Closed
Bug 1769723
Opened 2 years ago
Closed 2 years ago
Differential Testing: Different output message involving --ion-eager
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
102 Branch
Branch | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox100 | --- | unaffected
firefox101 | --- | unaffected
firefox102 | --- | fixed
People
(Reporter: gkw, Assigned: anba)
References
(Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
function f(x) {
return (+(x || Math.abs(1)) ? 0 : x);
}
f();
f();
f();
f();
f();
f();
f();
f();
f();
f();
f();
print(f("\0"));
stdout: (also happens when you pass it in as a testcase)
$ ./js-dbg-64-linux-x86_64-1254448a9518 --fuzzing-safe --differential-testing --ion-offthread-compile=off --baseline-eager --no-ion
js> function f(x) {
return (+(x || Math.abs(1)) ? 0 : x);
}
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> print(f("\0"));
js>
$ ./js-dbg-64-linux-x86_64-1254448a9518 --fuzzing-safe --differential-testing --ion-offthread-compile=off --ion-eager
js> function f(x) {
return (+(x || Math.abs(1)) ? 0 : x);
}
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> print(f("\0"));
0
js>
Note that a "0" is printed after the print statement with --ion-eager.
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b3b4b19b2fec
user: André Bargull
date: Fri May 06 17:24:14 2022 +0000
summary: Bug 1767966 - Part 6: Handle boxed values in single-test blocks. r=jandem
Compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-bootstrap --disable-tests, tested on m-c rev 1254448a9518.
Setting s-s to be safe as a start. Andre, is bug 1767966 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(andrebargull)
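To make clear what the correct answer for the testcase is (and why the baseline run appears to print nothing), here is an added example that is not part of the bug report or of SpiderMonkey: it spells out the reference semantics step by step, renders the result so that a null byte is visible, and runs the same warm-up-then-compare check a differential fuzzer uses, flagging any input whose result after warm-up differs from the reference evaluation. The names fRef, showValue and checkAfterWarmup are assumptions made for this example.

```javascript
// The fuzzer's testcase, unchanged.
function f(x) {
  return (+(x || Math.abs(1)) ? 0 : x);
}

// Reference semantics, one step per line, so the expected value is obvious.
// (hypothetical helper written for this example)
function fRef(x) {
  const picked = x || Math.abs(1);  // "\0" is a non-empty string, hence truthy: picked === "\0"
  const n = +picked;                // +"\0" is NaN, because "\0" is not a numeric string
  return n ? 0 : x;                 // NaN is falsy, so the original x is returned, not 0
}

// print("\0") emits a single NUL byte, which most terminals show as nothing at
// all. Rendering through JSON.stringify makes such values visible in a log.
// (hypothetical helper written for this example)
function showValue(v) {
  return v === undefined ? "undefined" : JSON.stringify(v);
}

// Differential-style check: warm the function up with a few calls (the
// testcase uses eleven plain f() calls before the interesting call), then
// compare each input's result with the reference. Returns the mismatches;
// an empty array means the warmed-up code agreed with the reference.
// (hypothetical helper written for this example)
function checkAfterWarmup(fn, ref, inputs, warmupCalls = 11) {
  for (let i = 0; i < warmupCalls; i++) fn();
  const mismatches = [];
  for (const x of inputs) {
    const got = fn(x);
    const want = ref(x);
    // Object.is distinguishes NaN from NaN correctly and 0 from -0.
    if (!Object.is(got, want)) {
      mismatches.push({ input: showValue(x), got: showValue(got), want: showValue(want) });
    }
  }
  return mismatches;
}

// Constructed sample inputs covering the falsy/truthy and numeric/non-numeric cases.
const SAMPLE_INPUTS = [undefined, "", 0, "0", "\0", "abc", 2];

const results = checkAfterWarmup(f, fRef, SAMPLE_INPUTS);
console.log("expected for \"\\0\":", showValue(fRef("\0")));  // "\u0000", i.e. the string, not 0
console.log("mismatches:", results.length === 0 ? "none" : JSON.stringify(results));
```

In an engine that honours the semantics, fRef("\0") and f("\0") both yield the string "\0" and the mismatch list is empty; the regression described above is exactly the case where the warmed-up f("\0") comes back as 0 instead, which this check would report with the input and both values rendered visibly.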
Comment 1•2 years ago
Set release status flags based on info from the regressing bug 1767966
status-firefox100:
--- → unaffected
status-firefox101:
--- → unaffected
status-firefox-esr91:
--- → unaffected
Comment 2•2 years ago
Backed out changeset b3b4b19b2fec
Updated•2 years ago
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Updated•2 years ago
Group: core-security → javascript-core-security
Updated•2 years ago
Flags: needinfo?(andrebargull)
Comment 3•2 years ago
From D146954
(Removing the MUnbox instruction doesn't lead to type confusion attacks, because BlockIsSingleTest verified that the MUnbox was only used for a MTest instruction.)
Does that mean this is not a vulnerability?
Flags: needinfo?(andrebargull)
Comment 4•2 years ago
This is a correctness bug, but not a security bug.
Group: javascript-core-security
Flags: needinfo?(andrebargull)
Updated•2 years ago
Keywords: regression
Pushed by ncsoregi@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/ed94d4236236 Don't remove unbox instructions when folding tests. r=jandem
Comment 7•2 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
Updated•2 years ago
Flags: sec-bounty? → sec-bounty-