Closed Bug 1902907 Opened 5 months ago Closed 5 months ago

Assertion failure: startOfUninitialized <= nfixed, at jit/MacroAssembler.cpp:922

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Tracking

RESOLVED FIXED
129 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox127 --- wontfix
firefox128 --- wontfix
firefox129 --- fixed

People

(Reporter: nils.bars, Assigned: jandem)

References

(Blocks 3 open bugs, Regression)

Details

(Keywords: regression, reporter-external)

Attachments

(2 files)

Attached file bug.js

Steps to reproduce:

Check out commit 97eeb1c55a5c73bd3938d4899685321a7967333b and invoke the js shell as follows:

js --fuzzing-safe <testcase>

Actual results:

Assertion failure: startOfUninitialized <= nfixed, at jit/MacroAssembler.cpp:922

Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Flags: sec-bounty?
Product: Firefox → Core
Group: core-security → javascript-core-security
Attachment #9407732 - Attachment mime type: application/x-javascript → text/plain
Component: JavaScript Engine → JavaScript Engine: JIT

Reduced test below.

// --fast-warmup --no-threads
// Hostile getter: any spec-level read of a RegExp's "flags" now runs this and
// mutates the receiver (push() with no arguments performs Set(this, "length", 0)).
Object.defineProperty(RegExp.prototype, "flags", {get: function() {
    Array.prototype.push.call(this);
}});
function f() {
    // disassemble() is a shell-only testing function. It stringifies this
    // script's template RegExp object through ValueToSource, which runs the
    // getter above and so mutates the template object.
    var s = disassemble();
    for (var i = 0; i < 200; i++) {
        s.replace(/0./);   // warm up so the JIT later compiles code against the mutated template
    }
}
f();

Oh this is creative. The disassemble() call ends up calling ValueToSource on the script's template RegExp object. Unfortunately this can have side-effects, in this case it invokes our custom flags getter and this messes up the template object enough to confuse codegen later.

disassemble is a testing function that's not exposed to normal JS code.

Group: javascript-core-security
Assignee: nobody → jdemooij
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6b239eb7bae6
user:        Tooru Fujisawa
date:        Tue Aug 02 13:56:27 2022 +0000
summary:     Bug 1782166 - Part 1: Add JSScript::dump and move shell dis() function implementation into it. r=nbp

Jan, would bug 1782166 be a likely regressor, since you're already working on it?

Keywords: regression
Regressed by: 1782166

Set release status flags based on info from the regressing bug 1782166

Blocks: sm-shell, sm-jits
Severity: -- → S4
Priority: -- → P2

Call ToDisassemblySource instead of ValueToSource because it handles this without
calling into JS.

The JSOp::Object and JSOp::CallSiteObj objects can have a similar issue, but these
objects are already exposed to script so aren't affected the same way. I tried to add
a special mode to ValueToSource to handle these objects too without running JS, but it
got too complicated for this testing function issue.
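Added example, not code from this bug, its attachment or the SpiderMonkey tree: plain JavaScript runnable under Node.js that shows the two points made in this bug's comments. First, the mechanism jandem describes (an overridden RegExp.prototype.flags getter runs on any spec-path stringification of a RegExp and mutates the receiver, exactly as in the reduced testcase). Second, a user-level analogue of the fix's approach, building the source string without calling into anything script can intercept. The names safeToSource, demoHostileFlagsGetter, FLAG_PROPS, FLAG_CHARS and ORIGINAL_GETTERS are mine; the one assumption is that this module loads before untrusted script, so it can capture the engine's original accessors.

```javascript
"use strict";

// Captured at load time, before any script can redefine them. These are the
// engine's own accessors; invoking them with Reflect.apply bypasses whatever
// is sitting on RegExp.prototype at call time.
// Assumption (stated in the lead-in): this runs before untrusted code.
const FLAG_PROPS = ["hasIndices", "global", "ignoreCase", "multiline",
                    "dotAll", "unicode", "unicodeSets", "sticky"];
const FLAG_CHARS = { hasIndices: "d", global: "g", ignoreCase: "i", multiline: "m",
                     dotAll: "s", unicode: "u", unicodeSets: "v", sticky: "y" };
const ORIGINAL_GETTERS = {};
for (const name of ["source", ...FLAG_PROPS]) {
  const desc = Object.getOwnPropertyDescriptor(RegExp.prototype, name);
  // Skip flags this engine version does not implement (e.g. unicodeSets).
  if (desc && typeof desc.get === "function") ORIGINAL_GETTERS[name] = desc.get;
}

// Analogue of "ToDisassemblySource instead of ValueToSource": produce /source/flags
// without a single [[Get]] that user code could hook. The intrinsic getters
// read internal slots and throw a TypeError for non-RegExp receivers.
function safeToSource(re) {
  let flags = "";
  for (const name of FLAG_PROPS) {
    const getter = ORIGINAL_GETTERS[name];
    if (getter && Reflect.apply(getter, re, [])) flags += FLAG_CHARS[name];
  }
  return "/" + Reflect.apply(ORIGINAL_GETTERS.source, re, []) + "/" + flags;
}

// Installs the hostile getter from the reduced testcase, stringifies one RegExp
// both ways, and reports what each path did to the object. Restores the
// original descriptor afterwards so the rest of the process is unaffected.
function demoHostileFlagsGetter() {
  const saved = Object.getOwnPropertyDescriptor(RegExp.prototype, "flags");
  let getterCalls = 0;
  Object.defineProperty(RegExp.prototype, "flags", {
    configurable: true,
    get() {
      getterCalls++;
      // push() with no arguments does Set(this, "length", 0): the RegExp
      // object gains an own "length" data property and changes shape.
      Array.prototype.push.call(this);
      // No return value, as in the testcase: the spec path sees "undefined".
    },
  });
  try {
    const re = /0./;
    const viaSafe = safeToSource(re);
    const callsAfterSafe = getterCalls;
    const hasLengthAfterSafe = Object.prototype.hasOwnProperty.call(re, "length");
    // RegExp.prototype.toString does Get(R, "source") then Get(R, "flags"):
    // one ordinary stringification is enough to run the getter.
    const viaSpec = String(re);
    const callsAfterSpec = getterCalls;
    const hasLengthAfterSpec = Object.prototype.hasOwnProperty.call(re, "length");
    return { viaSafe, callsAfterSafe, hasLengthAfterSafe,
             viaSpec, callsAfterSpec, hasLengthAfterSpec };
  } finally {
    Object.defineProperty(RegExp.prototype, "flags", saved);
  }
}
```

The point for anyone writing engine-side or tooling code is the same as in the fix: a RegExp, like any object, cannot be stringified through the spec path without running script, so a debugging helper that merely wants a printable representation must avoid [[Get]] on user-reachable properties entirely rather than try to special-case the properties an attacker happens to override.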

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/09d29cf7128f Don't leak template RegExpObject to JS through 'disassemble' testing function. r=arai
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Blocks: 1903968

The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox128 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Flags: sec-bounty? → sec-bounty-