Closed Bug 1684085 Opened 5 years ago Closed 5 years ago

Incorrect truncation for Math.ceil(a/b) | 0

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- unaffected
firefox85 --- unaffected
firefox86 --- fixed

People

(Reporter: iain, Assigned: anba)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1684085: Add indirect truncate for Math.{ceil,floor,round} with int32 inputs. r=iain!
48 bytes, text/x-phabricator-request
Details | Review

Found this while trying to figure out how one of my bailout changesets was breaking the cgc build, only to realize that I was just changing the timing of GC invalidations and exposing a pre-existing bug introduced by bug 1679121. A much simpler version of the testcase (run with --fast-warmup --no-threads):

with ({}) {}

function ceil(a, b) {
    return Math.ceil(a / b) | 0;
}

for (var i = 0; i < 50; i++) {
    ceil(5,5);
}

print(ceil(5,3));

It's a bit of a mess where several individually valid optimizations interact badly.

In tryAttachMathCeil, we have a fast-path if we only see int32 inputs, which generates a GuardToInt32. When the loop triggers a warp compilation of ceil, the transpiler will see that the MDiv feeding into the GuardToInt32 has type int32, and elide it. Later on, though, RangeAnalysis will look at the uses of the MDiv to determine whether it is safe to truncate the results. Because the only consumer is an MBitOr, we decide it's safe to truncate. But this means we don't generate a guard to verify that the division has no remainder, and print 1 instead of the correct result, 2.

I'm conservatively marking this s-s. I think it's probably just a correctness issue, but we're unlikely to land a patch before the new year, so if it's exploitable somehow, there's no sense advertising the bug.

Set release status flags based on info from the regressing bug 1679121

status-firefox84: --- → unaffected
status-firefox85: --- → unaffected
status-firefox86: --- → affected
status-firefox-esr78: --- → unaffected

Use indirect truncations to fix the Warp equivalent of bug 1000605.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Group: javascript-core-security
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a511fb0c9fe1 Add indirect truncate for Math.{ceil,floor,round} with int32 inputs. r=iain
Backout by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/705fe2bb012c Backed out changeset a511fb0c9fe1 for SM build bustage at math-indirect-truncate.js. CLOSED TREE
Flags: needinfo?(andrebargull)
Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ae3cd38c893e Add indirect truncate for Math.{ceil,floor,round} with int32 inputs. r=iain

https://hg.mozilla.org/mozilla-central/rev/ae3cd38c893e

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox86: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: