Closed Bug 1616535 Opened 5 years ago Closed 5 years ago

Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:416

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 + fixed

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(6 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,bisect][post-critsmash-triage])

Attachments

(3 files)

Testcase
(deleted), text/plain
Details
Bug 1616535: MCheckClassHeritage can be effectful because the error case can invoke toSource. r=jandem!
(deleted), text/x-phabricator-request
Details
Fedora stack
(deleted), text/plain
Details

The following testcase crashes on mozilla-central revision 20200218-df596657bebc (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=0 test.js):

class current extends(/x/) {
    ;;
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000558392a49d5f in js::RunScript(JSContext*, js::RunState&) ()
#0  0x0000558392a49d5f in js::RunScript(JSContext*, js::RunState&) ()
#1  0x0000558392a5f483 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#2  0x0000558392a60a60 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#3  0x0000558392bdb329 in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::MutableHandle<JS::Value>) ()
#4  0x0000558392f24053 in js::ValueToSource(JSContext*, JS::Handle<JS::Value>) ()
#5  0x0000558392c46343 in js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) ()
#6  0x0000558392d76a7d in js::ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, char const*, char const*) ()
#7  0x0000558392a63a41 in js::CheckClassHeritageOperation(JSContext*, JS::Handle<JS::Value>) ()
#8  0x00000a2d15f45b15 in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0x558393fe654f	94023611999567
rbx	0x7f1032c41000	139707547914240
rcx	0x558395093850	94023629486160
rdx	0x0	0
rsi	0x7f1033d2b770	139707565651824
rdi	0x7f1033d2a540	139707565647168
rbp	0x7ffd2a319cf0	140725311347952
rsp	0x7ffd2a319ca0	140725311347872
r8	0x7f1033d2b770	139707565651824
r9	0x7f1034e24d00	139707583450368
r10	0x58	88
r11	0x7f10339d27a0	139707562141600
r12	0x7f1032c27000	139707547807744
r13	0x7ffd2a319df0	140725311348208
r14	0x7ffd2a319d40	140725311348032
r15	0x7ffd2a319d20	140725311348000
rip	0x558392a49d5f <js::RunScript(JSContext*, js::RunState&)+943>
=> 0x558392a49d5f <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+943>:	movl   $0x1a0,0x0
   0x558392a49d6a <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+954>:	callq  0x55839296747e <abort>
Attached file Testcase (deleted) —
Keywords: crash
Whiteboard: [jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update,bisect]

NI André because this is likely from the class-related patches.

Flags: needinfo?(andrebargull)
Priority: -- → P1
Regressed by: 1167472
Regressed by: 1378189
No longer regressed by: 1167472
Has Regression Range: --- → yes

CheckClassHeritageOperation calls ReportIsNotFunction for non-callable
objects and ReportIsNotFunction can end up in ValueToSource, which in turn
can invoke a user-defined toSource function. That means MCheckClassHeritage
must be treated as an effectful operation.

When bug 1418769 is fixed, it should be possible to revert this change, because
then user-defined toSource functions are no longer called.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

CheckClassHeritageOperation can invoke a user-defined toSource function via ValueToSource, so MCheckClassHeritage must be treated as an effectful operation - at least until bug 1418769 is fixed. The bug is only reproducible on the shell and in system-code, because toSource is already today no longer present for non-chrome code (bug 1565170).

Flags: needinfo?(andrebargull)

https://hg.mozilla.org/mozilla-central/rev/f17d1129403e

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox75: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: qe-verify+
Whiteboard: [fuzzblocker] [jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update,bisect][post-critsmash-triage]
Attached file Fedora stack (deleted) —
I don't think this is completely fixed. Bughunter has seen this 3 times on 2020-02-28 around 11 AM PT with builds on Linux from Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:416 mozversion INFO | application_buildid: 20200228161940 mozversion INFO | application_changeset: fc9d28ae4655254a6ef8a57ac6577545b2a42ca7 with url https://news.google.com/?hl=es-419&gl=MX&ceid=MX:es-419

see comment 7

Flags: needinfo?(andrebargull)

Bob, can you file a new (security) bug for that? It's a different issue.

Flags: needinfo?(andrebargull) → needinfo?(bob)

This is a generic assertion, it can be triggered by any instruction which can run code, but isn't marked as effectful.

In this case it looks like the issue is tied to MNewArray. MNewArray is marked as non-effectful, but can also trigger GC (see the attached stacktrace). Unfortunately MNewArray isn't the only MIR node with is marked as non-effectful, but can also run GC, so I think in this case we may need to prohibit the GC from running its callback, because apparently the callback can run any code.

Flags: needinfo?(bob)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: