Closed Bug 1366096 Opened 8 years ago Closed 8 years ago

Javascript Hits Hard Assert in SIMD

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
49 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 - wontfix
firefox55 - fixed

People

(Reporter: natashenka, Assigned: jolesen)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 1 obsolete file)

ff_crash.html
7.11 KB, text/html
Details
Bug 1366096 - SIMD globals with 8x16 and 16x8 types.
59 bytes, text/x-review-board-request
bbouvier
: review+
jolesen
: review+
Details
Attached file ff_crash.html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce: Loaded the attached html file in the browser Actual results: Firefox crashes due to hitting MOZ_ASSERT. I found this issue during security testing, and I don't think it is a security problem, but I set the security flag because I'm not 100% sure you can't do anything bad before hitting the assert. Expected results: The page works correctly (this is a unit test from ChakraCore).
Nightly crash report: https://crash-stats.mozilla.com/report/index/9424fe1b-9658-4742-9521-2d4750170519 In a debug build: Hit MOZ_CRASH(unexpected type in visitWasmStoreGlobalVar) at c:/builds/moz2_slave/m-in-w64-d-0000000000000000000/build/src/js/src/jit/shared/CodeGenerator-shared.cpp:1622 INFO: Last good revision: e5f0088f8ca2ebd070812488f4296e81ca111ad2 INFO: First bad revision: c19c99878a6076e928690f45b37403b110cd5482 INFO: Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e5f0088f8ca2ebd070812488f4296e81ca111ad2&tochange=c19c99878a6076e928690f45b37403b110cd5482 INFO: Looks like the following bug has the changes which introduced the regression: https://bugzilla.mozilla.org/show_bug.cgi?id=1136226 Not sure this is s-s since we're hitting an intentional crash. Can you please take a look, Dan?
Blocks: 1136226
Group: firefox-core-security → javascript-core-security
Status: UNCONFIRMED → NEW
Crash Signature: [@ js::jit::CodeGeneratorShared::visitWasmStoreGlobalVar ]
Has Regression Range: --- → yes
status-firefox53: --- → wontfix
status-firefox54: --- → affected
status-firefox55: --- → affected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → affected
tracking-firefox54: --- → ?
tracking-firefox55: --- → ?
tracking-firefox-esr52: --- → ?
Component: Untriaged → JavaScript Engine
Ever confirmed: true
Flags: needinfo?(sunfish)
Keywords: crash
Product: Firefox → Core
Version: Trunk → 49 Branch
Sorry, phonebook fail. Jakob, maybe you can look :)
Flags: needinfo?(sunfish) → needinfo?(jolesen)
SIMD is Nightly-only, so this doesn't affect any release branches.
Crashes for me on release builds going back to 49.
The constructors are not exposed in 49, but it looks like we're not gating the AOT compilation. The code will never be able run (b/c it will fail instantiation), but the crash happens during compilation.
I don't think there are any security implications of this crash other than the denial of service from crashing a tab. I am surprised you can get this far on a release branch, though. Luke, I'll fix the visitWasmStoreGlobalVar() function which seems to be just an omission. Should we also try to gate SIMD asm.js compilation earlier somehow?
Assignee: nobody → jolesen
Flags: needinfo?(jolesen)
I think it's probably not necessary at this point unless we think there are more of these.
Add support for asm.js global variables with the following types: Int8x16, Bool8x16, Int16x8, Bool16x8. We already have the needed code generation support, but tests were missing for these types, and so their types were omitted from some critical switches. MozReview-Commit-ID: B4r7VofjlYL
Attachment #8869616 - Flags: review?(bbouvier)
Group: javascript-core-security
Attachment #8869616 - Attachment is obsolete: true
Attachment #8869616 - Flags: review?(bbouvier)
Comment on attachment 8869626 [details] Bug 1366096 - SIMD globals with 8x16 and 16x8 types. https://reviewboard.mozilla.org/r/141208/#review144864 Looks good, thank you for the patch! ::: js/src/wasm/AsmJS.cpp:7512 (Diff revision 1) > { > // Unsigned SIMD types are not allowed in function signatures. > - if (IsVectorObject<Int32x4>(v) || IsVectorObject<Float32x4>(v) || IsVectorObject<Bool32x4>(v)) > + if (IsVectorObject<Int32x4>(v) || IsVectorObject<Int16x8>(v) || IsVectorObject<Int8x16>(v) || > + IsVectorObject<Bool32x4>(v) || IsVectorObject<Bool16x8>(v) || > + IsVectorObject<Bool8x16>(v) || IsVectorObject<Float32x4>(v)) > return true; nit: needs {} now that the if is on several lines
Attachment #8869626 - Flags: review?(bbouvier) → review+
Track 54- as the volume of the crash is low and there is no security implication from the crash.
tracking-firefox54: ?-
Likewise for 55, I guess.
tracking-firefox55: ?-
Comment on attachment 8869626 [details] Bug 1366096 - SIMD globals with 8x16 and 16x8 types. https://reviewboard.mozilla.org/r/141208/#review145232 Added braces to multiline conditional.
Attachment #8869626 - Flags: review+
Pushed by jolesen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/96d3b13f0835 SIMD globals with 8x16 and 16x8 types. r=bbouvier
I re-ran the Chakra tests, with this fix they all pass now. Yay!
https://hg.mozilla.org/mozilla-central/rev/96d3b13f0835
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
I don't think we're hitting this crash in the wild at all. Should we just let this ride the trains or did you still want to nominate this for uplift?
Flags: needinfo?(jolesen)
I don't think we need to uplift this. Just let it ride the trains.
Flags: needinfo?(jolesen)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: