Open Bug 1822965 Opened 1 year ago Updated 1 year ago

Gecko failure at: JSObject::maybeUnwrapAs

Categories

(Core :: JavaScript Engine, defect, P2)

defect


People

(Reporter: phambao1340, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Run the following JavaScript in the SpiderMonkey shell (the backtrace below shows it run as `js ee.js`); it relies on the shell-only test helpers `newGlobal`, `nukeAllCCWs` and `gc` plus the `Debugger` API:

// Shell repro. An Error thrown by a Debugger.Object method in the debuggee's
// compartment apparently keeps its captured stack as a cross-compartment
// wrapper (CCW) to a SavedFrame; nuking all CCWs and then reading `.stack`
// unwraps a dead wrapper and hits MOZ_CRASH("Invalid object. Dead wrapper?")
// in JSObject::maybeUnwrapAs (backtrace: ErrorObject::getStack ->
// JS::BuildStackString -> js::UnwrapSavedFrame).
const o1 = {
    "newCompartment": true,   // debuggee global gets its own compartment, so references to it are CCWs
};
const v3 = newGlobal(o1);                 // shell-only helper
const v6 = Debugger().addDebuggee(v3);    // Debugger.Object for the new global
const o9 = {
    "value": 2,
};
const o10 = {
    "p": o9,   // conflicting descriptor for `p` (defined below with the default non-writable/non-configurable attributes)
};
let v11 = undefined;   // receives the error thrown by defineProperties
v3.eval(("obj = (" + "Object.create(null, {p: {value: 1}})") + ");");   // data property `p`, attributes default to false
const v19 = v6.getOwnPropertyDescriptor("obj").value;   // Debugger.Object wrapping the debuggee's `obj`
try {
    v19.defineProperties(o10);   // redefining `p` with a different value is expected to throw (TypeError)
} catch(e21) {
    v11 = e21;
    nukeAllCCWs();   // shell-only: every cross-compartment wrapper becomes a DeadObjectProxy, including the one to the error's SavedFrame
}
v11.stack;   // getter unwraps the now-dead SavedFrame wrapper -> MOZ_CRASH in maybeUnwrapAs<js::SavedFrame>
gc();        // not reached when the crash reproduces

Gecko failure output (SpiderMonkey shell: crash message, shell stack, then gdb backtrace):

/*
// Hit MOZ_CRASH(Invalid object. Dead wrapper?) at /home/builder/firefox/js/src/vm/JSObject.h:636
// #01: ???[/home/s/sm/js +0x1de56bb]
// #02: ???[/home/s/sm/js +0x1de5451]
// #03: JS::BuildStackString(JSContext*, JSPrincipals*, JS::Handle<JSObject*>, JS::MutableHandle<JSString*>, unsigned long, js::StackFormat)[/home/s/sm/js +0x1de8866]
// #04: ???[/home/s/sm/js +0x1b4a6dc]
// #05: ???[/home/s/sm/js +0x1b4a047]
// #06: ???[/home/s/sm/js +0x1955984]
// #07: ???[/home/s/sm/js +0x1954dce]
// #08: ???[/home/s/sm/js +0x1956ca2]
// #09: ???[/home/s/sm/js +0x1958380]
// #10: ???[/home/s/sm/js +0x1cbd5ff]
// #11: ???[/home/s/sm/js +0x1cbe1fc]
// #12: ???[/home/s/sm/js +0x189b19f]
// #13: ???[/home/s/sm/js +0x195cc62]
// #14: ???[/home/s/sm/js +0x1943eb8]
// #15: ???[/home/s/sm/js +0x193b445]
// #16: ???[/home/s/sm/js +0x1958b12]
// #17: ???[/home/s/sm/js +0x19591c1]
// #18: ???[/home/s/sm/js +0x1afebe6]
// #19: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/s/sm/js +0x1afeec0]
// #20: ???[/home/s/sm/js +0x1834eb4]
// #21: ???[/home/s/sm/js +0x182e4f0]
// #22: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x24083]
// #23: ???[/home/s/sm/js +0x17f8a49]
// #24: ??? (???:???)

Backtrace

#0  JSObject::maybeUnwrapAs<js::SavedFrame> (this=<optimized out>) at /home/s/gecko-dev/js/src/vm/JSObject.h:643
#1  0x0000555557340ef1 in js::UnwrapSavedFrame (cx=cx@entry=0x7ffff6630100, principals=principals@entry=0x0, obj=obj@entry=..., selfHosted=selfHosted@entry=JS::SavedFrameSelfHosted::Exclude, skippedAsync=@0x7fffffffc91f: 170) at /home/s/gecko-dev/js/src/vm/SavedStacks.cpp:736
#2  0x0000555557344306 in JS::BuildStackString (cx=cx@entry=0x7ffff6630100, principals=principals@entry=0x0, stack=stack@entry=..., stringp=stringp@entry=..., indent=indent@entry=0, format=js::StackFormat::SpiderMonkey, format@entry=js::StackFormat::Default) at /home/s/gecko-dev/js/src/vm/SavedStacks.cpp:1038
#3  0x00005555570a7c1c in js::ErrorObject::getStack_impl (cx=cx@entry=0x7ffff6630100, args=...) at /home/s/gecko-dev/js/src/vm/ErrorObject.cpp:673
#4  0x00005555570a7587 in JS::CallNonGenericMethod<&(IsObject(JS::Handle<JS::Value>)), &js::ErrorObject::getStack_impl> (cx=0x7ffff6630100, args=...) at /home/s/gecko-dev/obj-fuzzbuild/dist/include/js/CallNonGenericMethod.h:103
#5  js::ErrorObject::getStack (cx=cx@entry=0x7ffff6630100, argc=0, vp=<optimized out>) at /home/s/gecko-dev/js/src/vm/ErrorObject.cpp:650
#6  0x0000555556ead9f4 in CallJSNative (cx=cx@entry=0x7ffff6630100, native=native@entry=0x5555570a74b0 <js::ErrorObject::getStack(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Getter, args=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:459
#7  0x0000555556eacdbe in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6630100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Getter, reason@entry=4294954304) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:553
#8  0x0000555556eaeb26 in InternalCall (cx=0x7ffff7c30a60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6630100, args=..., reason=1497838384, reason@entry=js::CallReason::Getter) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:620
#9  0x0000555556eaed12 in js::Call (cx=cx@entry=0x7ffff6630100, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=..., reason=reason@entry=js::CallReason::Getter) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:652
#10 0x0000555556eb03f0 in js::CallGetter (cx=0x7ffff6630100, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:774
#11 0x0000555557248e5f in CallGetter (cx=0x7ffff7c30a60 <_IO_stdfile_2_lock>, obj=..., receiver=..., id=..., prop=..., vp=...) at /home/s/gecko-dev/js/src/vm/NativeObject.cpp:2020
#12 GetExistingProperty<(js::AllowGC)1> (cx=cx@entry=0x7ffff6630100, receiver=receiver@entry=..., obj=obj@entry=..., id=id@entry=..., prop=..., vp=...) at /home/s/gecko-dev/js/src/vm/NativeObject.cpp:2048
#13 0x0000555557249a5c in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff6630100, cx@entry=0x7fffffffcf08, obj=obj@entry=..., receiver=..., receiver@entry=..., id=..., id@entry=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at /home/s/gecko-dev/js/src/vm/NativeObject.cpp:2196
#14 0x00005555572496f1 in js::NativeGetProperty (cx=0x7ffff7c30a60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6630100, obj=..., obj@entry=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at /home/s/gecko-dev/js/src/vm/NativeObject.cpp:2227
#15 0x0000555556df30af in js::GetProperty (cx=0x7ffff6630100, obj=..., receiver=..., vp=..., id=...) at /home/s/gecko-dev/js/src/vm/ObjectOperations-inl.h:118
#16 js::GetProperty (cx=<optimized out>, obj=..., receiver=..., name=<optimized out>, vp=...) at /home/s/gecko-dev/js/src/vm/ObjectOperations-inl.h:125
#17 0x0000555556eb4cd2 in js::GetProperty (cx=cx@entry=0x7ffff6630100, v=..., name=name@entry=..., vp=vp@entry=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:4726
#18 0x0000555556e9bea8 in GetPropertyOperation (cx=0x7ffff6630100, vp=..., name=..., lval=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:245
#19 Interpret (cx=cx@entry=0x7ffff6630100, state=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:3023
#20 0x0000555556e93435 in js::RunScript (cx=cx@entry=0x7ffff6630100, state=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:431
#21 0x0000555556eb0b82 in js::ExecuteKernel (cx=cx@entry=0x7ffff6630100, script=script@entry=..., envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:818
#22 0x0000555556eb1231 in js::Execute (cx=cx@entry=0x7ffff6630100, script=script@entry=..., envChain=..., rval=rval@entry=...) at /home/s/gecko-dev/js/src/vm/Interpreter.cpp:850
#23 0x000055555705ef46 in ExecuteScript (cx=cx@entry=0x7ffff6630100, envChain=..., script=..., rval=rval@entry=...) at /home/s/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:472
#24 0x000055555705f220 in JS_ExecuteScript (cx=cx@entry=0x7ffff6630100, scriptArg=scriptArg@entry=...) at /home/s/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:496
#25 0x0000555556dc9550 in RunFile (cx=0x7ffff6630100, filename=0x7fffffffe345 "ee.js", file=<optimized out>, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimized out>) at /home/s/gecko-dev/js/src/shell/js.cpp:1098
#26 0x0000555556dc89f5 in Process (cx=cx@entry=0x7ffff6630100, filename=0x0, forceTTY=false, kind=kind@entry=FileScript) at /home/s/gecko-dev/js/src/shell/js.cpp:1697
#27 0x0000555556d8a53f in ProcessArgs (cx=0x7ffff6630100, op=0x7fffffffdd18) at /home/s/gecko-dev/js/src/shell/js.cpp:10584
#28 Shell (cx=0x7ffff6630100, op=op@entry=0x7fffffffdd18) at /home/s/gecko-dev/js/src/shell/js.cpp:10808
#29 0x0000555556d84027 in main (argc=argc@entry=8, argv=argv@entry=0x7fffffffdfa8) at /home/s/gecko-dev/js/src/shell/js.cpp:11240
#30 0x00007ffff7a3ed90 in __libc_start_call_main (main=main@entry=0x555556d83810 <main(int, char**)>, argc=argc@entry=8, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58
#31 0x00007ffff7a3ee40 in __libc_start_main_impl (main=0x555556d83810 <main(int, char**)>, argc=8, argv=0x7fffffffdfa8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392
#32 0x0000555556d50a89 in _start ()
*/
Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk

We get a DeadObjectProxy in maybeUnwrapAs under js::UnwrapSavedFrame: the error's SavedFrame lives in another compartment, `nukeAllCCWs()` in the catch block turns its cross-compartment wrapper into a dead proxy, and the subsequent `v11.stack` getter (ErrorObject::getStack → JS::BuildStackString → js::UnwrapSavedFrame) tries to unwrap it.

Probably not security sensitive: maybeUnwrapAs hits MOZ_CRASH (a deterministic abort) before the dead wrapper is dereferenced, so this is a controlled crash (DoS-class) rather than a memory-safety issue. Note the repro depends on the shell-only `nukeAllCCWs()`; whether an equivalent wrapper-nuking path (e.g. compartment/window teardown) makes this reachable from content has not been assessed here. The fix should make UnwrapSavedFrame tolerate a dead wrapper rather than crash.

Severity: -- → S4
Priority: -- → P2
Group: javascript-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true