Closed
Bug 1913214
Opened 7 months ago
Closed 7 months ago
Assertion failure: val.isInt32(), at js/src/jit/JSJitFrameIter.h:503
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED FIXED
Target Milestone: 131 Branch
Release | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox-esr128 | --- | unaffected
firefox129 | --- | unaffected
firefox130 | --- | unaffected
firefox131 | --- | fixed
People
(Reporter: sm-bugs, Assigned: anba)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external)
Attachments
(2 files)
Steps to reproduce:
Check out commit ef4ef8198add3192d1e49157fb3f377ea7e60009 and invoke the js shell as follows (please note that rr's chaos mode is used here):
rr record -h js --fast-warmup --fuzzing-safe <test-case>
Actual results:
[2353976] Assertion failure: val.isInt32(), at js/src/jit/JSJitFrameIter.h:503
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==2353976==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5558a0d518b7 bp 0x7ffef30fd6b0 sp 0x7ffef30fd680 T2353976)
==2353976==The signal is caused by a WRITE memory access.
==2353976==Hint: address points to the zero page.
#0 0x5558a0d518b7 in js::jit::SnapshotIterator::readInt32() js/src/jit/JSJitFrameIter.h:503:5
#1 0x5558a0d5a5a1 in js::jit::RInt32ToBigInt::recover(JSContext*, js::jit::SnapshotIterator&) const js/src/jit/Recover.cpp:2023:20
#2 0x5558a13bd97c in js::jit::SnapshotIterator::computeInstructionResults(JSContext*, js::jit::RInstructionResults*) const js/src/jit/JitFrames.cpp:2094:29
#3 0x5558a13bc51a in js::jit::SnapshotIterator::initInstructionResults(js::jit::MaybeReadFallback&) js/src/jit/JitFrames.cpp:2047:12
#4 0x5558a0ce020a in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JSJitFrameIter const&, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*, js::jit::BailoutReason) js/src/jit/BaselineBailouts.cpp:1635:17
#5 0x5558a0cdf895 in js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) js/src/jit/Bailouts.cpp:146:7
#6 0x279364ada3d1 (<unknown module>)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV js/src/jit/JSJitFrameIter.h:503:5 in js::jit::SnapshotIterator::readInt32()
==2353976==ABORTING
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 129 → Trunk
Updated•7 months ago
Group: core-security → javascript-core-security
Updated•7 months ago
Component: JavaScript Engine → JavaScript Engine: JIT
Comment 2•7 months ago
Yes.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Updated•7 months ago
Keywords: regression
Regressed by: 1910769
Comment 3•7 months ago
Set release status flags based on info from the regressing bug 1910769
status-firefox129:
--- → unaffected
status-firefox130:
--- → unaffected
status-firefox131:
--- → affected
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
Updated•7 months ago
Keywords: reporter-external
Comment 4•7 months ago
Not security-sensitive, because we safely crash when hitting the release assertion. And even without the release assertion, we'd just reinterpret a double as an int32_t, which is also not security-sensitive.
Comment 5•7 months ago
Updated•7 months ago
Group: javascript-core-security
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/ce9eebac621a
Handle non-int32 inputs when recovering RInt32ToBigInt. r=iain
Comment 7•7 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch