Closed Bug 1884708 Opened 2 years ago Closed 2 years ago

Scale::Invalid gets baked into MWasmStoreElementKA

Categories

(Core :: JavaScript: WebAssembly, defect)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jseward, Assigned: bvisness)

Details

Attachments

(1 file)

assert_valid_scale.diff as referred to in comment 0
3.93 KB, application/octet-stream
Details

BUILD: current m-c, x86_64-linux, configure

CC="ccache clang" CXX="ccache clang++" ../src/configure --enable-debug --enable-optimize="-g -O0" --disable-tests --disable-shared-js --disable-sysroot

Test case is bug1882772_poc6.js

RUN:

IONFLAGS=dump-mir-expr ./dist/bin/js --no-threads --no-ion --wasm-compiler=ion /nfs/compx/bug1882772_poc6.js

Fails when printing the MIR at entry to OptimizeMIR, thusly:

Block35:
232 = Int32.phi 227 235
233 = None.wasmstoreelementkaHit MOZ_CRASH(Unknown Scale) at /nfs/compx/MC_SCALE/js/src/jit/shared/Assembler-shared.h:122

RUN (MORE):

Apply attached patch "assert_valid_scale.diff"

Build; rerun:

./dist/bin/js --no-threads --no-ion --wasm-compiler=ion /nfs/compx/bug1882772_poc6.js

Assertion failure: IsValidScale(scale), at /nfs/compx/MC_SCALE/js/src/jit/MIR.h:11707

This is writeGcValueAtBasePlusScaledIndex calling
MWasmStoreElementKA::MWasmStoreElementKA.

Group: core-security

This is not a bug. We deliberately pass Scale::Invalid to MWasmStoreElementKA when storing v128 values. Since there is no Scale::TimesSixteen in hardware, v128 scales must be computed manually; this is already handled correctly in CodeGenerator.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: