Closed Bug 1939008 Opened 2 months ago Closed 1 month ago

A bug in JIT optimization: an exception about Array object

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Other Branch
defect

Tracking


RESOLVED FIXED
136 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- wontfix
firefox135 --- wontfix
firefox136 --- fixed

People

(Reporter: anbu1024.me, Assigned: jandem)

References

(Regression)

Details

(Keywords: regression, reporter-external)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0

Steps to reproduce:

A bug in JIT optimization; whether or not there are security risks requires further in-depth analysis.

version:

commit f490380b650997a8dc95b6b2a1306e9f4bfb486e

Build options:

/bin/sh ../../gecko-dev/js/src/configure --enable-debug --disable-optimize --disable-shared-js --disable-tests --enable-gczeal

Test case:

function opt(){
  const v0 = [];
  const v1 = new Uint32Array();   // empty typed array (length 0)
  const v2 = [];
  const v3 = v2.__proto__;        // Array.prototype
  v3.__proto__ = v1;              // put the typed array on Array.prototype's prototype chain
  for (const v4 in this) {
    v0[10] **= 1496956063;        // indexed store on an array with no own element 10
  }
  return v0;
}

let a = opt();
let b = opt();
for (let i = 0; i < 100; i++) {
  opt();
}
let c = opt();
print(a)
print(b)
print(c)

Actual results:

The result has changed after JIT optimization.

a = ,,,,,,,,,,NaN
b = ,,,,,,,,,,NaN
c = 
Group: core-security → javascript-core-security

The severity field is not set for this bug.
:willyelm, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(wmedina)

Thanks for the report. Not a security bug but it is a nice find.

A reduced test case:

function test() {
    Array.prototype.__proto__ = new Int8Array();   // empty typed array behind Array.prototype
    for (let i = 0; i < 20; i++) {
        let v0 = [];
        v0[10] = 1;            // out-of-range for the typed array: the store must be dropped
        print(v0.length);      // expected 0 on every iteration
    }
}
test();

Result for this test case:

SM: 0 in the interpreter, 11 with IC stubs enabled
V8: 0 (not trunk but a fairly recent build)
Safari: 11

Reading the code I think this has to do with this code in SetNonexistentProperty. This changed in bug 1772858.

Changing CanAttachAddElement to return false for typed arrays on the proto chain makes us always print 0.

Group: javascript-core-security
Keywords: regression
Regressed by: 1772858
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Severity: -- → S3
Flags: needinfo?(wmedina)
Priority: -- → P3
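As an added illustration (not code from the bug report or from the SpiderMonkey tree), the following models the prototype-chain walk the specification prescribes for the `v0[10] = 1` store and wraps the reduced test case in a warm-up probe that flags the interpreter/IC divergence described in the comment above. `modelIndexedSet`, `probeEngine` and the sample prototype chains are constructed for this example.

```javascript
// Added example (not code from the bug report or from SpiderMonkey): a model
// of the spec's [[Set]] walk for `obj[index] = value`, plus a warm-up probe
// that runs the reduced test case repeatedly and reports whether the engine
// gives the same array length before and after its fast paths kick in.

function isTypedArray(o) {
  return ArrayBuffer.isView(o) && !(o instanceof DataView);
}

// Where does a store to a canonical numeric index end up? OrdinarySet walks
// the prototype chain; a typed array on that chain applies its exotic [[Set]]:
//   - index out of range for the typed array: returns true, stores nothing;
//   - index in range: OrdinarySet continues and creates the element on the receiver.
// Accessor properties are reported, not modelled further (simplification).
function modelIndexedSet(receiver, index) {
  for (let o = receiver; o !== null; o = Object.getPrototypeOf(o)) {
    if (isTypedArray(o)) {
      if (index >= o.length) return "dropped";
      return o === receiver ? "typed-array-element" : "receiver";
    }
    const desc = Object.getOwnPropertyDescriptor(o, index);
    if (desc !== undefined) {
      if ("get" in desc) return "accessor";
      return desc.writable ? "receiver" : "dropped"; // non-writable: TypeError in strict code
    }
  }
  return "receiver"; // chain exhausted: CreateDataProperty on the receiver
}

// Runs the reduced test case (Array.prototype's prototype replaced by an empty
// Int8Array) `iterations` times, so the store is first handled by the
// interpreter and later by whatever IC or JIT path the engine installs.
// The global prototype change is undone afterwards.
function probeEngine(iterations = 100) {
  const savedProto = Object.getPrototypeOf(Array.prototype);
  const seen = new Set();
  Object.setPrototypeOf(Array.prototype, new Int8Array(0));
  const expected = modelIndexedSet([], 10) === "receiver" ? 11 : 0; // spec says 0
  try {
    for (let i = 0; i < iterations; i++) {
      const v0 = [];
      v0[10] = 1;          // the store from the reduced test case
      seen.add(v0.length); // 0 per spec; 11 if a fast path ignores the typed array
    }
  } finally {
    Object.setPrototypeOf(Array.prototype, savedProto);
  }
  const lengths = [...seen];
  return { lengths, expected, consistent: lengths.length === 1,
           matchesSpec: lengths.length === 1 && lengths[0] === expected };
}
```

On a build affected by this bug, `probeEngine().lengths` contains both 0 (interpreter) and 11 (IC stub), so `consistent` is false; a fixed engine reports `[0]`.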

This case is very uncommon and this avoids a difference in behavior after the changes in bug 1772858.

Set release status flags based on info from the regressing bug 1772858

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c09df93e569b Don't optimize adding a dense element if the proto chain contains a typed array object. r=anba
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch

The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox135 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Summary: A bug in JIT optimization → A bug in JIT optimization: an exception about Array object