Closed Bug 1750496 Opened 2 years ago Closed 2 years ago

Differential testing: MStringSplit incorrect conguent_to

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
98 Branch
Tracking Flags:
Tracking Status
firefox98 --- fixed

People

(Reporter: lukas.bernhard, Assigned: caroline)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Bug 1750496 - Remove congruent_to for MStringSplit. r?iain!
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

On git commit afbff3f3ae087181d9988fe19e09cc15927fb7ff I encountered a miscomputation during differential fuzzing.
The issue seems to be an incorrect computation of congruent_to for the instruction MStringSplit.
The MIR instruction returns an array object; MIROps.yaml defines congruent_to = if_operands_equal.
Having two subsequent split instructions such as generated by:

const v28 = "aa".split('');
const v35 = "aa".split('');

causes GVN to replace usages of v35 with the very object in v28.
Hence the two objects behave as one; modifications to v28 also modify v35 (as it is the same object).
Marking s-s just as a precaution, may be a correctness-only problem.

obj-x86_64-pc-linux-gnu/dist/bin/js --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing --ion-warmup-threshold=100 --baseline-warmup-threshold=10 --small-function-length=4096 --inlining-entry-threshold=4 --trial-inlining-warmup-threshold=64 sample.js

function main() {
  for (let v1 = 0; v1 < 125; v1++) {
      const v28 = "aa".split('');
      v28[0] = 1;
      const v35 = "aa".split('');
      print(v35[0]);  // should be a, becomes 1 as v35 is replaced with v28
      print(Object.is(v35, v28)); // should be false, becomes true
  }
}
main();
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Group: core-security → javascript-core-security

Iain, Caroline, any idea from where this issue comes from?

Flags: needinfo?(iireland)
Flags: needinfo?(ccullen)
Blocks: sm-jits, sm-security
Severity: -- → S3
Priority: -- → P2

Looks as if when I was transcribing the ops to yaml, I accidentally added congruent_to for MStringSplit. I will fix that, thanks!

Flags: needinfo?(ccullen)

Oh, good catch.

I don't think this is s-s. We end up in the same state as if the code were const v35 = v28. It's an invalid transformation, but it's internally consistent, so there's no opportunity for (eg) type confusion.

Flags: needinfo?(iireland)
Group: javascript-core-security
Assignee: nobody → ccullen
Pushed by ccullen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ffac60c64852
Remove congruent_to for MStringSplit. r=iain

https://hg.mozilla.org/mozilla-central/rev/ffac60c64852

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox98: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
No longer blocks: sm-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: