Closed Bug 1937176 Opened 1 year ago Closed 1 year ago

Assertion failure: rawIndex > 0 && index < RealmFuses::FuseIndex::LastFuseIndex, at vm/RealmFuses.cpp:75

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- unaffected
firefox135 --- fixed

People

(Reporter: gkw, Assigned: mgaudet)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(3 files)

debug stack
478 bytes, text/plain
Details
Assertion stack for another testcase
4.01 KB, text/plain
Details
Bug 1937176 - Fix incorrect assertion bound r?iain
48 bytes, text/x-phabricator-request
Details | Review
Attached file debug stack 
gczeal(19);
for (let i = 0; i < 99; i++) {
  function g() {
    function f() {
      with ({}) {}
    }
    class C extends f {}
  }
  g();
  disblic(g);
}

(gdb) bt
#0  js::jit::ICStub::jitCode (this=this@entry=0x7ffff657e2d0) at /home/i32g7900a/trees/mozilla-central/js/src/jit/BaselineIC.h:199
#1  0x000055555784b437 in DisassembleBaselineICs (cx=0x7ffff6f39a00, argc=<optimized out>, vp=<optimized out>)
    at /home/i32g7900a/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:1937
#2  0x000010ef43cd7143 in ?? ()
#3  0x0000000000000089 in ?? ()
#4  0x00007fffffffc830 in ?? ()
#5  0x0000000000000000 in ?? ()
(gdb)

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8228bb0a8957
user:        Iain Ireland
date:        Thu Dec 05 18:20:38 2024 +0000
summary:     Bug 1791109: Add testing function to disassemble baseline ics r=mgaudet

Run with --fuzzing-safe --no-threads --fast-warmup, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 49130c85c5ed.

Setting s-s just in case. Iain, is bug 1791109 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(iireland)
Group: core-security → javascript-core-security
function f() {
  for (let i = 0; i < 9; i++) {
    for (let [j] = [0]; j < 1; j++) {}
  }
}
f();
disblic(f);

shows Assertion failure: rawIndex > 0 && index < RealmFuses::FuseIndex::LastFuseIndex, at vm/RealmFuses.cpp:75, run with --fuzzing-safe --no-threads --fast-warmup.

Set release status flags based on info from the regressing bug 1791109

status-firefox133: --- → unaffected
status-firefox134: --- → unaffected
status-firefox-esr128: --- → unaffected
See Also: → 1937206
See Also: → 1937270

Incorrectly written assert (by me) patch incoming.

Flags: needinfo?(iireland)
Group: javascript-core-security
Severity: -- → S3
Priority: -- → P3
Duplicate of this bug: 1937270
Duplicate of this bug: 1937206
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
See Also: 1937206
See Also: 1937270
See Also: → 1937430

There are actually two bugs here: the assertion Matt fixed (testcase in comment 1) and the original one involving gczeal. We'll make this bug about the former, and fix the other one in bug 1937430.

Summary: Crash [@ js::jit::ICStub::jitCode] or Assertion failure: rawIndex > 0 && index < RealmFuses::FuseIndex::LastFuseIndex, at vm/RealmFuses.cpp:75 → Assertion failure: rawIndex > 0 && index < RealmFuses::FuseIndex::LastFuseIndex, at vm/RealmFuses.cpp:75
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f3262fe1c37c Fix incorrect assertion bound r=iain

https://hg.mozilla.org/mozilla-central/rev/f3262fe1c37c

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox135: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Flags: sec-bounty? → sec-bounty-
Duplicate of this bug: 1938853
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: