Closed
Bug 925305
Opened 11 years ago
Closed 11 years ago
Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Modified registers between VM call and OsiPoint)), at jit/shared/CodeGenerator-shared.cpp:532
Categories: Core :: JavaScript Engine: JIT, defect
Status: VERIFIED FIXED
Target Milestone: mozilla27
Tracking
Branch | Tracking | Status
---|---|---
firefox26 | --- | unaffected
firefox27 | --- | fixed
firefox-esr24 | --- | unaffected
b2g18 | --- | unaffected
b2g-v1.1hd | --- | unaffected
b2g-v1.2 | --- | unaffected
People: Reporter: decoder, Assigned: shu
Keywords: assertion, sec-critical, testcase
Whiteboard: [jsbugmon:update]
Attachments (2 files, 1 obsolete file)
- 409 bytes, text/plain
- 2.04 KB, patch (sstangl: review+)
The following testcase asserts on mozilla-central revision aa986b6ce882 (run with --fuzzing-safe --ion-eager):

```js
// JS shell testing function: makes the OSI point register checks active
enableOsiPointRegisterChecks();

function testFloat32SetElemIC(a) {
  for (var i = 0; i < a.length; i++) {
    // Math.fround yields a float32 value; storing it through the SetElem IC
    // is what triggers the assertion
    var r = Math.fround(Math.random());
    a[i] = r;
  }
}

testFloat32SetElemIC(new Array(2048));
testFloat32SetElemIC(new Float64Array(2048));
```
Comment 1 (Reporter) • 11 years ago
Updated (Reporter) • 11 years ago
Whiteboard: [jsbugmon:update,bisect]
Updated • 11 years ago
Component: JavaScript Engine → JavaScript Engine: JIT
Comment 2 • 11 years ago
This looks like a float32 + setelem IC issue. Can you take a look? Thanks :)
Flags: needinfo?(shu)
Updated (Reporter) • 11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 (Reporter) • 11 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/ed91189f940e
user: Brian Hackett
date: Wed Sep 18 09:43:21 2013 -0600
summary: Bug 917441 - Remove dependence of IonBuilder on ScriptAnalysis, r=jandem.
This iteration took 418.712 seconds to run.
Comment 4 • 11 years ago
Add sec-critical security rating as this assertion implies that one register is mutated and the mutation can be observed with a try-catch.
(In reply to Jan de Mooij [:jandem] from comment #2)
> This looks like a float32 + setelem IC issue. Can you take a look? Thanks :)
I guess the easiest would be to add a NoFloatPolicy on the MSetElementCache value operand.
Keywords: sec-critical
Comment 5 (Assignee) • 11 years ago
Shouldn't have been doing conversion in place. So far this hasn't been a problem because all relevant uses of pushArg on float32s have been between saveLive/restoreLive pairs, which made the in-place conversion not observable. The OSI point checker is installed in callVM though, in between saveLive and restoreLive, and so was able to observe this.
Attachment #815669 - Flags: review?(jdemooij)
Updated (Assignee) • 11 years ago
Assignee: general → shu
Status: NEW → ASSIGNED
Comment 7 (Assignee) • 11 years ago
Fix the other place where we were converting in place.
Attachment #815694 - Flags: review?(jdemooij)
Updated (Assignee) • 11 years ago
Attachment #815669 - Attachment is obsolete: true
Attachment #815669 - Flags: review?(jdemooij)
Comment 8 • 11 years ago
Comment on attachment 815694 [details] [diff] [review]
Use ScratchFloatReg when converting float32->double for callVM. (r=?)
Review of attachment 815694 [details] [diff] [review]:
-----------------------------------------------------------------
Stealing review on shu's request.
Attachment #815694 - Flags: review?(jdemooij) → review+
Comment 9 (Assignee) • 11 years ago
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/f422b59826c1
Comment 10 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/f422b59826c1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Updated (Reporter) • 11 years ago
Status: RESOLVED → VERIFIED
Comment 11 (Reporter) • 11 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 12 • 11 years ago
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
status-b2g18: --- → unaffected
Updated • 11 years ago
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-firefox26: --- → unaffected
status-firefox27: --- → fixed
status-firefox-esr24: --- → unaffected
Updated • 9 years ago
Group: core-security