Closed Bug 1827059 Opened 2 years ago Closed 2 years ago

Assertion failure: input()->isRecoveredOnBailout() == mustBeRecovered_ (assertRecoveredOnBailout failed during compilation), at /root/SM/sm-latest/js/src/jit/Recover.cpp:1909

Categories: Core :: JavaScript Engine, defect

Status: RESOLVED WONTFIX

Reporter: 2020244068 (Unassigned)

References: Blocks 2 open bugs

Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0

Steps to reproduce:

  1. git clone --depth 1 https://github.com/mozilla/gecko-dev.git (commit is 008eb054013d699239993782a2835eb2115e21fc)
  2. build it
  3. path/to/js/.js test.js
    I attach the test.js below

Actual results:

Assertion failure: input()->isRecoveredOnBailout() == mustBeRecovered_ (assertRecoveredOnBailout failed during compilation), at /root/SM/sm-latest/js/src/jit/Recover.cpp:1909
Segmentation fault (core dumped)

Expected results:

successfully executed

Attachment #9327654 - Attachment mime type: text/x-csrc → text/plain

The attached jsshell testcase runs oomTest(Debugger.Script), so it might not be applicable to web content. For convenience the testcase is:

// |jit-test| skip-if: !('oomTest' in this)

gczeal(0);

var x1 = [];
var x2 = [];
var x3 = [];
var x4 = [];
(function() {
    var gns = Object.getOwnPropertyNames(this);
    for (var i = 0; i < 49; assertRecoveredOnBailout(startgc, true)) {
        var gn = gns[i];
        var g = this[gn];
        if (typeof g == "function") {
            var hns = Object.getOwnPropertyNames(gn);
            for (var j = 0; j < hns.length; ++j) {
                x1.push("");
                x1.push("");
                x2.push("");
                x2.push("");
                x3.push("");
                x3.push("");
                x4.push("");
                x4.push("");
            }
        }
    }
})();
try {
    __proto__ = function(){};
} catch (e) {
    "" + e;
}
startgc(9222);
Function("\
    (function() {})();\
    oomTest(Debugger.Script);\
")();

Group: core-security → javascript-core-security
Component: General → JavaScript Engine

assertRecoveredOnBailout is not a fuzzing-safe function; it is used to create this kind of assertion.
It checks that we are not regressing performance, when used with the proper arguments.

There is a command line argument to disable non-fuzzing-safe functions: --fuzzing-safe.

If there is a bug, it would be to improve the error message raised with this assertion to make it clear that this is not a security issue:
https://searchfox.org/mozilla-central/rev/2ce39261ea6a69e49d87f76a119494b2a7a7e42a/js/src/jit/Recover.cpp#1922

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Group: javascript-core-security