Closed
Bug 2008675
Opened 2 months ago
Closed 2 months ago
Assertion failure: numDebuggeeRealms_ <= numRealms, at vm/Runtime.cpp:796
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED
FIXED
148 Branch
| Tracking | Status | |
|---|---|---|
| firefox148 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, testcase)
Attachments
(2 files)
```js
var x = Debugger();
var y = newGlobal({ newCompartment: true });
// Both the frame hook and String.toString remove and re-add the debuggee global.
x.onEnterFrame = String.toString = function () {
  x.removeDebuggee(y);
  x.addDebuggee(y);
};
function f() {
  var x = String;
  x = x - 1;    // ToPrimitive on the String constructor calls String.toString, i.e. the hook above
  oomTest(f);   // shell testing function: re-runs f with allocation failures injected
}
f();
```
```
(gdb) bt
#0 0x000055555836217a in MOZ_CrashSequence (aAddress=0x0, aLine=796)
at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-b62e07429bc9-602209/objdir-js/dist/include/mozilla/Assertions.h:237
#1 JSRuntime::incrementNumDebuggeeRealms (this=0x7ffff5e2e000) at /home/msf2/trees/firefox/js/src/vm/Runtime.cpp:796
#2 0x000055555761a82b in js::Debugger::addDebuggeeGlobal (this=0x7ffff5b98000, cx=0x7ffff5e39e00, global=...)
at /home/msf2/trees/firefox/js/src/debugger/Debugger.cpp:5085
#3 0x0000555557619f49 in js::Debugger::CallData::addDebuggee (this=this@entry=0x7fffffffb790)
at /home/msf2/trees/firefox/js/src/debugger/Debugger.cpp:4728
#4 0x00005555576501a7 in js::Debugger::CallData::ToNative<&js::Debugger::CallData::addDebuggee> (cx=cx@entry=0x7ffff5e39e00, argc=<optimized out>,
vp=<optimized out>) at /home/msf2/trees/firefox/js/src/debugger/Debugger.cpp:4318
#5 0x00005555582c1725 in CallJSNative (cx=cx@entry=0x7ffff5e39e00,
native=0x555557650110 <js::Debugger::CallData::ToNative<&js::Debugger::CallData::addDebuggee>(JSContext*, unsigned int, JS::Value*)>,
reason=<optimized out>, args=...) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:490
```
/snip
This seems to go as far back as gh rev: https://github.com/mozilla-firefox/firefox/commit/564a36e5a3ae
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev b62e07429bc900cd3b964834255d9282910bbc39.
Might this be related to bug 1546620? Jan, any thoughts?
Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Updated•2 months ago
Group: core-security → javascript-core-security
Comment 1•2 months ago
At a glance it doesn't look like numDebuggeeRealms_ is used for anything security sensitive. Basically it is only used to toggleDebuggerInstrumentation on or off.
Updated•2 months ago (Assignee)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Updated•2 months ago
Severity: -- → S3
Priority: -- → P1
Comment 2•2 months ago (Assignee)
An OOM handling issue in the debugger code.
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Comment 3•2 months ago (Assignee)
Pushed by jdemooij@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/48897b0f83d4
https://hg.mozilla.org/integration/autoland/rev/0b46c24048bf
Call unsetIsDebuggee if needed when handling OOM in AutoRestoreRealmDebugMode. r=jonco
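The rollback described in that commit message, modeled as an added example (not SpiderMonkey source): a realm flag and a runtime counter that must change together, an RAII guard in the style of AutoRestoreRealmDebugMode, and the remove/add cycle from the testcase driven with injected allocation failures. The names, the setIsDebuggee/unsetIsDebuggee shape and the exact failure mechanism are assumptions inferred from the assertion and the commit message.

```cpp
#include <cstdint>

// Hypothetical model (added example, not SpiderMonkey source) of the counter
// behind the assertion: each realm flagged as a debuggee is counted once, so
// numDebuggeeRealms must never exceed numRealms.
struct Runtime {
  uint32_t numRealms = 1;          // constructed: one global, as in the testcase
  uint32_t numDebuggeeRealms = 0;
  bool invariantHolds() const { return numDebuggeeRealms <= numRealms; }
};

struct Realm {
  Runtime* rt;
  bool isDebuggee = false;
  // Flag and counter always change together (assumed setIsDebuggee/unsetIsDebuggee shape).
  void setIsDebuggee() { if (!isDebuggee) { isDebuggee = true; rt->numDebuggeeRealms++; } }
  void unsetIsDebuggee() { if (isDebuggee) { isDebuggee = false; rt->numDebuggeeRealms--; } }
};

// RAII guard that undoes a half-finished addDebuggee when an allocation fails.
struct AutoRestoreRealmDebugMode {
  Realm& realm; bool wasDebuggee; bool fixedVariant; bool committed = false;
  AutoRestoreRealmDebugMode(Realm& r, bool fixed)
      : realm(r), wasDebuggee(r.isDebuggee), fixedVariant(fixed) {}
  ~AutoRestoreRealmDebugMode() {
    if (committed || wasDebuggee) return;
    if (fixedVariant) realm.unsetIsDebuggee(); // flag and counter rolled back together
    else realm.isDebuggee = false;             // old behaviour: flag cleared, counter left high
  }
};

// Simulated addDebuggee: flag the realm, then perform an allocation that may fail.
bool addDebuggee(Realm& r, bool oom, bool fixed) {
  AutoRestoreRealmDebugMode guard(r, fixed);
  r.setIsDebuggee();
  if (oom) return false;  // injected allocation failure; the guard rolls back
  guard.committed = true;
  return true;
}

// The removeDebuggee/addDebuggee cycle from the testcase, OOM injected on every add.
// With the old rollback the counter climbs by one per cycle; with the fix it stays at 0.
Runtime driveCycles(bool fixed, int cycles) {
  Runtime rt;
  Realm realm{&rt};
  for (int i = 0; i < cycles; i++) {
    realm.unsetIsDebuggee();                // removeDebuggee
    addDebuggee(realm, /*oom=*/true, fixed);
  }
  return rt;
}
```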
Comment 5•2 months ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch
Updated•2 months ago
Flags: sec-bounty? → sec-bounty-
Updated•2 months ago
QA Whiteboard: [qa-triage-done-c149/b148]