pwn2own-2025-2: Second entry from May 17th (Incorrect bounds check elimination when using ExtractLinearSum)
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
People
(Reporter: freddy, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [bugmon:confirmed,bisected][adv-main138.0.4+][adv-esr128.10.1+][adv-esr115.23.1+])
Attachments
(8 files, 1 obsolete file)
|
82.06 KB,
application/pdf
|
Details | |
|
12.82 KB,
application/x-javascript
|
Details | |
|
163 bytes,
text/html
|
Details | |
|
11.48 KB,
text/plain
|
Details | |
|
392 bytes,
application/x-javascript
|
Details | |
|
221 bytes,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-release+
diannaS
:
approval-mozilla-esr115+
diannaS
:
approval-mozilla-esr128+
freddy
:
sec-approval+
|
Details | Review |
|
603 bytes,
text/html
|
Details |
This is the placeholder bug for the first pwn2own entry that we are going to receive tomorrow (May 17th 2025). Creating it now such that access is going to be widely available and granted ahead of time.
This entry is credited to Manfred Paul (@manf@infosec.exchange).
|
Reporter | |
Comment 1•6 months ago
|
||
|
|
Reporter | |
Comment 2•6 months ago
|
||
|
|
Reporter | |
Comment 3•6 months ago
|
||
|
|
Reporter | |
Comment 4•6 months ago
|
||
|
|
Reporter | |
Updated•6 months ago
|
|
||
Comment 5•6 months ago
|
||
|
||
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
Assignee | |
Comment 6•6 months ago
|
||
This is a problem with ExtractLinearSum in the JIT backend as explained in the excellent write-up.
This function supports 'modulo' and 'infinite' math spaces. The former doesn't work well for bounds check optimizations. In practice this was not an issue until we added support for large array buffers and typed arrays (enabled in bug 1703505).
It's possible this only affects processes with Spectre mitigations off (IIRC that's Fission content processes on desktop) but I'm not 100% sure about this and we shouldn't rely on it.
|
|
Reporter | |
Comment 7•6 months ago
|
||
|
|
||
Comment 8•6 months ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #6)
It's possible this only affects processes with Spectre mitigations off (IIRC that's Fission content processes on desktop) but I'm not 100% sure about this and we shouldn't rely on it.
Manfred also mentioned that Spectre mitigations break this reliably because the value is folded once more back into positive as far as I understood.
|
|
Assignee | |
Comment 9•6 months ago
|
||
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
||
Updated•6 months ago
|
|
|
Assignee | |
Comment 10•6 months ago
|
||
|
|
Assignee | |
Comment 11•6 months ago
|
||
|
|
||
Comment 12•6 months ago
|
||
Per some discussion on Slack from jandem, it appears that Spectre mitigations prevent the crash in the test case. This means that the test case won't crash either on Android or when run via a file:// URI.
|
||
Comment 13•6 months ago
|
||
|
||
Updated•6 months ago
|
|
|
||
Comment 14•6 months ago
|
||
Comment on attachment 9488481 [details]
Bug 1966614 - Don't support modulo math space in ExtractLinearSum. r?iain!
Approved for 139.0b10
Approved for 138.0.4 dot release
Approved for 115.23.1esr
Approved for 128.10.1esr
|
|
||
Comment 15•6 months ago
|
||
| uplift | ||
|
|
||
Comment 16•6 months ago
|
||
| uplift | ||
|
|
||
Comment 17•6 months ago
•
|
||
| uplift | ||
|
|
||
Comment 18•6 months ago
•
|
||
| uplift | ||
|
|
||
Updated•6 months ago
|
|
|
||
Comment 19•6 months ago
•
|
||
| uplift | ||
|
|
||
Comment 20•6 months ago
•
|
||
| uplift | ||
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
||
Updated•6 months ago
|
|
||
Comment 21•6 months ago
|
||
Verified as fixed for mobile, on the following builds:
Firefox for Android:
- Nightly 140.0a1 from 05/17
- Beta 139.0b10
- 138.0.4
Focus for Android:
- Nightly 140.0a1 from 05/17
- Beta 139.0b10
- 138.0.4
Tested with Nothing Phone (2a) 5G (Android 14), Lenovo Yoga Tab 11 (Android 12) and Motorola Nexus 6 (Android 8).
|
||
Updated•6 months ago
|
|
||
Comment 22•6 months ago
|
||
Verified bug as fixed on rev mozilla-central 20250518220019-8e9456975478.
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 23•6 months ago
|
||
A pernosco session for this bug can be found here.
|
||
Updated•5 months ago
|
|
|
||
Comment 24•5 months ago
|
||
Managed to reproduce the issue on 140.0a1 (2025-05-16).
Confirming the fix also on Firefox 115.24 ESR, Firefox 128.11 ESR and on Firefox 140.0a1 (2025-05-19).
|
||
Comment 25•5 months ago
|
||
(In reply to Pulsebot from comment #13)
Pushed by dsmith@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/3197c34f492e
Don't support modulo math space in ExtractLinearSum. r=iain, a=dsmith
Perfherder has detected a browsertime performance change from push 46e4a93846b20b6a408f4be3876276320f6695af.
If you have any questions, please reach out to a performance sheriff. Alternatively, you can find help on Slack by joining #perf-help, and on Matrix you can find help by joining #perftest.
Improvements:
| Ratio | Test | Platform | Options | Absolute values (old vs new) | Performance Profiles |
|---|---|---|---|---|---|
| 4% | google-docs PerceptualSpeedIndex | linux1804-64-shippable-qr | fission warm webrender | 2,394.15 -> 2,302.90 | Before/After |
| 4% | google-docs LastVisualChange | linux1804-64-shippable-qr | fission warm webrender | 5,221.32 -> 5,027.28 | Before/After |
| 4% | google-docs PerceptualSpeedIndex | linux1804-64-shippable-qr | cold fission webrender | 3,024.09 -> 2,913.38 | Before/After |
| 4% | google-docs LastVisualChange | linux1804-64-shippable-qr | cold fission webrender | 5,810.53 -> 5,607.35 | Before/After |
| 3% | google-docs ContentfulSpeedIndex | linux1804-64-shippable-qr | fission warm webrender | 1,608.32 -> 1,555.40 | Before/After |
| ... | ... | ... | ... | ... | ... |
| 3% | google-docs ContentfulSpeedIndex | linux1804-64-shippable-qr | cold fission webrender | 1,973.94 -> 1,917.77 | Before/After |
Details of the alert can be found in the alert summary, including links to graphs and comparisons for each of the affected tests.
If you need the profiling jobs you can trigger them yourself from treeherder job view or ask a performance sheriff to do that for you.
You can run all of these tests on try with ./mach try perf --alert 45219
The following documentation link provides more information about this command.
|
|
||
Updated•5 months ago
|
|
|
||
Comment 26•4 months ago
|
||
There's a public writeup of this now.
|
||
Updated•2 months ago
|
Description
•