Closed Bug 1767268 Opened 3 years ago Closed 2 years ago

dtoa error: cmp called with a->x[a->wds-1] == 0

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
103 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [bugmon:update,bisect][adv-main103-])

Attachments

(2 files)

The following testcase produces an error on mozilla-central revision 20220429-a3002a9b4204 (fuzzing-debug build, run with --fuzzing-safe --no-threads):

(a=W=>a(W**-W+W || 6+W ))` `

Error:

cmp called with a->x[a->wds-1] == 0

Apparently this triggers a really old Bug() statement in the dtoa code that does not even crash but just calls exit. I have no clue what this "assert" means, so I'm marking this s-s until investigated.

Attached file Testcase

NI myself to see if this changed upstream. I also want to see if we can use the double-conversion library more - last time I tried this there were some perf issues.

Flags: needinfo?(jdemooij)

Bugmon Analysis
Unable to reproduce bug 1767268 using build mozilla-central 20220429094842-a3002a9b4204. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(choller)

We don't know the regressor and can't bisect this right now.

Flags: needinfo?(choller)

Reduced test case:

var v = 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111113.504938994813925e-1211;

This happens under js_strtod_harder.
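As an added example that is not part of this bug report or of SpiderMonkey's code: an exact BigInt-based oracle for checking a string-to-double result on inputs of this shape (a very long digit string with an exponent near the underflow boundary), the kind of check a regression test can run on a build regardless of whether dtoa's debug-only Bug() fires. The names isNearestDouble and LONG_UNDERFLOW are assumptions, and LONG_UNDERFLOW is a constructed input that mirrors the reduced test case rather than a copy of it.

```javascript
// Exact oracle for string-to-double parsing, built on BigInt arithmetic.
// Given a decimal string s and a candidate result d (by default the engine's
// own Number(s)), it checks that d is a nearest double to the exact decimal
// value by comparing exact distances to d's two neighbouring doubles.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);

// Step one ULP up/down through the bit pattern (d finite, d >= 0).
function nextUp(d) { f64[0] = d; u64[0] += 1n; return f64[0]; }
function nextDown(d) { if (d === 0) return 0; f64[0] = d; u64[0] -= 1n; return f64[0]; }

// "123.45e-7" -> { M: 12345n, E: -9 }, meaning the exact value M * 10^E.
function parseDecimal(s) {
  const m = /^([0-9]*)(?:\.([0-9]*))?(?:[eE]([+-]?[0-9]+))?$/.exec(s);
  if (!m || !(m[1] || m[2])) throw new SyntaxError("not a decimal literal: " + s);
  const frac = m[2] || "";
  return { M: BigInt((m[1] + frac) || "0"), E: (m[3] ? parseInt(m[3], 10) : 0) - frac.length };
}

// d -> { m, e } with d = m * 2^e exactly (subnormals handled; Infinity maps to 2^1024).
function decompose(d) {
  f64[0] = d;
  const bits = u64[0];
  const exp = Number((bits >> 52n) & 0x7ffn);
  const frac = bits & ((1n << 52n) - 1n);
  return exp === 0 ? { m: frac, e: -1074 } : { m: frac | (1n << 52n), e: exp - 1075 };
}

const absBig = x => (x < 0n ? -x : x);

function isNearestDouble(s, d = Number(s)) {
  if (!Number.isFinite(d) || d < 0) throw new RangeError("finite, non-negative doubles only");
  const { M, E } = parseDecimal(s);
  const cands = [d, nextUp(d), nextDown(d)].map(decompose);
  // Put M*10^E and every m*2^e over the common denominator 10^P * 2^Q.
  const P = Math.max(0, -E);
  const Q = Math.max(0, ...cands.map(c => -c.e));
  const vNum = M * 10n ** BigInt(E + P) * (1n << BigInt(Q));
  const dist = c => absBig(vNum - c.m * (1n << BigInt(c.e + Q)) * 10n ** BigInt(P));
  const [dSelf, dUp, dDown] = cands.map(dist);
  return dSelf <= dUp && dSelf <= dDown; // an exact tie is accepted either way
}

// Constructed input shaped like the reduced test case: ~800 digits, exponent -1211.
// Its exact value is about 1.1e-412, far below the smallest subnormal, so the
// correctly rounded result is 0.
const LONG_UNDERFLOW = "1".repeat(799) + "3.504938994813925e-1211";
```

Passing a result produced elsewhere as the second argument lets the same oracle judge output from another build or engine, which is how a "returns bad output in release builds" question can be answered without a debug build.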

Python fixed a similar issue in https://bugs.python.org/issue7743 with a number of different code changes. The dtoa code has diverged so taking their changes isn't trivial...

I'm considering replacing the remaining uses of dtoa.c with the double-conversion library (bug 1691998). The dtoa code is often a bit faster in micro-benchmarks, I think part of that is because it doesn't support as many runtime options, but I also don't think string-to-double is super perf-critical.

I don't get a crash from either the original testcase or the comment 7 one (which looks completely unrelated?). Does this work in some environments? I do get a "too much recursion" error on the web console from decoder's testcase.

Ah, when you say "error" you mean "assertion"? I was not using a debug build.

So is this a security bug or is it just returning bad output for this case (in Release builds)?

(In reply to Daniel Veditz [:dveditz] from comment #10)

Ah, when you say "error" you mean "assertion"? I was not using a debug build.

"assertion" in the sense of debug-only printf + exit(1), yeah. That's why fuzzing didn't find this sooner as it doesn't look like a regular assertion/crash.

(In reply to Daniel Veditz [:dveditz] from comment #11)

So is this a security bug or is it just returning bad output for this case (in Release builds)?

I suspect it's not a real security bug, but this dtoa.c code is so obscure that it's hard to feel confident about this.

Depends on: 1691998
Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Keywords: sec-audit
Depends on: 1770158
No longer depends on: 1691998
Flags: needinfo?(jdemooij)

This should be fixed now with bug 1770158. We can let that ride the trains.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
Assignee: nobody → jdemooij
Group: javascript-core-security → core-security-release

:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jdemooij)

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #15)

:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?

It doesn't contain a bisection range. See also comment 6.

Flags: needinfo?(jdemooij) → needinfo?(mcastelluccio)

Sorry, regression from a recent change in the bot...

Flags: needinfo?(mcastelluccio)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+

I was able to reproduce this issue on Ubuntu 22.04 following the STR from Comment 0, on an affected fuzzing-debug build from 2022-05-30, before it was fixed by Bug 1770158.
Verified as fixed on Firefox 103.0a1 (20220531152954 - fuzzing debug build), on Ubuntu 22.04 and Windows 10 x64.

Status: RESOLVED → VERIFIED
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][adv-main103-]
Group: core-security-release