Closed Bug 1812001 Opened 2 years ago Closed 2 years ago

Assertion failure: IndicesAreValid(&obj->as<NativeObject>(), iterobj->getNativeIterator()), at js/src/vm/Iteration.cpp:1272

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
111 Branch
Tracking Flags:
Tracking Status
firefox111 --- fixed

People

(Reporter: lukas.bernhard, Assigned: iain)

References

(Blocks 2 open bugs)

Details

Attachments

(2 files)

Bug 1812001: Don't sort enumerated properties with valid indices r=jandem
48 bytes, text/x-phabricator-request
Details | Review
Bug 1812001: Fix iterator-indices jitoption r=jandem
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

The following sample crashes the js shell on commit cf3af6bb6657278880f8baf38435eeb8f2d5d86c in GetIteratorImpl<true> when invoked as: obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --fuzzing-safe --enable-iterator-indices --ion-warmup-threshold=100 --differential-testing crash.js
Not setting s-s because iterator-indices are disabled by default.

for (let v0 = 0; v0 < 100; v0++) {
    function F1() {
        this[-65537] = 0;
        this[-1869467081] = 0;
        for (const v6 in this) {
            this[v6];
        }
    }   
    const v8 = new F1();
}
Blocks: cfi, sm-runtime
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Blocks: l11d-js-fuzzing
No longer blocks: cfi
Flags: needinfo?(iireland)
See Also: → 1799025
Severity: -- → S4
Priority: -- → P2

Since Bug 1799025 part 10, this feature is now enabled by default.

It seems to me that there is a bug in the patch which made it disabled by default:
https://phabricator.services.mozilla.com/D165215

SET_DEFAULT(disableIteratorIndices, false);
Group: javascript-core-security
Severity: S4 → S3
Priority: P2 → P1

Good Catch Nicolas; apologies!

Oops, I'll fix that option.

The good news is that this only affects --differential-testing. When doing differential testing, we sort enumerated keys to avoid non-determinism caused by enumeration hooks on native objects (see bug 707017). The associated indices aren't sorted, so the two lists get out of sync. We still only access valid properties, but we do so in the wrong order / for the wrong keys.

Fortunately, because we don't support the indices optimization for objects with enumeration hooks, there's no overlap between the cases where we have indices and the cases where we need to sort. So we should be able to just skip sorting if indices are present, and it shouldn't impede fuzzing.

Group: javascript-core-security
Flags: needinfo?(iireland)

We sort to avoid complications with enumeration hooks, but if there are valid indices, then we know there aren't any enumeration hooks.

Assignee: nobody → iireland
Status: NEW → ASSIGNED

Making this more like other ion optimization flags.

Depends on D167733

Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2212baf78cf4 Don't sort enumerated properties with valid indices r=jandem https://hg.mozilla.org/integration/autoland/rev/c27d72cbf0a6 Fix iterator-indices jitoption r=jandem

https://hg.mozilla.org/mozilla-central/rev/2212baf78cf4
https://hg.mozilla.org/mozilla-central/rev/c27d72cbf0a6

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox111: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: