Closed Bug 1667685 (CVE-2020-26952) Opened 4 years ago Closed 4 years ago

[warp] Assertion failure: !icScript_->hasInlinedChild(entry.pcOffset()), at jit/TrialInlining.cpp:358 with gc

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
All
defect

Tracking

RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- wontfix
firefox83 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Regression)

Details

(Keywords: regression, sec-high, testcase, Whiteboard: [sec-survey][post-critsmash-triage][adv-main83+])

Attachments

(2 files, 1 obsolete file)

Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
gc();
oomTest(Function.call.bind);

(gdb) bt
#0  js::jit::TrialInliner::maybeInlineCall (this=0x7fffffffab70, entry=..., loc=...)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:358
#1  0x0000555557dc18ca in js::jit::TrialInliner::tryInlining (this=0x7fffffffab70) at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:413
#2  0x0000555557dc15fb in js::jit::DoTrialInlining (cx=0x7ffff6927000, frame=0x7fffffffac40)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:62
#3  0x00003d28197eac35 in ?? ()
#4  0x0000000000002043 in ?? ()
#5  0x00007fffffffac00 in ?? ()
#6  0x0000555558d3da10 in js::jit::vmFunctions ()
#7  0x00003d2819860b11 in ?? ()
#8  0x0000000000007821 in ?? ()
#9  0x00007fffffffac40 in ?? ()
#10 0xfff9800000000000 in ?? ()
#11 0xfff9800000000000 in ?? ()
#12 0xfff9800000000000 in ?? ()
#13 0xfff9800000000000 in ?? ()
#14 0x0000007aba99d0b0 in ?? ()
#15 0x00007ffff63fa0a3 in ?? ()
#16 0x0000000000000000 in ?? ()
(gdb)

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cfb6ef22174c
user:        Jan de Mooij
date:        Wed Sep 16 11:15:38 2020 +0000
summary:     Bug 1664786 part 4 - Set initial warm-up threshold for trial-inlined scripts. r=iain

Run with --fuzzing-safe --baseline-warmup-threshold=0 --ion-warmup-threshold=0 --cpu-count=2 --fast-warmup --warp, compile with AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev cb8232ebe212.

I doubt this is s-s since oomTest is here, but gc is involved, so I'll let Jan/other devs make the decision.

Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

This one is probably sec-high: on OOM we can leave a bogus entry in the ICScript's inlinedChildren_ Vector. If later on we do a second trial-inlining and that succeeds, we could confuse the Warp bailout code.
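The failure mode described in the comment above, as an added illustration that is not SpiderMonkey code (ICScriptModel, ChildScript, inlineCallBuggy, inlineCallFixed and the gFailNextAlloc switch are hypothetical stand-ins for the real types and for the shell's oomTest): a table of trial-inlined callees updated in two steps where the second step can fail under OOM, beside the ordering that records nothing until every fallible step has succeeded. The check in simulate() models the assertion in the bug title, !icScript_->hasInlinedChild(entry.pcOffset()).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for a trial-inlined callee's script (not the real type).
struct ChildScript {
    uint32_t calleeId;
};

// Fallible allocation with a switch so the example can force one OOM, the way
// the shell's oomTest() does for real allocations (hypothetical helper).
static bool gFailNextAlloc = false;

static std::unique_ptr<ChildScript> allocChildScript(uint32_t calleeId) {
    if (gFailNextAlloc) {
        gFailNextAlloc = false;
        return nullptr;  // simulated OOM
    }
    return std::unique_ptr<ChildScript>(new ChildScript{calleeId});
}

// Minimal model of the per-script table the comment calls inlinedChildren_.
struct ICScriptModel {
    struct Entry {
        uint32_t pcOffset;
        std::unique_ptr<ChildScript> child;
    };
    std::vector<Entry> inlinedChildren;

    bool hasInlinedChild(uint32_t pcOffset) const {
        for (const Entry& e : inlinedChildren) {
            if (e.pcOffset == pcOffset) return true;
        }
        return false;
    }

    // Buggy ordering: the entry is recorded before the fallible allocation and
    // is not rolled back, so an OOM leaves an entry whose child is null.
    bool inlineCallBuggy(uint32_t pcOffset, uint32_t calleeId) {
        inlinedChildren.push_back(Entry{pcOffset, nullptr});
        std::unique_ptr<ChildScript> child = allocChildScript(calleeId);
        if (!child) return false;  // bogus entry stays behind
        inlinedChildren.back().child = std::move(child);
        return true;
    }

    // Fixed ordering: every fallible step runs first; the table is touched only
    // once there is a fully built child to record, so failure leaves no trace.
    bool inlineCallFixed(uint32_t pcOffset, uint32_t calleeId) {
        std::unique_ptr<ChildScript> child = allocChildScript(calleeId);
        if (!child) return false;  // nothing was recorded
        inlinedChildren.push_back(Entry{pcOffset, std::move(child)});
        return true;
    }
};

struct Result {
    bool staleEntryAfterOom;  // an entry with no child survived the OOM
    bool assertionWouldFire;  // hasInlinedChild() is true when retrying this pc
    size_t finalEntries;
};

// Plays the scenario from the report: one trial-inlining attempt that hits OOM,
// then a second attempt at the same call site (constructed pc offset 42).
static Result simulate(bool useBuggyOrdering) {
    ICScriptModel script;
    const uint32_t pc = 42;
    const uint32_t callee = 7;

    gFailNextAlloc = true;  // first attempt runs out of memory
    if (useBuggyOrdering) script.inlineCallBuggy(pc, callee);
    else                  script.inlineCallFixed(pc, callee);

    Result r{};
    for (const ICScriptModel::Entry& e : script.inlinedChildren) {
        if (!e.child) r.staleEntryAfterOom = true;
    }
    // The real code asserts !hasInlinedChild(pcOffset) before inlining again;
    // with a stale entry present that assertion fires instead of proceeding.
    r.assertionWouldFire = script.hasInlinedChild(pc);
    if (!r.assertionWouldFire) {
        if (useBuggyOrdering) script.inlineCallBuggy(pc, callee);
        else                  script.inlineCallFixed(pc, callee);
    }
    r.finalEntries = script.inlinedChildren.size();
    return r;
}

int main() {
    Result buggy = simulate(true);
    Result fixed = simulate(false);
    std::printf("buggy: stale=%d assert=%d entries=%zu\n",
                buggy.staleEntryAfterOom, buggy.assertionWouldFire, buggy.finalEntries);
    std::printf("fixed: stale=%d assert=%d entries=%zu\n",
                fixed.staleEntryAfterOom, fixed.assertionWouldFire, fixed.finalEntries);
    return 0;
}
```

The point of the fixed ordering is that a fallible update must either complete or leave the data structure exactly as it found it; in the buggy ordering the stale entry is invisible until a later, successful pass consults the table, which is why the assertion only shows up on the second trial-inlining attempt.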

Flags: needinfo?(jdemooij)
Keywords: sec-high
No longer regressed by: 1664786
Severity: -- → S3
Priority: -- → P1
Group: core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
Flags: sec-bounty? → sec-bounty+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jdemooij)
Whiteboard: [sec-survey]
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Flags: in-testsuite+
Regressed by: 1646378
Has Regression Range: --- → yes
Whiteboard: [sec-survey][post-critsmash-triage] → [sec-survey][post-critsmash-triage][adv-main83+]
Attached file advisory.txt
Attachment #9187094 - Attachment is obsolete: true
Alias: CVE-2020-26952
Group: core-security-release
Flags: needinfo?(jdemooij)