Closed Bug 1783149 Opened 2 years ago Closed 2 years ago

Assertion failure: IsResumableMIRType(op->type()) (Resume point cannot encode its operands), at jit/IonAnalysis.cpp:3383

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1783507
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 --- affected

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 20220804-23d50b5617de (debug build, run with --fuzzing-safe --no-threads --fast-warmup):

const v1 = new Int8Array();
do {
  const v5 = -3676459854 in v1;
} while (0 < 3);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557b0b53c in js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&, bool, bool) ()
#1  0x0000555557b05593 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#2  0x0000555557b0dfff in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#3  0x0000555557b0f318 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#4  0x0000555557b0fd6c in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#5  0x0000555557b1041a in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#6  0x00001bfef720c408 in ?? ()
[...]
#9  0x0000000000000000 in ?? ()
rax	0x55555578d41b	93824994563099
rbx	0x0	0
rcx	0x5555582a5790	93825039751056
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb460	140737488335968
rsp	0x7fffffffb400	140737488335872
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff5e624f8	140737318888696
r13	0x7ffff5e613c0	140737318884288
r14	0x2	2
r15	0x7ffff5e62540	140737318888768
rip	0x555557b0b53c <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&, bool, bool)+4460>
=> 0x555557b0b53c <_ZN2js3jit28AssertExtendedGraphCoherencyERNS0_8MIRGraphEbb+4460>:	movl   $0xd37,0x0
   0x555557b0b547 <_ZN2js3jit28AssertExtendedGraphCoherencyERNS0_8MIRGraphEbb+4471>:	callq  0x555556c28160 <abort>

S-s because this is a JIT assert.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220804154332-92717aa5366c.
The bug appears to have been introduced in the following build range:

Start: 8d77d940ff1b8a41c623cb838d25e37fa172d393 (20220802173613)
End: 4d6c12570af3a6214c97010213c150410db52cd0 (20220802175939)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8d77d940ff1b8a41c623cb838d25e37fa172d393&tochange=4d6c12570af3a6214c97010213c150410db52cd0

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

The problem here is that MCompare can have MIRType::IntPtr operands, but we don't know how to encode IntPtr operands for recover instructions.

In a release build, I think we end up in this code, which will try to treat it as a Value. We basically end up encoding nonsense; I don't know for sure that it's exploitable, but I can't rule it out.

The easy fix is to change MCompare::canRecoverOnBailout to return false if compareType() == Compare_UIntPtr. The harder fix is to encode IntPtr in recover instructions; I think this will require adding a new Mode in RValueAllocation, at least for 32-bit.

Recovering these instructions isn't particularly important, so for now I'm going to put up a patch with the easy fix, and we can consider doing the harder fix later.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
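The comment above describes an invariant (every operand a resume point records must have a MIR type the bailout snapshot can encode) and two ways to keep it: refuse to mark an IntPtr compare as recoverable, or teach the encoder a new mode. The block below is an added illustration written for this page, not SpiderMonkey source; every name in it (MirType, CompareType, canRecoverOnBailout, buildResumePoint, resumePointSlots) is a hypothetical stand-in chosen to mirror the comment, and the mapping from compare kind to operand type is an assumption of the model. It shows the "easy fix" as a gate in front of the encoder, and an encoder that fails closed on a non-resumable operand rather than falling through to a treat-it-as-a-Value path that would record meaningless bits.

```cpp
// Added model (not SpiderMonkey source) of the invariant behind the assertion in
// this bug: a resume point records the operands an instruction needs if it is
// re-materialised after a bailout, so every operand must have a MIR type the
// snapshot encoder can represent. All names here are hypothetical stand-ins.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

enum class MirType { Boolean, Int32, Double, Value, IntPtr };
enum class CompareType { Int32, Double, UIntPtr };

// Models IsResumableMIRType: in this model IntPtr is the one type with no
// snapshot encoding, matching the failing check in the report.
bool isResumableMirType(MirType t) { return t != MirType::IntPtr; }

// Operand type implied by a comparison kind (assumption for this model).
MirType operandTypeFor(CompareType ct) {
  switch (ct) {
    case CompareType::Int32:   return MirType::Int32;
    case CompareType::Double:  return MirType::Double;
    case CompareType::UIntPtr: return MirType::IntPtr;
  }
  return MirType::Value;
}

// The "easy fix" from the thread: a compare on IntPtr operands is never marked
// recoverable, so its operands never reach the encoder at all.
bool canRecoverOnBailout(CompareType ct) {
  if (ct == CompareType::UIntPtr) return false;
  return isResumableMirType(operandTypeFor(ct));
}

struct Operand { MirType type; uint64_t bits; };
struct EncodedSlot { MirType type; uint64_t payload; };

// Fail-closed encoder: a non-resumable operand aborts the whole resume point
// instead of falling through to a "treat it as a Value" path that would record
// meaningless bits (the release-build behaviour the comment worries about).
std::optional<std::vector<EncodedSlot>> buildResumePoint(const std::vector<Operand>& ops) {
  std::vector<EncodedSlot> out;
  out.reserve(ops.size());
  for (const Operand& op : ops) {
    if (!isResumableMirType(op.type)) return std::nullopt;
    out.push_back({op.type, op.bits});
  }
  return out;
}

// Number of encoded slots, or -1 if the resume point cannot be built.
int resumePointSlots(const std::vector<Operand>& ops) {
  auto rp = buildResumePoint(ops);
  return rp ? static_cast<int>(rp->size()) : -1;
}

int main() {
  std::printf("UIntPtr compare recoverable: %d\n", canRecoverOnBailout(CompareType::UIntPtr));
  std::printf("Int32 compare recoverable:   %d\n", canRecoverOnBailout(CompareType::Int32));
  std::printf("resume point with IntPtr operand: %d slots\n",
              resumePointSlots({{MirType::IntPtr, 42}, {MirType::Int32, 7}}));
  std::printf("resume point with Int32/Boolean:  %d slots\n",
              resumePointSlots({{MirType::Int32, 7}, {MirType::Boolean, 1}}));
  return 0;
}
```

The design point is that the two checks are independent layers: the recoverability gate keeps IntPtr compares out of recover instructions entirely, and the encoder still refuses any non-resumable operand it is handed, so a future instruction that forgets its own gate fails loudly in both debug and release builds instead of emitting a snapshot that is silently wrong.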

Setting regressed_by field after analyzing regression range found by bugmon.

Regressed by: 1062893

Set release status flags based on info from the regressing bug 1062893

Attachment #9288572 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: javascript-core-security