Closed Bug 1813565 Opened 2 years ago Closed 2 years ago

Assertion failure: whyMagic() == why, at dist/include/js/Value.h:863

Category: Core :: JavaScript Engine (task, P2)

Status: RESOLVED DUPLICATE of bug 1812979

Reporter: saelo; Assignee: Unassigned

References: Blocks 1 open bug

Attachments: 1 file

The attached sample triggers an assertion failure in SpiderMonkey debug builds from current HEAD. Here is the backtrace from gdb:

#0  0x000055555752a638 in JS::Value::isMagic (this=0x7fffffff9e28, why=JS_ION_ERROR) at obj-debug/dist/include/js/Value.h:863
#1  0x000055555775a453 in js::WrappedPtrOperations<JS::Value, JS::Rooted<JS::Value>, void>::isMagic (this=0x7fffffff9e18, why=JS_ION_ERROR) at obj-debug/dist/include/js/Value.h:1332
#2  0x000055555852bfdf in EnterBaseline (cx=0x7ffff772f100, data=...) at js/src/jit/BaselineJIT.cpp:160
#3  0x000055555852b89a in js::jit::EnterBaselineInterpreterAtBranch (cx=0x7ffff772f100, fp=0x7ffff5675020, pc=0x7ffff5628d3b "\224\t") at js/src/jit/BaselineJIT.cpp:198
#4  0x00005555576c2fbb in Interpret (cx=0x7ffff772f100, state=...) at js/src/vm/Interpreter.cpp:2219
#5  0x00005555576c1f71 in js::RunScript (cx=0x7ffff772f100, state=...) at js/src/vm/Interpreter.cpp:431
#6  0x00005555576dae51 in js::ExecuteKernel (cx=0x7ffff772f100, script=..., envChainArg=..., evalInFrame=..., result=...) at js/src/vm/Interpreter.cpp:812
#7  0x00005555576db1c4 in js::Execute (cx=0x7ffff772f100, script=..., envChain=..., rval=...) at js/src/vm/Interpreter.cpp:844
#8  0x000055555787f03e in ExecuteScript (cx=0x7ffff772f100, envChain=..., script=..., rval=...) at js/src/vm/CompilationAndEvaluation.cpp:473
#9  0x000055555787f165 in JS_ExecuteScript (cx=0x7ffff772f100, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:497
#10 0x000055555751e42f in RunFile (cx=0x7ffff772f100, filename=0x7fffffffdc0b "crashes/program_20230122010834_1BFE7704-D67D-473E-B239-A23576660167_deterministic.js", file=0x7ffff7862020, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false) at js/src/shell/js.cpp:1059
#11 0x000055555751dd05 in Process (cx=0x7ffff772f100, filename=0x7fffffffdc0b "crashes/program_20230122010834_1BFE7704-D67D-473E-B239-A23576660167_deterministic.js", forceTTY=false, kind=FileScript) at js/src/shell/js.cpp:1657
#12 0x00005555574f831b in ProcessArgs (cx=0x7ffff772f100, op=0x7fffffffd5e8) at js/src/shell/js.cpp:10616
#13 0x00005555574ea54b in Shell (cx=0x7ffff772f100, op=0x7fffffffd5e8) at js/src/shell/js.cpp:11323
#14 0x00005555574e5153 in main (argc=3, argv=0x7fffffffd8a8) at js/src/shell/js.cpp:12452

The sample could unfortunately not be properly minimized by Fuzzilli as it crashed during "exploration" (https://github.com/googleprojectzero/fuzzilli/blob/main/Sources/Fuzzilli/Mutators/ExplorationMutator.swift). The "real" test case is at the bottom of the file (starting at function f3(a4, a5) {); the part above it is the exploration logic.
The crash may be related to the Debugger API which is (afaik) not exposed to web content. I'm still filing this as a security issue as a precaution.

Group: core-security → javascript-core-security

Not sure about the security rating at the moment.
Iain, can you reduce the test case and figure out what the issue is here, and how severe it is?

Blocks: sm-opt-jits
Severity: -- → S4
Flags: needinfo?(iireland)
Priority: -- → P2

This is a duplicate of bug 1812979. Looks like the fix landed a few hours after this bug was opened.

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1812979
Flags: needinfo?(iireland)
Resolution: --- → DUPLICATE