Assertion failure: false, at js/src/vm/SelfHosting.cpp:436
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox127 | --- | disabled |
| firefox128 | --- | disabled |
| firefox129 | --- | fixed |
People
(Reporter: nils.bars, Assigned: anba)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, reporter-external)
Attachments
(3 files)
Steps to reproduce:
Checkout commit 9fcc11127fbfbdc88cbf37489dac90542e141c77 and invoke the js shell as follows:
js --fuzzing-safe <test-case>
Actual results:
Assertion failure: false, at js/src/vm/SelfHosting.cpp:436
|
||
Updated•12 days ago
|
|
||
Comment 1•12 days ago
|
||
Self-hosted JavaScript assertion info: ./../js/src/builtin/TypedArray.js:810: unexpected missing element
Reduced test below. Glancing at the code, these lines in resizableTypedArrayElementShiftBy look suspicious because both branchPtr calls have the same condition.
var buf = new SharedArrayBuffer(51, {maxByteLength:51});
new Float16Array(buf).lastIndexOf();
|
|
||
Updated•12 days ago
|
|
||
Comment 2•12 days ago
|
||
Set release status flags based on info from the regressing bug 1833647
|
Assignee | |
Comment 3•12 days ago
|
||
Taking because it blocks bug 1835034, for which I've started some initial patches.
|
|
||
Updated•12 days ago
|
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/44c41a7dfb0b Part 1: Jump not branch for float16. r=jandem https://hg.mozilla.org/integration/autoland/rev/4247c85f7948 Part 2: Add Float16Array to existing tests. r=jandem
|
||
Updated•12 days ago
|
|
||
Comment 5•12 days ago
|
||
What are the security implications of this problem? Security issues that affect more than Nightly need sec-approval before landing, if they are worse than sec-moderate. This bug does not even have a rating yet. Thanks.
|
|
Assignee | |
Comment 7•12 days ago
|
||
|
|
Assignee | |
Comment 8•12 days ago
|
||
Depends on D214922
|
|
Assignee | |
Comment 9•12 days ago
|
||
Float16Array isn't available outside of Nightly, see also bug 1903329, which removed the Nightly-only restriction and enabled Float16Array by default.
|
|
||
Comment 10•12 days ago
|
||
Thanks for the clarification.
|
|
||
Comment 11•12 days ago
|
||
This still needs a security rating, if only for possible bug bounty consideration, so if somebody could say what the security implications are it would be appreciated.
|
|
Assignee | |
Comment 12•12 days ago
|
||
I don't see any obvious sec-issues with this bug:
- This issue only affects length-tracking Float16Array with a growable SharedArrayBuffer.
- When tracking the length, the byte length of the underlying growable SharedArrayBuffer is read and then divided by the TypedArray's
BYTES_PER_ELEMENT. - Before the patch, the SharedArrayBuffer's byte length was divided by 8, but the correct divisor should have been 2.
- That means a too small length value was reported.
The overall affected operations are:
- The
inoperator. This led to reporting that an element is absent even though it's actually present. (Theinoperator with an indexed operand is compiled asindex < typedArray.length.) - The
TypedArray.prototype.lengthandTypedArray.prototype.byteLengthaccessor properties. This led to reporting a too small length resp. byte-length value. - The self-hosting intrinsic functions
TypedArrayLengthandPossiblyWrappedTypedArrayLength. This is probably the most interesting case, but after checking all callers to these two functions, I didn't see any obvious issue when reporting a too small length value.
|
|
||
Updated•12 days ago
|
|
||
Comment 13•11 days ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/44c41a7dfb0b
https://hg.mozilla.org/mozilla-central/rev/4247c85f7948
Description
•