Closed Bug 1885781 Opened 8 months ago Closed 8 months ago

Assertion failure: length == str.length implies begin == 0, at jit/VMFunctions.cpp:2978

Categories

(Core :: JavaScript Engine: JIT, defect, P1)


RESOLVED DUPLICATE of bug 1885828

People

(Reporter: lukas.bernhard, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-jit, reporter-external, sec-high)

Attachments

(3 files)

Steps to reproduce:

On git commit 6d5114b3ba4e5c3414a19419ca1d0170ca149b13 I encountered a flaky crash in the js shell. Unfortunately, reproducing seems to require the reprl fuzzing interface. Furthermore, the crash is flaky.
I attached my mozconfig, a (minor) diff to SpiderMonkey, and the Python script that runs the shell under rr control and sends the samples via the reprl interface.

https://pernos.co/debug/nU4nwEredehUNpDMO8sDfw/index.html

I'll attempt to bisect tomorrow.

Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Attached file .mozconfig.clean
Group: core-security → javascript-core-security

Bisecting the issue points to commit 426f62bd4988594fb63e655baee99f237887804e, related to bug 1861983.

This is likely the same issue as bug 1885828. The same assertion can be triggered when adjusting the test case from bug 1885828 to use substr instead of slice:

function f9(a10) {
    // Hot loop so the substr call site gets JIT-compiled.
    for (let i13 = 1000; i13-- > 0;) {
        // The only thing that changes between runs is the sign of the start argument.
        (`(f32.neg`).substr(a10).search(undefined);
    }
}
f9(1);   // positive start: begin = 1, result "f32.neg"
f9(-1);  // negative start: begin = 7, result "g" (triggers the assertion)

Should we mark this as duplicate of bug 1885828?

Flags: needinfo?(andrebargull)

I didn't attempt to try to use the reprl fuzzing interface to reproduce the issue, so I'm not 100% sure that this is a duplicate of bug 1885828, but it still seems very likely to be the same issue, especially because the test case from comment #3 contains this code:

function f3(a4) {
    // ...
    for ( //...
        ("6 Jun 2014" + -Infinity).substr(a4)
    // ...
}
f3(1);
f3(-1);

which is the same pattern as in bug 1885828: a loop which includes a call to String_substr/String_slice, which is first called with a positive and later a negative input.

Flags: needinfo?(andrebargull)
Blocks: sm-opt-jits
Severity: -- → S2
Priority: -- → P1
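The assertion named in the title, `length == str.length implies begin == 0`, encodes an invariant that follows directly from the ECMAScript clamping rules for substr and slice: a result as long as the input can only start at offset 0. The following is an added example, not code from the bug report or from SpiderMonkey; it models those clamping rules in plain JavaScript (functions `substrRange`, `sliceRange`, `invariantHolds` and `checkPattern` are names chosen here), replays the positive-then-negative start pattern the comments above describe, and confirms that the spec semantics satisfy the invariant for every input, so a failure of this assertion is an engine bug rather than a question of string semantics.

```javascript
// Added example (not from the bug report or SpiderMonkey): a spec-level model of
// String.prototype.substr / String.prototype.slice range computation, used to
// check the invariant stated by the assertion in jit/VMFunctions.cpp:
//     length == str.length  implies  begin == 0

// ToIntegerOrInfinity: NaN -> 0, -0 -> 0, otherwise truncate toward zero.
function toIntegerOrInfinity(v) {
  return Math.trunc(Number(v)) || 0;
}

// Steps of String.prototype.substr(start, length) -> { begin, length }.
function substrRange(str, start, length) {
  const size = str.length;
  let intStart = toIntegerOrInfinity(start);
  if (intStart === -Infinity) intStart = 0;
  else if (intStart < 0) intStart = Math.max(size + intStart, 0);
  else intStart = Math.min(intStart, size);
  let intLength = length === undefined ? size : toIntegerOrInfinity(length);
  intLength = Math.min(Math.max(intLength, 0), size);
  const intEnd = Math.min(intStart + intLength, size);
  return { begin: intStart, length: intEnd - intStart };
}

// Steps of String.prototype.slice(start, end) -> { begin, length }.
function sliceRange(str, start, end) {
  const len = str.length;
  const clamp = (v) => {
    const i = toIntegerOrInfinity(v);
    if (i === -Infinity) return 0;
    return i < 0 ? Math.max(len + i, 0) : Math.min(i, len);
  };
  const from = clamp(start);
  const to = end === undefined ? len : clamp(end);
  // from >= to yields the empty string.
  return { begin: from, length: from >= to ? 0 : to - from };
}

// The invariant the engine asserts, evaluated on a modelled range.
function invariantHolds(str, range) {
  return range.length !== str.length || range.begin === 0;
}

// Replay the reported pattern: the same call with a positive start, then a
// negative one. Returns true when the model matches the built-ins and the
// invariant holds for every (str, start) pair.
function checkPattern(str, starts) {
  for (const start of starts) {
    const s = substrRange(str, start);
    const l = sliceRange(str, start);
    if (str.substr(start) !== str.slice(s.begin, s.begin + s.length)) return false;
    if (str.slice(start) !== str.slice(l.begin, l.begin + l.length)) return false;
    if (!invariantHolds(str, s) || !invariantHolds(str, l)) return false;
  }
  return true;
}

// Constructed inputs: the literals from the two test cases plus edge cases.
const SAMPLE_STRINGS = ["(f32.neg", "6 Jun 2014" + -Infinity, "", "x"];
const SAMPLE_STARTS = [1, -1, 0, 100, -100, undefined, NaN, Infinity, -Infinity];

function runAll() {
  return SAMPLE_STRINGS.every((str) => checkPattern(str, SAMPLE_STARTS));
}

console.log(substrRange("(f32.neg", 1), substrRange("(f32.neg", -1), runAll());
```

Running it shows that `"(f32.neg".substr(1)` maps to begin 1 / length 7 while `substr(-1)` maps to begin 7 / length 1; the invariant holds in both cases and for every clamped edge case, which is why the sign change alone is not supposed to be observable to the engine beyond a different begin offset.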

I'll mark it duplicate for now, and if it isn't fixed by bug 1885828 we can reopen this one.

Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: CVE-2024-3855
Resolution: --- → DUPLICATE

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding the reporter-external keyword to security bugs found by non-employees for accounting reasons.

Group: javascript-core-security