Closed Bug 1769209 Opened 3 years ago Closed 3 years ago

Differential output with --ion-eager

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1769723
Tracking Status
firefox102 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(1 file)

The following testcase produces different outputs on mozilla-central revision 20220512-2f240882d907 (debug build):

// Fuzzer-generated reproducer: evaluate f over every ordered pair of inputs
// and print the 36 results as one comma-separated line.
function testMathyFunction(f, inputs) {
  var results = [];
  for (var j = 0; j < inputs.length; ++j)
    for (var k = 0; k < inputs.length; ++k)
      results.push(f(inputs[j], inputs[k]));
  print(results);
}
// Math.fround() and Math.log() are called without an argument on purpose;
// both yield NaN.
mathy5 = (
  function(x, y) {
    return (+(x || Math.fround()) ? (+y) : (+Math.log()))
  }
);
testMathyFunction(mathy5, [0, -0, '', '\0', [], undefined])

Run with --fuzzing-safe --differential-testing --ion-offthread-compile=off --ion-eager:

NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,0,0,0,NaN,0,NaN,0,0,0,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN

Run with --fuzzing-safe --differential-testing --ion-offthread-compile=off:

NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN

JIT bug, marking s-s until investigated.

Attached file Testcase

This sounds like a type policy issue on Fround, which changes the way we evaluate the condition.
But this might not be the only issue as I would expect to see the patterns of 0 and NaN to be repeated. So there is possibly an issue with +y as well.

Blocks: sm-opt-jits
Severity: -- → S2
Flags: needinfo?(iireland)
Priority: -- → P2
Severity: S2 → S3
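Worked example, added here and not part of the bug report or of the SpiderMonkey tree: it writes out the implicit conversions that mathy5 performs, checks that the all-NaN line from the run without --ion-eager is what those semantics give, and maps each cell of the --ion-eager line back to the (x, y) pair that produced it, which makes the "0 and NaN pattern" discussed in the previous comment visible. The two output lines are copied from comment 0; mathy5Reference, runMatrix, formatLikeShell, diffOutputs and the LABELS table are names and values I chose for the example.

```javascript
// Added example (not from the bug): map differential-testing output back to
// the input pairs that diverge, and derive the expected matrix independently.

// Same inputs as the testcase, plus labels for readable reports.
const INPUTS = [0, -0, '', '\0', [], undefined];
const LABELS = ['0', '-0', "''", "'\\0'", '[]', 'undefined'];

// Verbatim copies of the two printed lines from comment 0.
const ION_EAGER_LINE =
  'NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,' +
  '0,0,0,NaN,0,NaN,0,0,0,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN,NaN';
const BASELINE_LINE = Array(36).fill('NaN').join(',');

// The testcase function exactly as posted in the bug.
const mathy5 = function (x, y) {
  return (+(x || Math.fround()) ? (+y) : (+Math.log()));
};

// mathy5 with every implicit conversion spelled out:
//   x || Math.fround()      -> ToBoolean(x) picks x, else Math.fround(undefined) === NaN
//   +(...)                  -> ToNumber of that value; this is the branch condition
//   cond ? +y : Math.log()  -> ToNumber(y), or Math.log(undefined) === NaN
function mathy5Reference(x, y) {
  const lhs = x ? x : Math.fround();
  const cond = Number(lhs);
  return cond ? Number(y) : Math.log();
}

// Evaluate f over every ordered pair, in the same order as testMathyFunction.
function runMatrix(f, inputs) {
  const results = [];
  for (const x of inputs) for (const y of inputs) results.push(f(x, y));
  return results;
}

// String(array) joins with ',' and renders NaN as "NaN" and -0 as "0", which is
// the format the shell's print(results) produced in the bug.
function formatLikeShell(results) {
  return String(results);
}

// Two printed cells agree if they are the same number or both NaN.
function cellsAgree(a, b) {
  return a === b || (Number.isNaN(a) && Number.isNaN(b));
}

// Compare two printed result lines; report each divergent cell as the input
// pair that produced it (row index = x, column index = y).
function diffOutputs(lineA, lineB, inputs = INPUTS, labels = LABELS) {
  const a = lineA.split(',').map(Number);
  const b = lineB.split(',').map(Number);
  const n = inputs.length;
  if (a.length !== n * n || b.length !== n * n) {
    throw new Error(`expected ${n * n} cells, got ${a.length} and ${b.length}`);
  }
  const mismatches = [];
  for (let i = 0; i < a.length; i++) {
    if (!cellsAgree(a[i], b[i])) {
      mismatches.push({ index: i, x: labels[Math.floor(i / n)], y: labels[i % n], a: a[i], b: b[i] });
    }
  }
  return mismatches;
}

// Report: does this engine agree with the reference, and where does the
// --ion-eager line from the bug differ from the baseline line?
function report() {
  const lines = [];
  const here = formatLikeShell(runMatrix(mathy5, INPUTS));
  lines.push(`this engine matches reference: ${here === formatLikeShell(runMatrix(mathy5Reference, INPUTS))}`);
  lines.push(`this engine matches baseline line: ${here === BASELINE_LINE}`);
  for (const m of diffOutputs(ION_EAGER_LINE, BASELINE_LINE)) {
    lines.push(`cell ${m.index}: x=${m.x} y=${m.y} ion-eager=${m.a} baseline=${m.b}`);
  }
  return lines.join('\n');
}

console.log(report());
```

Run under a correct engine the reference and the posted function both produce the all-NaN line. The divergent cells of the --ion-eager line fall into two groups: x = '\0' with y in 0, -0, '' and [] (the condition is treated as truthy and +y is returned), and x = [] with y in 0, -0 and '' only, so the y = [] cell is missing from the second group, which is the non-repeating pattern the previous comment points at.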

Bugmon Analysis
Unable to reproduce bug 1769209 using build mozilla-central 20220512094957-2f240882d907. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Nicolas: is lowering the severity to S3 an indicator that you don't think this is exploitable?

Flags: needinfo?(nicolas.b.pierron)

This is a duplicate of bug 1769723.

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(iireland)
Regressed by: 1767966
Resolution: --- → DUPLICATE

(In reply to Daniel Veditz [:dveditz] from comment #4)
> Nicolas: is lowering the severity to S3 an indicator that you don't think this is exploitable?

I reduced it to S3, as we have a toggle to disable Ion. Then whether this is a satisfactory work-around is debatable.

Has Regression Range: --- → yes