Closed Bug 1922104 Opened 2 months ago Closed 2 months ago

Assertion failure: HasSSE41(), at jit/x86-shared/Assembler-x86-shared.h:3757

Categories

(Core :: JavaScript Engine: JIT, defect)

Tracking

RESOLVED FIXED
133 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox131 --- wontfix
firefox132 --- wontfix
firefox133 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
new Float16Array()[0];
(gdb) bt
#0  js::jit::AssemblerX86Shared::vpmovzxwq (this=<optimized out>, src=..., dest=...) at /home/i32g7900a/trees/mozilla-central/js/src/jit/x86-shared/Assembler-x86-shared.h:3757
#1  0x00005555585cb851 in js::jit::MacroAssemblerX86Shared::convertFloat16ToFloat32 (this=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, src=..., dest=...) at /home/i32g7900a/trees/mozilla-central/js/src/jit/x86-shared/MacroAssembler-x86-shared.h:413
#2  0x00005555585c79a0 in js::jit::MacroAssembler::loadFloat16<js::jit::BaseIndex> (this=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, this@entry=0x7fffffffb920, src=..., dest=..., temp1=temp1@entry=..., temp2=temp2@entry=..., volatileLiveRegs=...) at /home/i32g7900a/trees/mozilla-central/js/src/jit/MacroAssembler.cpp:8189
#3  0x00005555585c81ec in js::jit::MacroAssembler::loadFromTypedArray<js::jit::BaseIndex> (this=0x7fffffffb920, arrayType=JS::Scalar::Float16, src=..., dest=..., temp2=..., fail=0x0, temp1=..., volatileLiveRegs=...) at /home/i32g7900a/trees/mozilla-central/js/src/jit/MacroAssembler.cpp:191
#4  js::jit::MacroAssembler::loadFromTypedArray<js::jit::BaseIndex> (this=0x7fffffffb920, arrayType=<optimized out>, src=..., dest=..., uint32Mode=<optimized out>, temp=..., fail=0x7fffffffc7a0, volatileLiveRegs=...) at /home/i32g7900a/trees/mozilla-central/js/src/jit/MacroAssembler.cpp:242
#5  0x000055555822aaf5 in js::jit::CacheIRCompiler::emitLoadTypedArrayElementResult (this=0x7fffffffb908, objId=..., indexId=..., elementType=JS::Scalar::Float16, handleOOB=true, forceDoubleForUint32=false, viewKind=js::jit::ArrayBufferViewKind::FixedLength) at /home/i32g7900a/trees/mozilla-central/js/src/jit/CacheIRCompiler.cpp:7240
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d5ea08f74244
user:        André Bargull
date:        Sat Jul 13 10:45:31 2024 +0000
summary:     Bug 1835034 - Part 7: Inline loading from Float16Array. r=jandem

Run with --fuzzing-safe --no-threads --ion-eager --enable-avx --no-sse4, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 0546d4eb6429.

Setting s-s just in case. :anba, is bug 1835034 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(andrebargull)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1835034

Duplicate of this bug: 1922148

Command-line flags allow disabling SSE while at the same time enabling AVX. This combination doesn't make sense and I don't know of any CPU which supports AVX but not SSE4.2 (and SSE4.2 support implies supporting all previous SSE versions).

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

Also this is not a security-sensitive bug, because it requires shell-only functions.

Flags: needinfo?(andrebargull)
Group: javascript-core-security
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/35f435559ca8 Don't allow enabling AVX when SSE has been restricted. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Flags: sec-bounty? → sec-bounty-
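The feature dependency described in the assignee's comment and in the landed commit summary ("Don't allow enabling AVX when SSE has been restricted"), as an added C++ example that is not SpiderMonkey's own code. It places a naive flag resolver, which applies each flag independently and so produces the impossible AVX-without-SSE4 set that reached the HasSSE41() assertion in the report, beside a hardened resolver that refuses AVX unless the effective SSE level is SSE4.2. Only --enable-avx and --no-sse4 are taken from the bug; --no-sse3, --no-ssse3, --no-avx and every type and function name here are assumptions.

```cpp
// Added example, not SpiderMonkey source: resolving x86 SIMD feature flags so a
// higher-level extension (AVX) can never stay enabled while an extension it
// depends on (SSE4.1/4.2) has been switched off by a command-line flag.
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// SSE levels in dependency order: each level implies all lower ones
// (as the bug comment states for SSE4.2).
enum class Sse : uint8_t { SSE2 = 2, SSE3 = 3, SSSE3 = 4, SSE4_1 = 5, SSE4_2 = 6 };

struct FeatureRequest {
  Sse maxSse = Sse::SSE4_2;  // highest SSE level the flags leave enabled
  bool forceAvx = false;     // --enable-avx (from the bug report)
  bool disableAvx = false;   // --no-avx (assumed flag name)
};

struct EffectiveFeatures {
  Sse sse;
  bool avx;
};

// Parse the SIMD-related flags. "--enable-avx" and "--no-sse4" appear in the
// report; "--no-sse3", "--no-ssse3" and "--no-avx" are assumed spellings.
// A --no-sseN flag caps the allowed level below N; multiple caps take the minimum.
FeatureRequest parseFlags(const std::vector<std::string>& args) {
  FeatureRequest req;
  for (const std::string& a : args) {
    if (a == "--no-sse3")        req.maxSse = std::min(req.maxSse, Sse::SSE2);
    else if (a == "--no-ssse3")  req.maxSse = std::min(req.maxSse, Sse::SSE3);
    else if (a == "--no-sse4")   req.maxSse = std::min(req.maxSse, Sse::SSSE3);
    else if (a == "--enable-avx") req.forceAvx = true;
    else if (a == "--no-avx")    req.disableAvx = true;
    // any other flag is irrelevant to feature selection
  }
  return req;
}

// Pre-fix behaviour (reconstructed for illustration): SSE and AVX are decided
// independently, so "--enable-avx --no-sse4" yields avx=true with sse=SSSE3.
EffectiveFeatures resolveFeaturesNaive(const FeatureRequest& req, Sse cpuSse, bool cpuAvx) {
  EffectiveFeatures eff;
  eff.sse = std::min(cpuSse, req.maxSse);
  eff.avx = (cpuAvx || req.forceAvx) && !req.disableAvx;
  return eff;
}

// Hardened behaviour, matching the rule the fix describes: AVX is only kept when
// the effective SSE level is SSE4.2, because no CPU supports AVX without it and
// the AVX encoder paths assume the SSE4.x instructions exist.
EffectiveFeatures resolveFeatures(const FeatureRequest& req, Sse cpuSse, bool cpuAvx) {
  EffectiveFeatures eff = resolveFeaturesNaive(req, cpuSse, cpuAvx);
  if (eff.sse != Sse::SSE4_2) eff.avx = false;
  return eff;
}

// Mirrors the HasSSE41() precondition of the encoder that asserted in the report.
bool hasSse41(const EffectiveFeatures& f) { return f.sse >= Sse::SSE4_1; }

// Invariant every resolver output should satisfy: AVX implies the full SSE chain.
bool featureSetConsistent(const EffectiveFeatures& f) {
  return !f.avx || f.sse == Sse::SSE4_2;
}

// Convenience wrapper so callers can go straight from argv-style flags to a feature set.
EffectiveFeatures resolveFromArgs(const std::vector<std::string>& args, Sse cpuSse, bool cpuAvx) {
  return resolveFeatures(parseFlags(args), cpuSse, cpuAvx);
}

std::string describe(const EffectiveFeatures& f) {
  return "sse=" + std::to_string(static_cast<int>(f.sse)) + " avx=" + (f.avx ? "on" : "off") +
         " consistent=" + (featureSetConsistent(f) ? "yes" : "no");
}

int main() {
  // The fuzzer's flag combination from the report, on a CPU that has SSE4.2 and AVX.
  std::vector<std::string> flags = {"--enable-avx", "--no-sse4"};
  std::cout << "naive:    " << describe(resolveFeaturesNaive(parseFlags(flags), Sse::SSE4_2, true)) << "\n";
  std::cout << "hardened: " << describe(resolveFromArgs(flags, Sse::SSE4_2, true)) << "\n";
  return 0;
}
```

With the naive resolver the report's combination produces avx=on while hasSse41() is false, which is exactly the state in which the vpmovzxwq encoder's assertion fires; the hardened resolver drops AVX instead, so the JIT never reaches an AVX-only path without the SSE4.1 instructions it relies on.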

Can this combination of options be removed? It seems unfortunate to waste fuzzing effort on impossible configurations.

