Closed Bug 1536592 Opened 6 years ago Closed 6 years ago

Crash [@ js::jit::Simulator::writeW]

Categories

(Core :: JavaScript: WebAssembly, defect)

ARM
All
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1535194
Tracking Status
firefox68 --- affected

People

(Reporter: gkw, Assigned: lth)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files, 1 obsolete file)

Attached file stack

The following testcase crashes on mozilla-central revision 1d783ed68779 (build with 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig AR=ar 'CC="clang -m32 -msse2 -mfpmath=sse"' sh /home/ubuntu/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-simulator=arm --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=baseline --arm-asm-nop-fill=1 w945-out.wrapper w945-out.wasm):

See attachment.

Backtrace:

#0 js::jit::Simulator::writeW (this=0xf6c3d000, addr=3132, value=-21612, instr=0x42ec0c1c, f=js::jit::Simulator::AllowUnaligned)
at /home/ubuntu/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:1546
#1 0x57f71950 in js::jit::Simulator::decodeType2 (this=0xf6c3d000, instr=0x42ec0c1c)
at /home/ubuntu/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:3412
#2 0x57f6c7a8 in js::jit::Simulator::instructionDecode (this=0xf6c3d000, instr=0x42ec0c1c)
at /home/ubuntu/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4679
#3 0x57f75afc in js::jit::Simulator::execute<false> (this=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4750
#4 js::jit::Simulator::callInternal (this=0xf6c3d000,
entry=0x46132fd8 "\377\377\377\352\004\340-\345\377\377\377\352\360\037-\351\377\377\377\352\020\212-\355\377\377\377", <incomplete sequence \352>)
at /home/ubuntu/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4828
/snip

For detailed crash information, see attachment.

I'm unsure if this is wasm-specific or related to the ARM simulator. Locking s-s out of precaution again.

Attached file Testcase (obsolete) —

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c474d2c881f5
user: Lars T Hansen
date: Thu Jan 31 08:50:38 2019 +0100
summary: Bug 1524178 - Enable lock-free 8-byte atomics for ARM+ARM64 simulators. r=jseward

Lars, is bug 1524178 a likely regressor?

Blocks: 1524178
Flags: needinfo?(lhansen)

The patch in bug 1535482 does not fix this issue.

===

The patch in bug 1535194 causes another assertion failure to show up:

Assertion failure: !off.isInvalid() (Failed to insert necessary far jump islands), at jit/arm/MacroAssembler-arm.cpp:4247
Segmentation fault (core dumped)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)

> The patch in bug 1535482 does not fix this issue.

That's as expected.

> The patch in bug 1535194 causes another assertion failure to show up:
>
> Assertion failure: !off.isInvalid() (Failed to insert necessary far jump islands), at jit/arm/MacroAssembler-arm.cpp:4247
> Segmentation fault (core dumped)

Nice! That's more or less what we'd expect it to do, and it points to the necessity of investigating more careful insertion of far jump islands, I filed a bug for this already.

Flags: needinfo?(lhansen)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED

This doesn't repro with all the other patches in my queue - we now OOM due to an assembler buffer overflow - so now I just need to find out which of those bugs to dup this as :)

We're going to dup it to bug 1535194 because that bug turns the problem into the problem of dealing with the far jump islands, which is not s-s; that problem is being addressed in various ways in bug 1535482 and bug 1536039.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Attached file 945.tar.xz

Compile with --enable-debug --enable-more-deterministic --enable-simulator=arm and other 32-bit configuration parameters, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=baseline --arm-asm-nop-fill=1 w945-out.wrapper w945-out.wasm on m-c rev 1d783ed68779:

$ ./js-dbg-32-dm-armsim32-linux-x86_64-1d783ed68779 --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=baseline --arm-asm-nop-fill=1 w945-out.wrapper w945-out.wasm
Segmentation fault

(Reduced using wasm-reduce on the .wasm file and lithium on the .wrapper file)

Attachment #9052110 - Attachment is obsolete: true
Group: javascript-core-security