Closed Bug 1151333 Opened 9 years ago Closed 9 years ago

Crash [@ ??] with SIMD swizzle

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox37 --- unaffected
firefox38 --- unaffected
firefox39 --- unaffected
firefox40 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

General shuffle should reserve space for numVectors + 1 vectors
3.74 KB, patch
sunfish
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 421548077f12 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --ion-offthread-compile=off --ion-eager):

function assertEqX4(vec, arr, ...opts) {}
var i4 = SIMD.int32x4(1, 2, 3, 4);
for (var i = 0; i < 150; i++) {
        assertEqX4(SIMD.int32x4.swizzle(i4, i, 3, 2, 0), [1, 4, 3, 1]);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000200000001 in ?? ()
#0  0x0000000200000001 in ?? ()
#1  0x0000000400000003 in ?? ()
#2  0x00007ffff4d5e12a in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0x7fff00000000	140733193388032
rbx	0xfffc7ffff4d7ac40	-985162605679552
rcx	0xfffa00000000000d	-1688849860263923
rdx	0x0	0
rsi	0x40000000	1073741824
rdi	0x7fffffffc5c0	140737488340416
rbp	0x7fffffffd0d0	140737488343248
rsp	0x7fffffffd188	140737488343432
r8	0x7ffff698d108	140737330598152
r9	0x0	0
r10	0x2	2
r11	0x7ffff6958498	140737330381976
r12	0x8	8
r13	0x7fffffffd5a0	140737488344480
r14	0x7ffff4d7ac40	140737301163072
r15	0x7ffff7fe8640	140737354040896
rip	0x200000001	8589934593
=> 0x200000001:	


Marking sec-critical due to invalid jump.
Keywords: csectype-wildptr
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150320081439" and the hash "5dcff2ab60e6".
The "bad" changeset has the timestamp "20150320082235" and the hash "6abbe0f83479".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5dcff2ab60e6&tochange=6abbe0f83479
Needinfo from Benjamin based on comment 1.
Flags: needinfo?(benj)
Duh, that's really weird we didn't catch it before, because it also affects correctness. Sorry for this silly issue, it probably appeared during the generalization of SimdGeneralShuffle...

So we were overwriting stack values, before this patch, which would lead to very undefined behavior. The only way I can think of, to avoid this in the future is, if that's doable, to have a RAII class that would mprotect the stack above the masm.framePushed() value at construct, and un-mprotect it at exit. Probably overkill for just this operation, but could be useful for other nodes...
Assignee: nobody → benj
Status: NEW → ASSIGNED
Flags: needinfo?(benj)
Attachment #8589117 - Flags: review?(sunfish)
This is related to the SIMD global object, which is enabled only on nightlies, so other versions aren't affected.
status-firefox37: --- → unaffected
status-firefox38: --- → unaffected
status-firefox39: --- → unaffected
Comment on attachment 8589117 [details] [diff] [review]
General shuffle should reserve space for numVectors + 1 vectors

Review of attachment 8589117 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/SIMD/swizzle.js
@@ +60,5 @@
>      }
>  }
>  
> +function testInt32x4SwizzleBailout() {
> +    // Fuzz bug 1151333. Wrap function call in try/catch.

Instead of referencing a non-public bug here, I think we can just describe what this test is testing. "Test out-of-bounds non-constant indices. These are expected to throw."

::: js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp
@@ +2395,5 @@
>  
>      // This won't generate fast code, but it's fine because we expect users
>      // to have used constant indices (and thus MSimdGeneralShuffle to be fold
>      // into MSimdSwizzle/MSimdShuffle, which are fast).
> +    masm.reserveStack(Simd128DataSize * (numVectors + 1));

"Simd128DataSize * (numVectors + 1)" is an interesting enough expression that, with 4 uses (1 here and 3 below), should get its own variable so that we can give it a name and a comment like "we need space to store the input vectors, plus 1 to compute the result in".
Attachment #8589117 - Flags: review?(sunfish) → review+
Thank you for the review. I've used a temporary variable for Simd128DataSize*(numVectors+1) and added a comment about it.

https://hg.mozilla.org/integration/mozilla-inbound/rev/4cd0cd1e992a
https://hg.mozilla.org/mozilla-central/rev/4cd0cd1e992a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → fixed
status-firefox40: affectedfixed
status-firefox-esr31: --- → unaffected
status-firefox-esr38: --- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Status: RESOLVED → VERIFIED
status-firefox40: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: