js/src/vm/Interpreter.h:145
/snip
7c0e78c0e457-597167
7c0e78c0e4575dda295abed143b32888ac5a8f5d is the first interesting commit
commit 7c0e78c0e4575dda295abed143b32888ac5a8f5d
Author: Alex Thayer
Date: Wed Nov 19 21:05:46 2025 +0000
Bug 1995077 - Integrate with existing iterator indices optimizations r=iain
Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev 256e8bad1a52af07e29574baf4aaf02f05b39d93.
Note that a previous similar-looking bug 1853180 was marked sec-moderate.
Alex/Iain, is bug 1995077 a likely regressor?
Updated•7 months ago
Comment 1•7 months ago
Set release status flags based on info from the regressing bug 1995077
Updated•6 months ago
Comment 2•6 months ago
Comment 3•6 months ago
Our fuzzers are hitting this multiple times a day, also. See bug 1897240. Could be a different triggering issue, especially since yours was a more recent regression.
Updated•6 months ago
Comment 4•6 months ago
10 bugs on this assertion, with at least 7 different fixes
https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20sum%3A%22Assertion%20failure%3A%20!cx-%3Eruntime()-%3EjitRuntime()-%3EdisallowArbitraryCode()%22
Comment 5•6 months ago
This is a fairly general assertion that can catch a variety of problems. Bug 1897240 is a case where it is likely too picky, but it's hard to be completely sure. This is a real bug, though, and probably exploitable.
Comment 6•6 months ago
(In reply to Iain Ireland [:iain] from comment #5)
> This is a real bug, though, and probably exploitable.
Just checking, sec-moderate is still the most appropriate here, in case it's a different problem?
Comment 8•6 months ago
Updated•6 months ago
Comment 9•6 months ago
This is a more significant bug than bug 1897240. It's probably exploitable. Consider a case where we're indexing into an array twice at the same index with an Object.keys in between. We think that we can reuse the bounds check, but in fact the Object.keys triggers a proxy handler that shrinks the array. Suddenly we have an OOB access.
Sec-high seems reasonable to me.
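To make the mechanism in the comment above concrete, here is an added toy model (not SpiderMonkey code, and every name in it is invented) of a JIT that reuses a bounds check between two loads of the same array index. A call that can run arbitrary JS sits between the loads and, standing in for the proxy trap reached through Object.keys, shrinks the array; the flag `invalidateOnCall` is the invariant the assertion in this bug guards. With the flag off the second load trusts the stale check and reads reclaimed memory; with it on the check is redone and the index is correctly seen as out of bounds.

```javascript
// Added toy model (not SpiderMonkey code): why a bounds check must not be
// reused across a call that can run arbitrary JS. All names here are invented.

// A heap array has a logical length and a larger backing buffer, so that a
// read past `length` returns whatever happens to be in memory there.
function makeHeapArray(elements, backingCapacity) {
  const buf = new Array(backingCapacity).fill("<uninitialised>");
  elements.forEach((v, i) => { buf[i] = v; });
  return { length: elements.length, buf };
}

// Executes a straight-line sequence of toy IR ops against `heap`.
//   { op: "load", arr, idx }                      read heap[arr][env[idx]]
//   { op: "call", mayRunArbitraryCode, effect }   call into JS; `effect(heap)`
//                                                 stands in for what a proxy trap does
// `invalidateOnCall` models the invariant the assertion in this bug guards:
// when false, a later load reuses the bounds check of an earlier identical load
// even though the intervening call may have shrunk the array.
function run(ops, heap, env, invalidateOnCall) {
  const checked = new Set(); // "arr:idx" pairs whose bounds check already passed
  const values = [];
  const trace = [];
  for (const ins of ops) {
    if (ins.op === "load") {
      const a = heap[ins.arr];
      const i = env[ins.idx];
      const key = `${ins.arr}:${ins.idx}`;
      if (checked.has(key)) {
        trace.push(`reuse check ${key}`);
      } else if (i < 0 || i >= a.length) {
        trace.push(`check ${key} failed -> hole`);
        values.push(undefined);
        continue;
      } else {
        checked.add(key);
        trace.push(`check ${key} ok`);
      }
      // Fast path: no check here, which is the whole point of the optimisation.
      values.push(a.buf[i]);
    } else if (ins.op === "call") {
      trace.push("call");
      if (ins.mayRunArbitraryCode) {
        ins.effect(heap);
        if (invalidateOnCall) checked.clear(); // correct: the call may have changed any length
      }
    }
  }
  return { values, trace };
}

// Constructed scenario mirroring comment 9: load a[i], call something that
// reaches a proxy trap which shrinks `a`, then load a[i] again.
const program = [
  { op: "load", arr: "a", idx: "i" },
  {
    op: "call",
    mayRunArbitraryCode: true,
    effect: heap => {
      heap.a.length = 1;              // the trap shrinks the array...
      heap.a.buf.fill("<freed>", 1);  // ...and the engine reclaims the old slots
    },
  },
  { op: "load", arr: "a", idx: "i" },
];

function scenario(invalidateOnCall) {
  const heap = { a: makeHeapArray([10, 20, 30], 8) };
  return run(program, heap, { i: 2 }, invalidateOnCall);
}

// With the check wrongly reused the second load reads reclaimed memory;
// with invalidation it re-checks and sees that index 2 is now out of bounds.
console.log(scenario(false).values); // [ 30, '<freed>' ]
console.log(scenario(true).values);  // [ 30, undefined ]
```

The model deliberately keeps the fast-path load unchecked, because that is what the optimisation buys; the only defensible place to restore safety is at the call boundary, which is exactly what a "no arbitrary code may run here" assertion is there to enforce.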
Comment 10•6 months ago
> Just checking, sec-moderate is still the most appropriate here, in case it's a different problem?

> Sec-high seems reasonable to me.

Forwarding to Dan.
Updated•6 months ago
Comment 11•6 months ago
Not sure how much it matters, but I think this is probably csectype-jit. (Although I don't know the exact definitions of the various categories. Are they written down anywhere?)
Updated•6 months ago
Updated•6 months ago
Updated•1 month ago