Closed Bug 1942737 Opened 16 days ago Closed 15 days ago

Assertion failure: def->type() == MIRType::Double

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
136 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- unaffected
firefox136 --- fixed

People

(Reporter: katoshi1337, Assigned: anba)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1942737: Relax an assertion to allow any number type. r=jandem!
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

./js ./poc.js

poc

const v1 = new Float32Array(Float32Array, Float32Array, Float32Array);
for (let v2 = 0; v2 < 5; v2++) {
    for (let v3 = 0; v3 < 5; v3++) {
        v1[Math.fround((1 / (1 / v1[v3])) + v1[v3 + 1])];
    }
    --v2;
}
gc();

Actual results:

[2523169] Assertion failure: def->type() == MIRType::Double, at /home/fuzzer/gecko-dev-master/js/src/jit/MIR.h:6604
==3426546==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5593a2a30c53 bp 0x7dbe7e7fe370 sp 0x7dbe7e7fe350 T3426550)
==3426546==The signal is caused by a WRITE memory access.
==3426546==Hint: address points to the zero page.
#0 0x5593a2a30c53 in js::jit::MGuardNumberToIntPtrIndex::MGuardNumberToIntPtrIndex(js::jit::MDefinition*, bool) /home/fuzzer/gecko-dev-master/js/src/jit/MIR.h:6604:5
#1 0x5593a29c516b in js::jit::MGuardNumberToIntPtrIndex* js::jit::MGuardNumberToIntPtrIndex::New<js::jit::MDefinition*&, bool&>(js::jit::TempAllocator&, js::jit::MDefinition*&, bool&) /home/fuzzer/gecko-dev-master/js/src/jit/MIR.h:6614:3
#2 0x5593a29c516b in WarpCacheIRTranspiler::emitGuardNumberToIntPtrIndex(js::jit::NumberOperandId, bool, js::jit::IntPtrOperandId) /home/fuzzer/gecko-dev-master/js/src/jit/WarpCacheIRTranspiler.cpp:1539:15
#3 0x5593a299310f in WarpCacheIRTranspiler::transpile(std::initializer_list<js::jit::MDefinition*>) /home/fuzzer/gecko-dev-master/js/src/jit/WarpCacheIRTranspiler.cpp:350:7
#4 0x5593a2985503 in js::jit::TranspileCacheIRToMIR(js::jit::WarpBuilder*, js::BytecodeLocation, js::jit::WarpCacheIR const*, std::initializer_list<js::jit::MDefinition*>, js::jit::CallInfo*) /home/fuzzer/gecko-dev-master/js/src/jit/WarpCacheIRTranspiler.cpp:6981:19
#5 0x5593a2985503 in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) /home/fuzzer/gecko-dev-master/js/src/jit/WarpBuilder.cpp:3297:12
#6 0x5593a296e88d in js::jit::WarpBuilder::build_GetElem(js::BytecodeLocation) /home/fuzzer/gecko-dev-master/js/src/jit/WarpBuilder.cpp:1980:10
#7 0x5593a2965c7b in js::jit::WarpBuilder::buildBody() /home/fuzzer/gecko-dev-master/js/src/jit/WarpBuilder.cpp:673:19
#8 0x5593a2962a28 in js::jit::WarpBuilder::build() /home/fuzzer/gecko-dev-master/js/src/jit/WarpBuilder.cpp:300:8
#9 0x5593a2906e1c in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) /home/fuzzer/gecko-dev-master/js/src/jit/Ion.cpp:1603:18
#10 0x5593a2a3d8fd in js::jit::IonCompileTask::runTask() /home/fuzzer/gecko-dev-master/js/src/jit/IonCompileTask.cpp:52:24
#11 0x5593a2a3d8fd in js::jit::IonCompileTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /home/fuzzer/gecko-dev-master/js/src/jit/IonCompileTask.cpp:30:5
#12 0x5593a1607135 in js::GlobalHelperThreadState::runTaskLocked(JS::HelperThreadTask*, js::AutoLockHelperThreadState&) /home/fuzzer/gecko-dev-master/js/src/vm/HelperThreads.cpp:668:11
#13 0x5593a1606faf in js::GlobalHelperThreadState::runOneTask(JS::HelperThreadTask*, js::AutoLockHelperThreadState&) /home/fuzzer/gecko-dev-master/js/src/vm/HelperThreads.cpp:624:3
#14 0x5593a164dab2 in js::HelperThread::threadLoop(js::InternalThreadPool*) /home/fuzzer/gecko-dev-master/js/src/vm/InternalThreadPool.cpp:324:25
#15 0x5593a164d6f7 in js::HelperThread::ThreadMain(js::InternalThreadPool*, js::HelperThread*) /home/fuzzer/gecko-dev-master/js/src/vm/InternalThreadPool.cpp:251:11
#16 0x5593a1678bc3 in void js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::callMain<0ul, 1ul>(std::integer_sequence<unsigned long, 0ul, 1ul>) /home/fuzzer/gecko-dev-master/js/src/threading/Thread.h:228:5
#17 0x5593a1678bc3 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start(void*) /home/fuzzer/gecko-dev-master/js/src/threading/Thread.h:217:11
#18 0x7dbe7f494ac2 in start_thread nptl/pthread_create.c:442:8
#19 0x7dbe7f52684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Expected results:

Nothing

Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: other → unspecified
Group: core-security → javascript-core-security
Component: JavaScript Engine → JavaScript Engine: JIT

MGuardNumberToIntPtrIndex can now be called with any number type, so relax
the assertion. The DoublePolicy ensures non-Double inputs will be handled
correctly.

Assignee: nobody → andrebargull
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Blocks: sm-security, sm-opt-jits
Severity: -- → S3
Keywords: regression
Priority: -- → P1
Regressed by: 1941826

Set release status flags based on info from the regressing bug 1941826

status-firefox134: --- → unaffected
status-firefox135: --- → unaffected
status-firefox136: --- → affected
status-firefox-esr128: --- → unaffected
Duplicate of this bug: 1942931

It sounds like this is an overly strict assertion, so it isn't a security issue.

Group: javascript-core-security
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2513a51493be Relax an assertion to allow any number type. r=jandem

https://hg.mozilla.org/mozilla-central/rev/2513a51493be

Status: ASSIGNED → RESOLVED
Closed: 15 days ago
status-firefox136: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Duplicate of this bug: 1943585
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: