Closed Bug 1743774 Opened 3 years ago Closed 3 years ago

Assertion failure: type() == MIRType::Int32, at jit/MIR.cpp:3159

Categories

(Core :: JavaScript: WebAssembly, defect)

Tracking

RESOLVED DUPLICATE of bug 1743715
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- unaffected
firefox95 --- unaffected
firefox96 --- affected

People

(Reporter: gkw, Assigned: gkw)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

new WebAssembly.Module(wasmTextToBinary(`
(module
 (global $global$0 (mut i32) (i32.const 1))
 (memory $0 0)
 (func $0
  (global.set $global$0
   (i32.const 1)
  )
  (loop $label$1
   (if
    (global.get $global$0)
    (br_if $label$1
     (i64.eqz
      (i64.xor
       (i64.const -1)
       (if (result i64)
        (i32.const 1)
        (i64.load
         (i32.const 1)
        )
        (i64.const 1)
       )
      )
     )
    )
   )
  )
 )
)
`))

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7d2f50ffa706
user:        Julian Seward
date:        Fri Nov 26 18:41:12 2021 +0000
summary:     Bug 1741392 - Remove redundant xor64 with all-ones input for wasm-via-Ion.  r=lth,nbp.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-bootstrap --disable-tests, tested on m-c rev 58d2fbdb6b4a.

Flags: sec-bounty?
Flags: needinfo?(jseward)

Bug 1743715 is a real world equivalent issue of this (without a testcase as per bug 1743715 comment 4).

Attached patch: possible fix (Splinter Review)
Assignee: nobody → nth10sd

Comment on attachment 9253185 [details] [diff] [review]
possible fix

Tested on m-c rev a36723a06c6e.

Possible cause analysis:

The code in MBitNot::foldsTo is specifically only for Int32. Now, bug 1741392 added support for allowing MBitNot to support Int64, so this assertion now fails. The fix should be to return early when it is Int64, similar to the way it is done in MBitNot::computeRange for that patch, and also prior to m-c rev 5b653e25e757, which was the rev that made MBitNot specific to Int32.

i.e. in https://hg.mozilla.org/mozilla-central/rev/5b653e25e757#l4.20 one can see that we return this if the type/specialization is not Int32.

Attachment #9253185 - Flags: feedback?(jseward)

Set release status flags based on info from the regressing bug 1741392

Group: core-security → javascript-core-security

Fix landed in the open as part of a previously reported (open) bug.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

This problem was initially reported (in bug 1743715) within the 4 day "regression grace" period so unfortunately this bug does not qualify for a bug bounty.

Flags: sec-bounty? → sec-bounty-
Has Regression Range: --- → yes
Keywords: regression
Flags: needinfo?(jseward)
Attachment #9253185 - Flags: feedback?(jseward)
Group: javascript-core-security