Closed Bug 1951212 Opened 7 months ago Closed 7 months ago

Assertion failure: operand.reg().size() == rd.size(), at jit/arm64/vixl/Assembler-vixl.cpp:4449

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

All
Linux
defect

Tracking


RESOLVED FIXED
138 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox136 --- wontfix
firefox137 --- fixed
firefox138 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(3 files)

Attached file debug stack
for (var i = 0 ; i < 99 ; i++) {
  (function() { return Math.fround(Math.sqrt(0)) == false; })();
}
267     #    define MOZ_CrashSequence(x, y) __builtin_trap()
(gdb) bt
#0  0x00005555580ba083 in MOZ_CrashSequence (aAddress=0x0, aLine=4449) at /home/i32g7900a/shell-cache/js-dbg-64-armsim64-linux-x86_64-c8dfbf5b0342/objdir-js/dist/include/mozilla/Assertions.h:267
#1  vixl::Assembler::AddSub (this=0x7ffff696e018, rd=..., rn=..., operand=..., S=vixl::SetFlags, op=vixl::SUB) at /home/i32g7900a/trees/mozilla-central/js/src/jit/arm64/vixl/Assembler-vixl.cpp:4449
#2  0x00005555581369c1 in vixl::MacroAssembler::AddSubMacro (this=0x7ffff696e018, rd=..., rn=..., operand=..., S=vixl::SetFlags, op=vixl::SUB) at /home/i32g7900a/trees/mozilla-central/js/src/jit/arm64/vixl/MacroAssembler-vixl.cpp:1094
#3  0x000055555834a8c5 in js::jit::MacroAssemblerCompat::convertFloat32ToInt32 (this=0x7ffff696e018, src=src@entry=..., dest=..., fail=fail@entry=0x7fffffffbea4, negativeZeroCheck=<optimized out>) at /home/i32g7900a/trees/mozilla-central/js/src/jit/arm64/MacroAssembler-arm64.h:623
#4  0x000055555828d946 in js::jit::CodeGenerator::visitFloat32ToInt32 (this=this@entry=0x7ffff696e000, lir=lir@entry=0x7ffff6963778) at /home/i32g7900a/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:1164
#5  0x00005555582bb148 in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff696e000) at /home/i32g7900a/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:8005
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c9b5c247e242
user:        Nicolas B. Pierron
date:        Tue Feb 04 13:43:54 2025 +0000
summary:     Bug 1940716 - convertDoubleToInt32: Clobber destination register when zero. r=jandem

Run with --fuzzing-safe --no-threads --ion-eager --ion-edgecase-analysis=off, compile with AR=ar sh ../configure --enable-simulator=arm64 --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev c8dfbf5b0342.

Nicolas, is bug 1940716 a likely regressor? (That bug is s-s, btw, so I cannot set the Regressed by field)

Flags: sec-bounty?
Flags: needinfo?(nicolas.b.pierron)
Group: core-security → javascript-core-security
Assignee: nobody → nicolas.b.pierron
Severity: -- → S3
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P1

Reading the code, this is indeed a bug, but it should have no consequence on the generated code.

The problem comes from having one register being 32 bits, while the rest is a 64-bit operand. This happens in two instructions, Cmp and Mov, within convertFloat32ToInt32, and in both cases the zero register xzr is used where wzr is supposed to be used. The assembler asserts that the operand size is identical to the register size, but the size of the operand has no impact on the code generation, and therefore has no impact on code generation in optimized builds, which generate code as if wzr was used.

Severity: S3 → S4
Regressed by: 1940716
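The following is an added illustration of the explanation in comment 1, written for this page as a constructed model rather than vixl's own classes: a cut-down register type, the size check that fires at Assembler-vixl.cpp:4449, and the AArch64 add/sub (shifted register) encoding that Cmp (SUBS with the zero register as destination) uses. The names `Reg`, `operandSizeMatches`, `encodeSubs`, `encodeCmp` and `cmpPassesDebugCheck` are assumptions, not project identifiers; the point shown is that pairing a 32-bit destination with xzr trips the debug check while the emitted instruction word is identical to the wzr case.

```cpp
#include <cassert>
#include <cstdint>

// Constructed model of a vixl-style register (not the real vixl classes):
// a 5-bit register code plus a width. Code 31 is the zero register.
struct Reg {
  unsigned code;  // 0..31
  unsigned bits;  // 32 or 64
};
const Reg w0  = {0, 32};
const Reg x0  = {0, 64};
const Reg wzr = {31, 32};
const Reg xzr = {31, 64};

// The check that fires in Assembler-vixl.cpp:4449: a register operand must
// have the same width as the destination register.
bool operandSizeMatches(Reg rd, Reg operand) {
  return operand.bits == rd.bits;
}

// AArch64 "add/sub (shifted register)" encoding, SUBS form (op=1, S=1).
// Only rd's width selects the sf bit; the operand register contributes its
// 5-bit code alone, so wzr and xzr produce the same instruction word.
uint32_t encodeSubs(Reg rd, Reg rn, Reg operand) {
  uint32_t sf = (rd.bits == 64) ? 1u : 0u;
  return (sf << 31) | (1u << 30) | (1u << 29) | (0x0Bu << 24) |
         ((operand.code & 0x1Fu) << 16) | ((rn.code & 0x1Fu) << 5) |
         (rd.code & 0x1Fu);
}

// Cmp(rn, operand) is SUBS with the zero register of rn's width as rd.
uint32_t encodeCmp(Reg rn, Reg operand) {
  Reg rd = (rn.bits == 64) ? xzr : wzr;
  return encodeSubs(rd, rn, operand);
}

// Debug-build path: the assertion runs before anything is emitted, so a
// release build (assert compiled out) emits the same word either way.
bool cmpPassesDebugCheck(Reg rn, Reg operand) {
  Reg rd = (rn.bits == 64) ? xzr : wzr;
  return operandSizeMatches(rd, operand);
}
```

`encodeCmp(w0, wzr)` and `encodeCmp(w0, xzr)` both yield 0x6B1F001F (`cmp w0, wzr`); only `cmpPassesDebugCheck` tells the two apart.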

Given that this should have no impact on code generation, as mentioned in comment 1, this is safe to open.

Group: javascript-core-security
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/994bf35ddde5 Fix register size in convertFloat32ToInt32. r=mgaudet
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
Attachment #9471021 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: none (only debug builds are crashing)
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: none
  • Explanation of risk level: Debug-build assertion prevents the execution.
  • String changes made/needed: N/A
  • Is Android affected?: yes
Attachment #9471021 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: sec-bounty? → sec-bounty-