Closed Bug 1876137 Opened 1 year ago Closed 1 year ago

MOZ_ASSERT for some wasm shuffle

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
124 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- unaffected
firefox123 --- fixed
firefox124 --- fixed

People

(Reporter: yury, Assigned: yury)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files, 1 obsolete file)

test.js
230 bytes, application/x-javascript
Details
Bug 1876137 - Properly match zero-extend shuffle. r?jseward
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

Ryan ran into https://searchfox.org/mozilla-central/source/js/src/jit/ShuffleAnalysis.cpp#395 assert when loading PhotoShop in a debug build.

(const js::jit::SimdConstant::I8x16 &) lanes = <no value available>: {
  [0] = '\0'
  [1] = '\x02'
  [2] = '\x04'
  [3] = '\x06'
  [4] = '\b'
  [5] = '\n'
  [6] = '\f'
  [7] = '\x0e'
  [8] = '\x10'
  [9] = '\x12'
  [10] = '\x14'
  [11] = '\x16'
  [12] = '\x18'
  [13] = '\x1a'
  [14] = '\x1c'
  [15] = '\x1e'
}

Link to repro: https://photoshop.adobe.com/id/tmp:6zebda?learnid=7b050fa34872

Regressions: 1870148
Regressed by: 1870148
No longer regressions: 1870148
Attached file test.js
Keywords: regression
Severity: -- → S3
Priority: -- → P1
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1870148

status-firefox122: --- → unaffected
status-firefox123: --- → affected
status-firefox124: --- → affected
status-firefox-esr115: --- → unaffected
Group: core-security → javascript-core-security
Attachment #9376126 - Flags: approval-mozilla-beta?
Pushed by ydelendik@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9879c887ba03 Properly match zero-extend shuffle. r=jseward

https://hg.mozilla.org/mozilla-central/rev/9879c887ba03

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox124: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Attachment #9376126 - Attachment is obsolete: true
Attachment #9376126 - Flags: approval-mozilla-beta?

Comment on attachment 9376064 [details]
Bug 1876137 - Properly match zero-extend shuffle. r?jseward

Beta/Release Uplift Approval Request

  • User impact if declined: Incorrect behavior in some wasm programs or MOZ_CRASH().
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): isolated to specific functionality in wasm + ion
  • String changes made/needed:
  • Is Android affected?: Unknown
Attachment #9376064 - Flags: approval-mozilla-beta?

Yury, does this have any kind of security impact?

Flags: needinfo?(ydelendik)

(In reply to Christian Holler (:decoder) from comment #8)

Yury, does this have any kind of security impact?

Just as mentioned in user impact for beta uplift request: incorrect program results or explicit MOZ_CRASH().

Flags: needinfo?(ydelendik)
Group: core-security-release

Comment on attachment 9376064 [details]
Bug 1876137 - Properly match zero-extend shuffle. r?jseward

Approved for 123 beta 3, thanks.

Attachment #9376064 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: