Closed Bug 1875650 Opened 9 months ago Closed 9 months ago

Assertion failure: !obj->nonCCWRealm()->realmFuses.optimizeGetIteratorFuse.intact(), at jit/CacheIR.cpp:13809

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- unaffected
firefox123 --- wontfix
firefox124 --- fixed

People

(Reporter: gkw, Assigned: mgaudet)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files, 2 obsolete files)

Attached file debug stack
for (let i = 0; i < 10; i++) {
  (function () {})();
}
oomAtAllocation(5);
let [] = (function () {
  return [];
})();
Assertion failure: !obj->nonCCWRealm()->realmFuses.optimizeGetIteratorFuse.intact(), at /home/skygentoo/trees/mozilla-central/js/src/jit/CacheIR.cpp:13809
#01: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-5471899cc9d0/js-dbg-64-linux-x86_64-5471899cc9d0 +0x2a2faae]
#02: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-5471899cc9d0/js-dbg-64-linux-x86_64-5471899cc9d0 +0x2a2f5be]
#03: ???[/home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-5471899cc9d0/js-dbg-64-linux-x86_64-5471899cc9d0 +0x27ed332]
#04: ??? (???:???)
Segmentation fault
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1cc5c9da21b9
user:        Matthew Gaudet
date:        Wed Jan 10 20:37:04 2024 +0000
summary:     Bug 1871597 - Update assertions around OptimizedGetIterator fuse status r=iain

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 5471899cc9d0.

Matt, is bug 1871597 a likely regressor? Setting s-s just in case.

Flags: sec-bounty?
Flags: needinfo?(mgaudet)
Group: core-security → javascript-core-security

Yes; yet again the assertion is too tight. This time, in the presence of OOM we lose the ability to correctly assert fuse state here; GlobalObject::getOrCreateArrayIteratorPrototype fails due to OOM, which means that we cannot say the fuse is no longer intact.

This is not S-S.

Much to my chagrin, I suspect I will simply remove this assert, but I'll see how gross it would be to expose the OOM information so perhaps that assert could be MOZ_ASSERT_IF(!oom, fuseIntact).

Flags: needinfo?(mgaudet)
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Group: javascript-core-security
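The failure mode described in the comment above (an assertion on fuse state that is only guaranteed when an allocation succeeds) and the two repair shapes mentioned (a `MOZ_ASSERT_IF(!oom, ...)`-style conditional assertion, and marking the allocation OOM-unsafe so failure is fatal rather than recoverable) can be modelled in a few dozen lines. The following is an added toy illustration, not SpiderMonkey code: `Fuse`, `Realm`, `Prototype`, `getOrCreatePrototype` and the `simulateOom` flag are hypothetical stand-ins, and the assumption that creating the prototype is the step that pops the fuse, as well as the assumption that "OOM-unsafe" means abort on allocation failure, are this model's, not the engine's.

```cpp
// Added illustration (not SpiderMonkey code): a toy model of a realm "fuse"
// whose post-condition only holds when the allocation that pops it succeeds.
// All names here are hypothetical stand-ins for the engine's own types.
#include <cstdio>
#include <cstdlib>
#include <memory>

struct Fuse {
  bool intact_ = true;
  bool intact() const { return intact_; }
  void pop() { intact_ = false; }  // a popped fuse never becomes intact again
};

struct Prototype { int dummy = 0; };

struct Realm {
  Fuse optimizeGetIteratorFuse;
  std::unique_ptr<Prototype> arrayIteratorProto;
};

// Model assumption: creating the prototype is the step that pops the fuse.
// Under simulated OOM the allocation fails, nullptr is returned and the fuse
// is left untouched, so nothing entitles a caller to assert it was popped.
Prototype* getOrCreatePrototype(Realm& realm, bool simulateOom) {
  if (realm.arrayIteratorProto) return realm.arrayIteratorProto.get();
  if (simulateOom) return nullptr;  // recoverable OOM: no side effects at all
  realm.arrayIteratorProto = std::make_unique<Prototype>();
  realm.optimizeGetIteratorFuse.pop();
  return realm.arrayIteratorProto.get();
}

// The unsound check: evaluates the predicate the original assertion would
// evaluate, regardless of whether the allocation that pops the fuse happened.
bool unsoundInvariantHolds(bool simulateOom) {
  Realm realm;
  getOrCreatePrototype(realm, simulateOom);
  return !realm.optimizeGetIteratorFuse.intact();
}

// Repair shape 1: make the assertion conditional on the allocation having
// succeeded, i.e. the MOZ_ASSERT_IF(!oom, !fuse.intact()) idea.
bool conditionalInvariantHolds(bool simulateOom) {
  Realm realm;
  bool oom = getOrCreatePrototype(realm, simulateOom) == nullptr;
  return oom || !realm.optimizeGetIteratorFuse.intact();
}

// Repair shape 2: treat the allocation as OOM-unsafe (modelled here as a
// fatal abort on failure). Callers never observe a half-initialised realm,
// so the post-condition can be asserted unconditionally afterwards.
Prototype* getOrCreatePrototypeOomUnsafe(Realm& realm, bool simulateOom) {
  Prototype* proto = getOrCreatePrototype(realm, simulateOom);
  if (!proto) {
    std::fprintf(stderr, "fatal: out of memory creating prototype\n");
    std::abort();
  }
  return proto;
}

bool oomUnsafeInvariantHolds() {
  Realm realm;
  getOrCreatePrototypeOomUnsafe(realm, /*simulateOom=*/false);
  return !realm.optimizeGetIteratorFuse.intact();  // true whenever we get here
}

int main() {
  std::printf("unsound check, no OOM: %d\n", unsoundInvariantHolds(false));
  std::printf("unsound check, OOM:    %d\n", unsoundInvariantHolds(true));
  std::printf("conditional, OOM:      %d\n", conditionalInvariantHolds(true));
  std::printf("OOM-unsafe path:       %d\n", oomUnsafeInvariantHolds());
  return 0;
}
```

Running the model shows the unsound predicate evaluating to false exactly in the simulated-OOM case, which is the situation the fuzzer's `oomAtAllocation(5)` testcase reaches; the conditional assertion tolerates that case, and the OOM-unsafe variant removes it entirely by refusing to continue after a failed allocation.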

(Trying to chase the OOM, it's gross, so just taking the assertions out)

Attachment #9375814 - Attachment description: Bug 1875650 - Remove fuse assertions which are unsound in the presence of OOM r?iain → Bug 1875650 - Mark allocation of prototype object as OOMUnsafe r?iain
Blocks: sm-runtime
Severity: -- → S3
Priority: -- → P2
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/264843534b49 Mark allocation of prototype object as OOMUnsafe r=iain
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

The patch landed in nightly and beta is affected.
:mgaudet, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(mgaudet)

This should have no impact on users and so isn't worth uplifting.

Flags: needinfo?(mgaudet)

Comment on attachment 9376503 [details]
Bug 1875650 - Add jit option for emulatesUndefinedFuse r?jandem

Revision D199654 was moved to bug 1866158. Setting attachment 9376503 [details] to obsolete.

Attachment #9376503 - Attachment is obsolete: true

Comment on attachment 9376504 [details]
Bug 1875650 - Add a pref for emulates undefined fuse r?jandem

Revision D199655 was moved to bug 1866158. Setting attachment 9376504 [details] to obsolete.

Attachment #9376504 - Attachment is obsolete: true
a11y-review: --- → requested
a11y-review: requested → ---
Flags: sec-bounty? → sec-bounty-