Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:416
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox73 | --- | unaffected |
firefox74 | --- | unaffected |
firefox75 | + | fixed |
People
(Reporter: decoder, Assigned: anba)
References
(Regression)
Details
(6 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,bisect][post-critsmash-triage])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20200218-df596657bebc (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=0 test.js):
class current extends(/x/) {
;;
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000558392a49d5f in js::RunScript(JSContext*, js::RunState&) ()
#0 0x0000558392a49d5f in js::RunScript(JSContext*, js::RunState&) ()
#1 0x0000558392a5f483 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#2 0x0000558392a60a60 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#3 0x0000558392bdb329 in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::MutableHandle<JS::Value>) ()
#4 0x0000558392f24053 in js::ValueToSource(JSContext*, JS::Handle<JS::Value>) ()
#5 0x0000558392c46343 in js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) ()
#6 0x0000558392d76a7d in js::ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, char const*, char const*) ()
#7 0x0000558392a63a41 in js::CheckClassHeritageOperation(JSContext*, JS::Handle<JS::Value>) ()
#8 0x00000a2d15f45b15 in ?? ()
#9 0x0000000000000000 in ?? ()
rax 0x558393fe654f 94023611999567
rbx 0x7f1032c41000 139707547914240
rcx 0x558395093850 94023629486160
rdx 0x0 0
rsi 0x7f1033d2b770 139707565651824
rdi 0x7f1033d2a540 139707565647168
rbp 0x7ffd2a319cf0 140725311347952
rsp 0x7ffd2a319ca0 140725311347872
r8 0x7f1033d2b770 139707565651824
r9 0x7f1034e24d00 139707583450368
r10 0x58 88
r11 0x7f10339d27a0 139707562141600
r12 0x7f1032c27000 139707547807744
r13 0x7ffd2a319df0 140725311348208
r14 0x7ffd2a319d40 140725311348032
r15 0x7ffd2a319d20 140725311348000
rip 0x558392a49d5f <js::RunScript(JSContext*, js::RunState&)+943>
=> 0x558392a49d5f <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+943>: movl $0x1a0,0x0
0x558392a49d6a <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+954>: callq 0x55839296747e <abort>
Reporter | ||
Comment 1•5 years ago
|
||
Reporter | ||
Updated•5 years ago
|
Comment 2•5 years ago
|
||
NI André because this is likely from the class-related patches.
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Comment 3•5 years ago
|
||
CheckClassHeritageOperation
calls ReportIsNotFunction
for non-callable
objects and ReportIsNotFunction
can end up in ValueToSource
, which in turn
can invoke a user-defined toSource
function. That means MCheckClassHeritage
must be treated as an effectful operation.
When bug 1418769 is fixed, it should be possible to revert this change, because
then user-defined toSource
functions are no longer called.
Updated•5 years ago
|
Assignee | ||
Comment 4•5 years ago
|
||
CheckClassHeritageOperation
can invoke a user-defined toSource
function via ValueToSource
, so MCheckClassHeritage
must be treated as an effectful operation - at least until bug 1418769 is fixed. The bug is only reproducible on the shell and in system-code, because toSource
is already today no longer present for non-chrome code (bug 1565170).
Assignee | ||
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 5•5 years ago
|
||
Comment 6•5 years ago
|
||
Updated•5 years ago
|
Comment 7•5 years ago
|
||
Comment 9•5 years ago
|
||
Bob, can you file a new (security) bug for that? It's a different issue.
Assignee | ||
Comment 10•5 years ago
|
||
This is a generic assertion, it can be triggered by any instruction which can run code, but isn't marked as effectful.
In this case it looks like the issue is tied to MNewArray
. MNewArray is marked as non-effectful, but can also trigger GC (see the attached stacktrace). Unfortunately MNewArray
isn't the only MIR node with is marked as non-effectful, but can also run GC, so I think in this case we may need to prohibit the GC from running its callback, because apparently the callback can run any code.
Updated•5 years ago
|
Updated•4 years ago
|
Description
•