Closed Bug 563125 Opened 14 years ago Closed 14 years ago

"Assertion failure: m != TT_INT32 || isInt32(*vp)" with array.length

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: jruderman, Assigned: dvander)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

refreshed
1.62 KB, patch
n.nethercote
: review+
Details | Diff | Splinter Review 
var array = new Array(4294967295);
for (var j = 0; j < 2; ++j) { '' + array.length; }

Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp:3859

Opt does not crash, but I'm filing this as security-sensitive anyway because tracer bugs scare me.
This assertion failure happens in both 64-bit and 32-bit builds, fwiw.
Attached patch patch (obsolete) — Splinter Review 
this feels pretty lame but i don't have any better ideas.

i dont think this is exploitable since the worst that can happen is the tracer interpreters a uint32 as an int32 (leads to correctness bugs) - but andreas should confirm.
This should have been asserting ever since tracing was enabled. I assert with -j as far back as Nov 2008 - http://hg.mozilla.org/tracemonkey/rev/04c360f123e5
blocking2.0: --- → ?
Keywords: regression
OS: Linux → All
Hardware: x86 → All
Version: unspecified → Trunk
Whiteboard: [sg:nse?]
blocking2.0: ? → final+
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Unless this is exploitable it's not going to block stable branch releases.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
status1.9.1: --- → wanted
status1.9.2: --- → wanted
WFM in f1a334334d13.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
You need to up the post-JM loop count.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Attached patch refreshedSplinter Review 
Assignee: general → dvander

        Attachment #442891 -
        Attachment is obsolete: true
Status: REOPENED → ASSIGNED

        Attachment #492018 -
        Flags: review?

    
    

    
  
Not exploitable.
Group: core-security
Whiteboard: [sg:nse?]

        Attachment #492018 -
        Flags: review? → review?(nnethercote)

    
    

    
  
Comment on attachment 492018 [details] [diff] [review]
refreshed

>-        v_ins = w.i2d(w.lduiObjPrivate(obj_ins));
>+        v_ins = w.lduiObjPrivate(obj_ins);
>+        if (obj->getArrayLength() <= JSVAL_INT_MAX) {
>+            guard(true, w.leui(v_ins, w.immi(JSVAL_INT_MAX)), BRANCH_EXIT);
>+            v_ins = w.i2d(v_ins);
>+        } else {
>+            v_ins = w.ui2d(v_ins);
>+        }

Wouldn't this suffice?

          v_ins = w.ui2d(w.lduiObjPrivate(obj_ins));

    
    

    
  
Then the value wouldn't be demoted since IsPromoteInt() would return false.

    
    

    
  
(In reply to comment #10)
> Then the value wouldn't be demoted since IsPromoteInt() would return false.

Which IsPromoteInt() call are you referring to?  Should it be IsPromote() or isPromoteUint() instead?

    
    

    
  
Yes and no... IsPromoteInt is called in the forward pipeline to demote float math to integer math (and float stores to integer stores). It can't be IsPromoteUint because there is no TT_* for an unsigned integer, so when leaving trace the very large value would be boxed incorrectly as a signed integer.

Code that checks IsPromoteInt() but not IsPromoteUint() should probably be looking at both, but that's a separate bug. Here I just want to keep performance the same, that is (x < array.length) should use integer math not float.

    
    

    
  
Comment on attachment 492018 [details] [diff] [review]
refreshed

(In reply to comment #12)
> 
> Here I just want to keep performance the same, that is (x < array.length)
> should use integer math not float.

There's an extra guard, but that's probably better than using float math.

        Attachment #492018 -
        Flags: review?(nnethercote) → review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/e020c8f1099d
Status: ASSIGNED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED

    
    

    
  
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug563125.js.
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: