Closed Bug 1769723 Opened 3 years ago Closed 3 years ago

Differential Testing: Different output message involving --ion-eager

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
102 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- unaffected
firefox101 --- unaffected
firefox102 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

function f(x) {
    return (+(x || Math.abs(1)) ? 0 : x);
}
f();
f();
f();
f();
f();
f();
f();
f();
f();
f();
f();
print(f("\0"));

stdout: (also happens when you pass it in as a testcase)

$ ./js-dbg-64-linux-x86_64-1254448a9518 --fuzzing-safe --differential-testing --ion-offthread-compile=off --baseline-eager --no-ion
js> function f(x) {
    return (+(x || Math.abs(1)) ? 0 : x);
}
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> print(f("\0"));

js> 


$ ./js-dbg-64-linux-x86_64-1254448a9518 --fuzzing-safe --differential-testing --ion-offthread-compile=off --ion-eager
js> function f(x) {
    return (+(x || Math.abs(1)) ? 0 : x);
}
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> f();
0
js> print(f("\0"));
0
js> 

Note that a "0" is printed after the print statement with --ion-eager.

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b3b4b19b2fec
user:        André Bargull
date:        Fri May 06 17:24:14 2022 +0000
summary:     Bug 1767966 - Part 6: Handle boxed values in single-test blocks. r=jandem

Compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-bootstrap --disable-tests, tested on m-c rev 1254448a9518.

Setting s-s to be safe as a start. Andre, is bug 1767966 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(andrebargull)
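The expected semantics of the testcase above, written out step by step as an added example (not part of the bug report). It keeps the reporter's `f()` unchanged, evaluates the same expression with every coercion explicit, and compares the two over a constructed set of inputs after the same eleven warm-up calls; the inputs `"\0"`, `"abc"` and `{}` are the ones where ToBoolean(x) and ToBoolean(ToNumber(x)) disagree, which is the path the --ion-eager run got wrong.

```javascript
// Testcase from the bug, unchanged: the reporter's f().
function f(x) {
  return (+(x || Math.abs(1)) ? 0 : x);
}

// Reference evaluation of the same expression with every coercion explicit.
function fReference(x) {
  // `x || Math.abs(1)`: keep x when ToBoolean(x) is true, otherwise 1.
  const picked = Boolean(x) ? x : 1;
  // Unary plus applies ToNumber; "\0" is not numeric, so it becomes NaN.
  const num = Number(picked);
  // The conditional tests ToBoolean(num); NaN (and 0) are falsy.
  return Boolean(num) ? 0 : x;
}

// Constructed inputs: for "\0", "abc" and {} ToBoolean(x) is true but
// ToBoolean(ToNumber(x)) is false, so the correct result is x itself,
// not 0 (the value the --ion-eager run printed for "\0").
const INPUTS = [undefined, 0, "", "0", "1", "\0", "abc", NaN, [], {}];

// Warm up f() the way the testcase does (eleven calls), then compare the
// engine's result with the reference for each input.
function findMismatches() {
  for (let i = 0; i < 11; i++) f();
  const mismatches = [];
  for (const x of INPUTS) {
    const got = f(x);
    const want = fReference(x);
    if (!Object.is(got, want)) mismatches.push({ input: x, got, want });
  }
  return mismatches;
}

// On a correct engine nothing diverges; a non-empty list is the kind of
// signal a differential fuzzer reports.
console.log(findMismatches());
```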

Set release status flags based on info from the regressing bug 1767966

Backed out changeset b3b4b19b2fec

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Group: core-security → javascript-core-security
Flags: needinfo?(andrebargull)

From D146954

(Removing the MUnbox instruction doesn't lead to type confusion attacks, because BlockIsSingleTest verified that the MUnbox was only used for a MTest instruction.)

Does that mean this is not a vulnerability?

Flags: needinfo?(andrebargull)

This is a correctness bug, but not a security bug.

Group: javascript-core-security
Flags: needinfo?(andrebargull)
Pushed by ncsoregi@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/ed94d4236236 Don't remove unbox instructions when folding tests. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
Flags: sec-bounty? → sec-bounty-
