1902983 - (CVE-2024-6614) Assertion failure: framePtr->hasCachedSavedFrame() || hasGoodExcuse, at vm/SavedStacks.cpp:1483

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Nils Bars]

Attachment: bug.js

Steps to reproduce:

Checkout commit 97eeb1c55a5c73bd3938d4899685321a7967333b and invoke the JS shell as shown below. Please note that this seems to be a flaky crash that only triggers one-fifth of the executions.

js --fuzzing-safe  --fast-warmup --ion-check-range-analysis --ion-extra-checks  --disable-oom-functions --enable-new-set-methods --small-function-length=1024 --inlining-entry-threshold=8 --gc-zeal=21,210 --ion-scalar-replacement=on --ion-pruning=on --ion-range-analysis=on --ion-inlining=on --ion-gvn=on --ion-osr=on --ion-edgecase-analysis=on --spectre-mitigations=on --ion-limit-script-size=on --ion-offthread-compile=on --ion-optimize-gcbarriers=on --ion-iterator-indices=on --nursery-size=2 --nursery-strings=on --nursery-bigints=on --enable-ic-frame-pointers --disable-bailout-loop-check --ion-optimize-shapeguards=on --ion-licm=on --ion-instruction-reordering=on --cache-ir-stubs=on --no-sse42 --monomorphic-inlining=default --ion-load-keys=off --ion-sink=off <testcase>
``


Actual results:

Assertion failure: framePtr->hasCachedSavedFrame() || hasGoodExcuse, at vm/SavedStacks.cpp:1483

Comment 1

[Jan de Mooij [:jandem]]

Good find. This is similar to bug 1900523 but when we do a direct call instead of through a JSJitToWasm frame.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Bug 1902983 - Don't use bailout data after iterating Wasm frames. r?iain!

This is similar to bug 1900523, but the fix there was incomplete because the
JSJitToWasm frame type is only used when we go through the Wasm JIT entry
trampoline. Ion can also call Wasm functions directly and in that case the type
will be FrameType::Exit.

Comment 3

[Jan de Mooij [:jandem]]

I'll mark this sec-low like bug 1900523. The bug and analysis is very similar.

Comment 4

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6ef4b7955068
Don't use bailout data after iterating Wasm frames. r=iain

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/6ef4b7955068

Comment 6

[Jan de Mooij [:jandem]]

Attachment: Bug 1902983 - Don't use bailout data after iterating Wasm frames. r?iain!

This is similar to bug 1900523, but the fix there was incomplete because the
JSJitToWasm frame type is only used when we go through the Wasm JIT entry
trampoline. Ion can also call Wasm functions directly and in that case the type
will be FrameType::Exit.

Original Revision: https://phabricator.services.mozilla.com/D214098

Comment 7

[Phabricator Automation]

beta Uplift Approval Request

• User impact if declined: This is related to bug 1900523 and it would be nice to have both patches in ESR 128
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: no
• Steps to reproduce for manual QE testing: -
• Risk associated with taking this patch: Low
• Explanation of risk level: Fix for an edge case
• String changes made/needed: No
• Is Android affected?: yes

Comment 8

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/6c45b86f2a0c

Comment 9

[Daniel Veditz [:dveditz]]

I'm sorry, the bounty payment information was intended for your bug 1901411

Comment 10

[Simon Friedberger [:simonf]]

Attachment: advisory.txt