Closed
Bug 1497045
Opened 6 years ago
Closed 4 years ago
Assertion failure: getInstructionAt(nextOffset)->BranchType() == vixl::UncondBranchType, at js/src/jit/arm64/Assembler-arm64.cpp:296
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | wontfix |
| firefox65 | --- | wontfix |
| firefox66 | --- | fix-optional |
People
(Reporter: decoder, Unassigned)
References
(Blocks 2 open bugs)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision 5675805eb31d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize --enable-simulator=arm64, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):
var N = 70*1000;
var x = build("&&")();
function build(operation) {
var a = [];
a.push("return f()");
for (var i = 1; i != N - 1; ++i)
a.push(class extends Object { constructor(){} });
return new Function(a.join(operation));
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555da0bda in js::jit::Assembler::bind (this=0x7ffffffface8, label=0x7fffeedc11cc, targetOffset=...) at js/src/jit/arm64/Assembler-arm64.cpp:296
#0 0x0000555555da0bda in js::jit::Assembler::bind (this=0x7ffffffface8, label=0x7fffeedc11cc, targetOffset=...) at js/src/jit/arm64/Assembler-arm64.cpp:296
#1 0x0000555555a6cee2 in js::jit::Assembler::bind (this=this@entry=0x7ffffffface8, label=<optimized out>) at js/src/jit/arm64/Assembler-arm64.h:199
#2 0x00005555564cd9c5 in js::jit::BaselineCompiler::emitBody (this=this@entry=0x7fffffffacd0) at js/src/jit/BaselineCompiler.cpp:1167
#3 0x00005555564cfd98 in js::jit::BaselineCompiler::compile (this=this@entry=0x7fffffffacd0) at js/src/jit/BaselineCompiler.cpp:151
#4 0x0000555555aba125 in js::jit::BaselineCompile (cx=cx@entry=0x7ffff5f18000, script=0x7ffff5690280, forceDebugInstrumentation=<optimized out>) at js/src/jit/BaselineJIT.cpp:273
#5 0x0000555555abac1c in CanEnterBaselineJIT (cx=cx@entry=0x7ffff5f18000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:325
#6 0x0000555555abad58 in js::jit::CanEnterBaselineMethod (cx=cx@entry=0x7ffff5f18000, state=...) at js/src/jit/BaselineJIT.cpp:380
#7 0x0000555555c05cfa in js::jit::MaybeEnterJit (cx=cx@entry=0x7ffff5f18000, state=...) at js/src/jit/Jit.cpp:157
#8 0x000055555597c194 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:425
#9 0x000055555597c94f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:580
#10 0x000055555597cead in InternalCall (cx=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:607
#11 0x000055555597cffa in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:613
#12 0x0000555555acbe23 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7ffff597fea8, stub_=<optimized out>, argc=<optimized out>, vp=0x7ffff597fe60, res=...) at js/src/jit/BaselineIC.cpp:3810
#13 0x0000555555e4c922 in vixl::Simulator::VisitCallRedirection (this=0x7ffff5f3d800, instr=0x7ffff5f86288) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:644
#14 0x0000555555e531c5 in vixl::Simulator::VisitException (this=0x7ffff5f3d800, instr=<optimized out>) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:477
#15 0x0000555555ddf170 in vixl::Decoder::VisitException (this=<optimized out>, instr=0x7ffff5f86288) at js/src/jit/arm64/vixl/Decoder-vixl.cpp:872
#16 0x0000555555e3ef35 in vixl::Decoder::Decode (instr=<optimized out>, this=<optimized out>) at js/src/jit/arm64/vixl/Decoder-vixl.h:158
#17 vixl::Simulator::ExecuteInstruction (this=0x7ffff5f3d800) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:194
#18 0x0000555555e4140c in vixl::Simulator::Run (this=0x7ffff5f3d800) at js/src/jit/arm64/vixl/Simulator-vixl.cpp:70
#19 0x0000555555e3f440 in vixl::Simulator::RunFrom (first=0x7ffff5f1a040, this=0x7ffff5f3d800) at js/src/jit/arm64/vixl/Simulator-vixl.cpp:78
#20 vixl::Simulator::call (this=0x7ffff5f3d800, entry=entry@entry=0xbf621d01960 "\376w\277\251\375\003", argument_count=argument_count@entry=8) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:324
#21 0x0000555555c053f5 in EnterJit (cx=cx@entry=0x7ffff5f18000, state=..., code=0xbf621d32380 "\237#") at js/src/jit/Jit.cpp:105
[...]
#32 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10992
rax 0x0 0
rbx 0x7ffff3ad611c 140737281614108
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffa7e0 140737488332768
rsp 0x7fffffffa770 140737488332656
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x0 0
r11 0x0 0
r12 0x8fa6b8 9414328
r13 0x7f9eb8 8363704
r14 0x7ffffffface8 140737488334056
r15 0x7fffebad5b40 140737147394880
rip 0x555555da0bda <js::jit::Assembler::bind(js::jit::Label*, js::jit::BufferOffset)+378>
=> 0x555555da0bda <js::jit::Assembler::bind(js::jit::Label*, js::jit::BufferOffset)+378>: movl $0x0,0x0
0x555555da0be5 <js::jit::Assembler::bind(js::jit::Label*, js::jit::BufferOffset)+389>: ud2
Marking s-s because this is a low-level JIT assertion.
|
||
Updated•6 years ago
|
Flags: needinfo?(sstangl)
|
|
||
Updated•6 years ago
|
Priority: -- → P1
|
|
||
Comment 1•6 years ago
|
||
Sean and I are the right persons to investigate this issue. Does not sounds as a P1 for the current version but it would become soon.
status-firefox65:
--- → wontfix
status-firefox66:
--- → fix-optional
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Updated•6 years ago
|
Blocks: arm64-js-fuzz-bugs
|
|
||
Updated•6 years ago
|
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Updated•6 years ago
|
Flags: needinfo?(sstangl)
|
|
||
Comment 2•6 years ago
|
||
I was able to reproduce this issue, but testing on newer branches generates an out-of-memory instead of the SEGV reported previously. This behaviour change is caused by Bug 1535482, which limit the space to the branch addressable space.
After trying to poke at this issue, I could not find an exploitable case. However this cause the whole engine to crash with an OOM while the interpreter can still run fine when baseline is not eagerly compiling.
I will downgrade this issue to P3, as this is unlikely but this is still an easy way to do a DoS of a page.
|
||
Comment 3•5 years ago
|
||
Christian, does this assertion still happen? I'm asking because of comment 2. If that's correct, this isn't sec-anything, and we should reclassify.
Flags: needinfo?(choller)
|
Reporter | |
Comment 4•5 years ago
|
||
I can confirm that this doesn't reproduce anymore as mentioned in comment 2.
Flags: needinfo?(choller)
|
|
||
Comment 5•5 years ago
|
||
nbp, should we backport the patch in bug 1535482?
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 6•5 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #5)
nbp, should we backport the patch in bug 1535482?
No, This is an ARM64 issue and ARM64 is now stuck on Firefox 68, where bug 1535482 is already landed.
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 7•5 years ago
|
||
OK, we're well clear, then. Opening the bug and removing sec-high as this is now sec-nothing on all branches.
Group: javascript-core-security
Keywords: sec-high
|
||
Comment 8•4 years ago
|
||
Hey Christian, should we still keep this bug open if it is not reproducible anymore (Comment 4)?
Flags: needinfo?(choller)
|
|
Reporter | |
Comment 9•4 years ago
|
||
Closing as WFM per comment 4.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•