Closed Bug 1713581 Opened 4 years ago Closed 4 years ago

Assertion failure: mir->type() == MIRType::Value, at jit/shared/Lowering-shared-inl.h:730 or Crash [@ js::jit::LIRGenerator::visitInstructionDispatch] with WebAssembly

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
91 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- unaffected
firefox89 --- unaffected
firefox90 + fixed
firefox91 + verified

People

(Reporter: decoder, Assigned: caroline)

References

(Regression)

Details

(5 keywords, Whiteboard: [bugmon:update,bisected,confirmed][sec-survey])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20210530-1514fcbf80a0 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=0):

// Helper from the fuzzer harness: compile a wasm text module and instantiate it.
function wasmEvalText(str, imports, options) {
    let binary = wasmTextToBinary(str);
    let m = new WebAssembly.Module(binary, options);
    return new WebAssembly.Instance(m, imports);
}
function testTableFill(tbl_type, val_type, obj) {
    // Exported function with an externref parameter and an empty body.
    let ins = wasmEvalText(`
      (module
        (func (export "fill0") (param $i i32) (param $r ${val_type}) (param $n i32))
      )
    `);
    // Called with no arguments: the externref parameter receives undefined,
    // which the JIT has to box (see visitWasmBoxValue in the backtrace).
    ins.exports.fill0();
    // Empty loop keeps the function warm so Ion compiles it via baseline OSR.
    for (let i53 = 0; i53 < 10; i53++) {}
}
testTableFill('externref', 'externref');

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555576f801a in js::jit::LIRGeneratorShared::useBox(js::jit::MDefinition*, js::jit::LUse::Policy, bool) ()
#1  0x00005555579e94a1 in js::jit::LIRGenerator::visitWasmBoxValue(js::jit::MWasmBoxValue*) ()
#2  0x0000555557a1a48c in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) ()
#3  0x0000555557a1ad6f in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) ()
#4  0x0000555557a1b1b5 in js::jit::LIRGenerator::generate() ()
#5  0x00005555578e9a8f in js::jit::GenerateLIR(js::jit::MIRGenerator*) ()
#6  0x00005555578eac68 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x00005555578ec4a8 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#8  0x00005555578ecd99 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#9  0x00005555578ed56a in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#10 0x00001a20fe20ba77 in ?? ()
#11 0x0000000000000000 in ?? ()
rax	0x555555710e29	93824994053673
rbx	0x7ffff60ee0d8	140737321558232
rcx	0x555558047558	93825037268312
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffff9d70	140737488330096
rsp	0x7fffffff9d40	140737488330048
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffff9e90	140737488330384
r13	0x7ffff60e16b0	140737321506480
r14	0x7ffff60e3838	140737321515064
r15	0x7fffffff9e90	140737488330384
rip	0x5555576f801a <js::jit::LIRGeneratorShared::useBox(js::jit::MDefinition*, js::jit::LUse::Policy, bool)+218>
=> 0x5555576f801a <_ZN2js3jit18LIRGeneratorShared6useBoxEPNS0_11MDefinitionENS0_4LUse6PolicyEb+218>:	movl   $0x2da,0x0
   0x5555576f8025 <_ZN2js3jit18LIRGeneratorShared6useBoxEPNS0_11MDefinitionENS0_4LUse6PolicyEb+229>:	callq  0x555556a86d7a <abort>

This is a known security-related JIT assertion, marking s-s.
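The reproduce/verify cycle that Bugmon runs on this bug (confirm the assertion on the regressing revision, confirm a clean exit on the fixed one) is easy to script locally. The harness below is an added example, not part of the report or of Mozilla's tooling: it runs a SpiderMonkey shell on the reporter's testcase with the exact flags quoted in comment 0 and classifies the outcome by the assertion text from the bug title. The shell path (JS_SHELL environment variable) and the outcome labels are assumptions of this example.

```python
#!/usr/bin/env python3
"""Reproduce/verify harness for the bug 1713581 testcase (added example).

The js shell location comes from the JS_SHELL environment variable; this is
an assumption of the example, not something the bug report specifies.
"""
import os
import re
import subprocess
import tempfile

# Flags exactly as quoted in comment 0 of the bug.
REPRO_FLAGS = [
    "--fuzzing-safe",
    "--cpu-count=2",
    "--ion-offthread-compile=off",
    "--baseline-eager",
    "--ion-warmup-threshold=0",
]

# Assertion text from the bug title (debug builds print it before crashing).
ASSERTION_RE = re.compile(r"Assertion failure: mir->type\(\) == MIRType::Value")

# The reporter's testcase, reproduced verbatim so the harness is self-contained.
TESTCASE = r"""
function wasmEvalText(str, imports, options) {
    let binary = wasmTextToBinary(str);
    let m = new WebAssembly.Module(binary, options);
    return new WebAssembly.Instance(m, imports);
}
function testTableFill(tbl_type, val_type, obj) {
  let ins = wasmEvalText(`
    (module
      (func (export "fill0") (param $i i32) (param $r ${val_type}) (param $n i32))
    )
  `);
  ins.exports.fill0();
  for (let i53 = 0; i53 < 10; i53++) {}
}
testTableFill('externref', 'externref');
"""


def classify(returncode, stderr):
    """Map one shell run to an outcome label.

    'reproduced': the assertion from the bug title was printed (debug build).
    'crashed':    the shell died on a signal without that assertion text
                  (what an opt build of an affected revision would do).
    'fixed':      clean exit, which is what a fixed revision produces.
    'error':      non-zero exit without a signal (e.g. a script error), so
                  the run says nothing about the bug.
    """
    if ASSERTION_RE.search(stderr):
        return "reproduced"
    # subprocess reports death-by-signal as a negative return code.
    if returncode < 0 or returncode >= 128:
        return "crashed"
    return "fixed" if returncode == 0 else "error"


def run_testcase(js_shell, timeout=60):
    """Run the testcase in the given shell and return (label, returncode, stderr)."""
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as f:
        f.write(TESTCASE)
        path = f.name
    try:
        proc = subprocess.run(
            [js_shell, *REPRO_FLAGS, path],
            capture_output=True, text=True, timeout=timeout,
        )
    finally:
        os.unlink(path)
    return classify(proc.returncode, proc.stderr), proc.returncode, proc.stderr


if __name__ == "__main__":
    shell = os.environ.get("JS_SHELL", "js")  # assumption: shell on PATH or via env
    label, rc, err = run_testcase(shell)
    print(f"{label} (exit {rc})")
    if err:
        print(err.strip().splitlines()[0])
```

Run it once against a build from the regressing pushlog range and once against a build containing the fix; the first should report "reproduced" (or "crashed" on an opt build) and the second "fixed". Classifying on the assertion text rather than on the exit status alone keeps a debug build's abort and an unrelated script error from being confused.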

Severity: -- → S2
Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210531115711-fafcc4a3b16a.
The bug appears to have been introduced in the following build range:

Start: c585c7b7daeb276918c8a0d958fda4fd1e382d4e (20210527232726)
End: cbebfcacd93414b39d78401f00e12ad1e5a1025d (20210527232828)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c585c7b7daeb276918c8a0d958fda4fd1e382d4e&tochange=cbebfcacd93414b39d78401f00e12ad1e5a1025d

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Flags: needinfo?(cullen.caroline)
Regressed by: 1699271
Has Regression Range: --- → yes
Flags: needinfo?(cullen.caroline) → needinfo?(ccullen)
Flags: needinfo?(ccullen)
Priority: -- → P1
Assignee: nobody → ccullen

Depends on D116499

Comment on attachment 9224490 [details]
Bug 1713581 - Fix WasmBoxValue type policy. r?iain!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Could fairly easily be used for an information leak, this could leak an address as a double.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: Beta
  • If not all supported branches, which bug introduced the flaw?: Bug 1699271
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: It applies cleanly to beta.
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely, has a fuzzing testcase attached.
Attachment #9224490 - Flags: sec-approval?
Keywords: sec-high
Flags: in-testsuite?

Comment on attachment 9224490 [details]
Bug 1713581 - Fix WasmBoxValue type policy. r?iain!

sec-approval+

Since we're barely into Beta and this doesn't affect Release, please go ahead and check in the testcase along with the patch. When you do that, set the in-testsuite flag to +.

a=dveditz for landing on beta

Attachment #9224490 - Flags: sec-approval?
Attachment #9224490 - Flags: sec-approval+
Attachment #9224490 - Flags: approval-mozilla-beta+
Attachment #9224553 - Flags: sec-approval+

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210604154219-963df76dc655.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(ccullen)
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][sec-survey]
Flags: needinfo?(ccullen)
Group: core-security-release
