Closed Bug 1643888 Opened 4 years ago Closed 4 years ago

Assertion failure: Missing guard allowed non-number to hit ensureDoubleRegister, at js/src/jit/MacroAssembler.cpp:1970

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 78+ fixed
firefox77 --- unaffected
firefox78 + verified
firefox79 + verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(5 keywords, Whiteboard: [bugmon:update,bisect])

Attachments

(3 files)

Testcase
204 bytes, text/plain
Details
Bug 1643888 - Support using AutoScratchFloatRegister with ensureDoubleRegister. r?anba!
47 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review
Bug 1643888 - Add a test. r?anba!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200605-dadc7312128e (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --disable-oom-functions --blinterp-warmup-threshold=1):

str = function(s) { try { return s.toString(); } catch(exc) {} }
str(undefined);
str(false);
function g() {
    for (let i = 0; i < 2; -i) {
        var y = this * this;
        str(y >>> y);
    }
}
g();

Backtrace:

received signal SIGTRAP, Trace/breakpoint trap.
0x5da30d7b in ?? ()
#0  0x5da30d7b in ?? ()
#1  0xf685e088 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0x7ff80000	2146959360
ebx	0x7ff80000	2146959360
ecx	0x0	0
edx	0x0	0
esi	0x0	0
edi	0xf6875840	-158902208
ebp	0xf6860040	4135977024
esp	0xffffa9e0	4294945248
eip	0x5da30d7b	1570966907
=> 0x5da30d7b:	cvttsd2si %xmm0,%eax
   0x5da30d7f:	cmp    $0x1,%eax

Filing as s-s because this is a JIT assertion. Note that this bug is 32-bit only.

Attached file Testcase 

    
    

    
  
I think this is a regression from bug 1641789. The code looks like this:


  AutoScratchFloatRegister floatReg(this);
  allocator.ensureDoubleRegister(masm, inputId, floatReg);



That's wrong when inputId is Value allocated on the stack, because AutoScratchFloatRegister can push a double on the stack without informing the CacheIR register allocator, resulting in the wrong offset being used.


This is too error-prone, maybe it's finally time to properly support FloatRegisters in CacheIR. I'll investigate.



          status-firefox77:
          --- → unaffected

          status-firefox78:
          --- → affected

          status-firefox-esr68:
          --- → unaffected

          tracking-firefox78:
          --- → ?

          tracking-firefox79:
          --- → ?
Flags: needinfo?(jdemooij)

    
  
Has Regression Range: --- → yes

    
    

    
  
(In reply to Jan de Mooij [:jandem] from comment #2)




This is too error-prone, maybe it's finally time to properly support FloatRegisters in CacheIR. I'll investigate.




I looked into this yesterday. It's doable and does make things nicer, but it also adds some complexity especially for Ion ICs. For now it's probably best to land a spot fix. Post-Warp we can simplify Ion ICs more and that will make it easier to do this properly.


I'll mark this sec-moderate because all code paths in ensureDoubleRegister that load from the stack will either hit the assumeUnreachable on non-number values (a crash even in release builds) or end up converting an int32 value to double.


Keywords: sec-moderate

    
  
Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

    
    

    
  


  
Depends on D78863


Severity: -- → S3
Priority: -- → P2

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2048e8b7abdd


Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago

          status-firefox79:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

    
    

    
  
Comment on attachment 9155215 [details]

Bug 1643888 - Support using AutoScratchFloatRegister with ensureDoubleRegister. r?anba!


Beta/Release Uplift Approval Request


    

  • User impact if declined: Crashes, potential security issues.
    • 

  • Is this code covered by automated tests?: Yes
    • 

  • Has the fix been verified in Nightly?: Yes
    • 

  • Needs manual test from QE?: No
    • 

  • If yes, steps to reproduce:
    • 

  • List of other uplifts needed: None
    • 

  • Risk to taking this patch: Low
    • 

  • Why is the change risky/not risky? (and alternatives if risky): Pretty local fix, fixes the reported test case.
    • 

  • String changes made/needed: None
    • 




        Attachment #9155215 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 9155215 [details]

Bug 1643888 - Support using AutoScratchFloatRegister with ensureDoubleRegister. r?anba!


approved for 78.0b6



        Attachment #9155215 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Flags: in-testsuite?
Status: RESOLVED → VERIFIED

          status-firefox78:
          fixedverified

          status-firefox79:
          fixedverified
Keywords: bugmon

    
    

    
  
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200611093454-10ad7868f3ca.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: