Assertion failure: movable == IsMovable::No, at jit/WarpBuilderShared.cpp:68
Categories: Core :: JavaScript Engine: JIT, defect

Tracking:

| Branch | Tracking | Status |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox139 | --- | unaffected |
| firefox140 | --- | unaffected |
| firefox141 | --- | fixed |

People: Reporter: gkw, Assigned: anba
References: Blocks 1 open bug, Regression
Details: Keywords: regression, reporter-external, testcase
Attachments: 2 files
```js
var f = Iterator.prototype.drop;
for (var k = 0; k < 99; ++k) {
  try {
    (function () {
      f();
    })();
  } catch (e) {}
}
```
```text
(gdb) bt
#0 0x00005555580fcb3d in MOZ_CrashSequence (aAddress=0x0, aLine=68)
    at /home/msf1/shell-cache/js-dbg-64-linux-x86_64-ce689cd992f5/objdir-js/dist/include/mozilla/Assertions.h:248
#1 js::jit::WarpBuilderShared::unboxObjectInfallible (this=0x7fffffffba68, def=0x7ffff5bc01e0, movable=js::jit::WarpBuilderShared::IsMovable::Yes)
    at /home/msf1/trees/mozilla-central/js/src/jit/WarpBuilderShared.cpp:68
#2 js::jit::WarpBuilder::build_CloseIter (this=this@entry=0x7fffffffba68, loc=...) at /home/msf1/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:1869
#3 0x00005555580f6fc7 in js::jit::WarpBuilder::buildBody (this=this@entry=0x7fffffffba68)
    at /home/msf1/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:689
#4 0x000055555810dd92 in js::jit::WarpBuilder::buildInline (this=0x7fffffffba68) at /home/msf1/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:320
#5 js::jit::WarpBuilder::buildInlinedCall (this=this@entry=0x7fffffffc0c0, loc=..., inlineSnapshot=inlineSnapshot@entry=0x7ffff5bbf940, callInfo=...)
    at /home/msf1/trees/mozilla-central/js/src/jit/WarpBuilder.cpp:3742
/snip
```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/97665d31b0b6
user: André Bargull
date: Tue May 27 07:03:57 2025 +0000
summary: Bug 1935510 - Part 2: Perform IteratorClose when limit coercion throws or limit is invalid. r=spidermonkey-reviewers,iain
Run with `--fuzzing-safe --no-threads --fast-warmup --ion-warmup-threshold=100`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev ce689cd992f5.
Andre, is bug 1935510 a likely regressor?
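The behaviour the regressing changeset introduces (IteratorClose when the limit coercion throws or the limit is invalid) and the testcase's bare `f()` call, as an added example that is not part of the bug report or of SpiderMonkey's code: a spec-style model of `Iterator.prototype.drop`'s limit handling, plus a probe that runs the same cases through the engine's own built-in `drop`. The function names (`makeTracker`, `specDrop`, `probe`, `probeBuiltin`) and the tracker iterator are assumptions chosen here.

```javascript
// Added example (not from the bug report or SpiderMonkey): a spec-style model of
// Iterator.prototype.drop's limit handling, plus a probe that runs the same cases
// through an engine's built-in drop. All names here are chosen for this example.

// Constructed iterator that records whether return() (IteratorClose) ran.
function makeTracker() {
  const state = { closed: false };
  const it = {
    next() { return { value: 1, done: false }; },
    return() { state.closed = true; return { done: true }; },
  };
  return { it, state };
}

// The steps the regressing changeset implements: coerce the limit, and close the
// iterator before rethrowing when coercion throws or the limit is NaN or negative.
function specDrop(iterated, limit) {
  if (Object(iterated) !== iterated) throw new TypeError("not an object");
  // IteratorClose for a throw completion: run return() if present, ignore its
  // outcome, and propagate the original error.
  const close = (err) => { try { iterated.return?.(); } catch (_) {} throw err; };
  let numLimit;
  try { numLimit = Number(limit); } catch (e) { close(e); }
  if (Number.isNaN(numLimit) || Math.trunc(numLimit) < 0) close(new RangeError("invalid limit"));
  return { remaining: Math.trunc(numLimit) }; // the lazy dropping itself is omitted
}

// Record, per case, whether the iterator was closed and which error escaped.
function probe(drop) {
  const cases = [
    ["noThis", undefined, 0], // the testcase's bare f() call: no receiver at all
    ["coercionThrows", null, { valueOf() { throw new Error("coerce"); } }],
    ["nan", null, NaN], ["negative", null, -1], ["valid", null, 2],
  ];
  const out = {};
  for (const [name, receiver, limit] of cases) {
    const { it, state } = makeTracker();
    let error = null;
    try { drop(receiver === null ? it : receiver, limit); } catch (e) { error = e.constructor.name; }
    out[name] = { closed: state.closed, error };
  }
  return out;
}

// The engine's own Iterator.prototype.drop, or null when it has no iterator helpers.
function probeBuiltin() {
  if (typeof Iterator === "undefined" || typeof Iterator.prototype.drop !== "function") return null;
  return probe((recv, limit) => Iterator.prototype.drop.call(recv, limit));
}
```

For the built-in, `closed: true` in the three invalid-limit cases shows the engine performs the IteratorClose that the regressing changeset brought to SpiderMonkey; an engine that predates that change reports `closed: false` there while still throwing the same errors.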
Comment 1 (10 months ago):
Set release status flags based on info from the regressing bug 1935510

Comment 2 (Assignee, 10 months ago):
Yes, it's a regression from bug 1935510. Bug 1851976 added this assertion, so I guess using IsMovable::No in WarpBuilder::build_CloseIter is enough to fix this.
Comment 4 (10 months ago):
What are the security implications? Seems dangerous to be moving something that we think shouldn't be moved.
Comment 5 (10 months ago):
This does not look security sensitive.
In this context, "movable" means that we can hoist computation of this value earlier. In this case, there's probably no way to hoist this node, because it's unreachable. If we did somehow hoist it, then it would unbox a value, which is just bit-twiddling without a consumer. If we also somehow hoisted a consumer and tried to dereference the unboxed value, it would be UnboxAsObject(UndefinedValue()), which (depending on platform) is either a null pointer, or a pointer with only high bits set, both of which would crash safely.
In short: an attacker would have to overcome multiple obstacles just to turn this into a safe crash.
Comment 8 (9 months ago):
Set release status flags based on info from the regressing bug 1935510