Closed
Bug 1366096
Opened 7 years ago
Closed 7 years ago
Javascript Hits Hard Assert in SIMD
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: natashenka, Assigned: jolesen)
References
Details
(Keywords: crash)
Crash Data
Attachments
(2 files, 1 obsolete file)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce: Loaded the attached html file in the browser Actual results: Firefox crashes due to hitting MOZ_ASSERT. I found this issue during security testing, and I don't think it is a security problem, but I set the security flag because I'm not 100% sure you can't do anything bad before hitting the assert. Expected results: The page works correctly (this is a unit test from ChakraCore).
Comment 1•7 years ago
|
||
Nightly crash report: https://crash-stats.mozilla.com/report/index/9424fe1b-9658-4742-9521-2d4750170519 In a debug build: Hit MOZ_CRASH(unexpected type in visitWasmStoreGlobalVar) at c:/builds/moz2_slave/m-in-w64-d-0000000000000000000/build/src/js/src/jit/shared/CodeGenerator-shared.cpp:1622 INFO: Last good revision: e5f0088f8ca2ebd070812488f4296e81ca111ad2 INFO: First bad revision: c19c99878a6076e928690f45b37403b110cd5482 INFO: Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e5f0088f8ca2ebd070812488f4296e81ca111ad2&tochange=c19c99878a6076e928690f45b37403b110cd5482 INFO: Looks like the following bug has the changes which introduced the regression: https://bugzilla.mozilla.org/show_bug.cgi?id=1136226 Not sure this is s-s since we're hitting an intentional crash. Can you please take a look, Dan?
Blocks: 1136226
Group: firefox-core-security → javascript-core-security
Status: UNCONFIRMED → NEW
Crash Signature: [@ js::jit::CodeGeneratorShared::visitWasmStoreGlobalVar ]
Has Regression Range: --- → yes
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → affected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → affected
tracking-firefox54:
--- → ?
tracking-firefox55:
--- → ?
tracking-firefox-esr52:
--- → ?
Component: Untriaged → JavaScript Engine
Ever confirmed: true
Flags: needinfo?(sunfish)
Keywords: crash
Product: Firefox → Core
Version: Trunk → 49 Branch
Comment 2•7 years ago
|
||
Sorry, phonebook fail. Jakob, maybe you can look :)
Flags: needinfo?(sunfish) → needinfo?(jolesen)
Comment 3•7 years ago
|
||
SIMD is Nightly-only, so this doesn't affect any release branches.
Comment 4•7 years ago
|
||
Crashes for me on release builds going back to 49.
Comment 5•7 years ago
|
||
The constructors are not exposed in 49, but it looks like we're not gating the AOT compilation. The code will never be able run (b/c it will fail instantiation), but the crash happens during compilation.
Assignee | ||
Comment 6•7 years ago
|
||
I don't think there are any security implications of this crash other than the denial of service from crashing a tab. I am surprised you can get this far on a release branch, though. Luke, I'll fix the visitWasmStoreGlobalVar() function which seems to be just an omission. Should we also try to gate SIMD asm.js compilation earlier somehow?
Assignee: nobody → jolesen
Flags: needinfo?(jolesen)
Comment 7•7 years ago
|
||
I think it's probably not necessary at this point unless we think there are more of these.
Assignee | ||
Comment 8•7 years ago
|
||
Add support for asm.js global variables with the following types: Int8x16, Bool8x16, Int16x8, Bool16x8. We already have the needed code generation support, but tests were missing for these types, and so their types were omitted from some critical switches. MozReview-Commit-ID: B4r7VofjlYL
Assignee | ||
Updated•7 years ago
|
Attachment #8869616 -
Flags: review?(bbouvier)
Updated•7 years ago
|
Group: javascript-core-security
Comment hidden (mozreview-request) |
Assignee | ||
Updated•7 years ago
|
Attachment #8869616 -
Attachment is obsolete: true
Attachment #8869616 -
Flags: review?(bbouvier)
Comment 10•7 years ago
|
||
mozreview-review |
Comment on attachment 8869626 [details] Bug 1366096 - SIMD globals with 8x16 and 16x8 types. https://reviewboard.mozilla.org/r/141208/#review144864 Looks good, thank you for the patch! ::: js/src/wasm/AsmJS.cpp:7512 (Diff revision 1) > { > // Unsigned SIMD types are not allowed in function signatures. > - if (IsVectorObject<Int32x4>(v) || IsVectorObject<Float32x4>(v) || IsVectorObject<Bool32x4>(v)) > + if (IsVectorObject<Int32x4>(v) || IsVectorObject<Int16x8>(v) || IsVectorObject<Int8x16>(v) || > + IsVectorObject<Bool32x4>(v) || IsVectorObject<Bool16x8>(v) || > + IsVectorObject<Bool8x16>(v) || IsVectorObject<Float32x4>(v)) > return true; nit: needs {} now that the if is on several lines
Attachment #8869626 -
Flags: review?(bbouvier) → review+
Comment 11•7 years ago
|
||
Track 54- as the volume of the crash is low and there is no security implication from the crash.
Comment hidden (mozreview-request) |
Assignee | ||
Comment 14•7 years ago
|
||
mozreview-review |
Comment on attachment 8869626 [details] Bug 1366096 - SIMD globals with 8x16 and 16x8 types. https://reviewboard.mozilla.org/r/141208/#review145232 Added braces to multiline conditional.
Attachment #8869626 -
Flags: review+
Comment 15•7 years ago
|
||
Pushed by jolesen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/96d3b13f0835 SIMD globals with 8x16 and 16x8 types. r=bbouvier
Reporter | ||
Comment 16•7 years ago
|
||
I re-ran the Chakra tests, with this fix they all pass now. Yay!
Comment 17•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/96d3b13f0835
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Comment 18•7 years ago
|
||
I don't think we're hitting this crash in the wild at all. Should we just let this ride the trains or did you still want to nominate this for uplift?
Flags: needinfo?(jolesen)
Assignee | ||
Comment 19•7 years ago
|
||
I don't think we need to uplift this. Just let it ride the trains.
Flags: needinfo?(jolesen)
Updated•7 years ago
|
Comment 20•7 years ago
|
||
https://hg.mozilla.org/projects/cedar/rev/96d3b13f0835dfea221d54931a943f519a34bc77 Bug 1366096 - SIMD globals with 8x16 and 16x8 types. r=bbouvier
You need to log in
before you can comment on or make changes to this bug.
Description
•