Closed Bug 1674979 Opened 4 years ago Closed 4 years ago

Assertion failure: ToSimdFloatRegister(rhs) != lhs && ToSimdFloatRegister(rhs) != tmp1 && ToSimdFloatRegister(rhs) != tmp2, at js/src/jit/x86-shared/MacroAssembler-x86-shared-SIMD.cpp:288

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1674641
Tracking Status
firefox84 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

The attached testcase crashes on mozilla-central revision 20201103-0ec69f07cdc9 (debug build, run with --no-threads --fuzzing-safe --baseline-warmup-threshold=0 --disable-oom-functions test.js).

Backtrace:

==31826==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564ca8c49515 bp 0x7ffce77ed8a0 sp 0x7ffce77ed850 T31826)
    #0 0x564ca8c49515 in js::jit::MacroAssemblerX86Shared::unsignedCompareInt8x16(js::jit::FloatRegister, js::jit::Operand, js::jit::AssemblerX86Shared::Condition, js::jit::FloatRegister, js::jit::FloatRegister, js::jit::FloatRegister) js/src/jit/x86-shared/MacroAssembler-x86-shared-SIMD.cpp:285:3
    #1 0x564ca8c30678 in js::jit::MacroAssembler::unsignedCompareInt8x16(js::jit::AssemblerX86Shared::Condition, js::jit::FloatRegister, js::jit::FloatRegister, js::jit::FloatRegister, js::jit::FloatRegister) js/src/jit/x86-shared/MacroAssembler-x86-shared-inl.h:1821:28
    #2 0x564ca8d73463 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:7328:9
    #3 0x564ca8dab2f1 in js::jit::CodeGenerator::generateWasm(js::wasm::FuncTypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) js/src/jit/CodeGenerator.cpp:11436:8
    #4 0x564ca913fa08 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmIonCompile.cpp:5459:20
    #5 0x564ca91032de in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:760:16
    #6 0x564ca9104e9b in locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:822:8
    #7 0x564ca9104e9b in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:960:24
    #8 0x564ca9056a5a in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:569:13
    #9 0x564ca9056438 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:592:8
    #10 0x564ca9154c46 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1631:25
    #11 0x564ca811b8c1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:507:13
    [...]

Marking s-s for now because this is a macro assembler assertion and I don't know if it has any security impact.

Attached file Testcase

Over-eager assertion.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security