1562392 - [Cranelift] thread '<unnamed>' panicked at 'unsupported return value type', third_party/rust/cranelift-wasm/src/translation_utils.rs:140:14

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 207bcf72dac7 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --wasm-compiler=cranelift):

new WebAssembly.Module(
  wasmTextToBinary("(module (func \$test (block anyref (unreachable)) unreachable))")
);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  mozalloc_abort (msg=msg@entry=0x555556c02980 "Redirecting call to abort() to mozalloc_abort\n") at memory/mozalloc/mozalloc_abort.cpp:33
#1  0x00005555558a2fe0 in abort () at memory/mozalloc/mozalloc_abort.cpp:79
#2  0x0000555556b01f67 in panic_abort::__rust_start_panic::abort::hb92452da2fb4d52a () at src/libpanic_abort/lib.rs:49
#3  0x0000555556b01f56 in __rust_start_panic () at src/libpanic_abort/lib.rs:45
#4  0x0000555556af17a9 in rust_panic () at src/libstd/panicking.rs:523
#5  0x0000555556af16cc in rust_panic_with_hook () at src/libstd/panicking.rs:494
#6  0x00005555569b39dc in std::panicking::begin_panic::h9faa7e103fb56e56 (msg=..., file_line_col=0x7ffff6c1c2dd <write+45>) at /rustc/3c235d5600393dfe6c36eeed34042efad8d4f26e/src/libstd/panicking.rs:408
#7  0x00005555569ac42e in cranelift_wasm::translation_utils::num_return_values::h951e9747bfccaa90 (ty=<optimized out>) at third_party/rust/cranelift-wasm/src/translation_utils.rs:140
#8  0x0000555556b9c150 in cranelift_wasm::code_translator::translate_operator::h5a38cf6634c3b0fd (op=..., builder=0x7fffffffa260, state=0x7ffff6922960, environ=<optimized out>) at third_party/rust/cranelift-wasm/src/code_translator.rs:136
#9  0x0000555556b36eec in cranelift_wasm::func_translator::parse_function_body::h620bc9a954aa7cf3 (reader=..., builder=0x7fffffffa260, state=0x7ffff6922960, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/func_translator.rs:209
#10 0x0000555556b36b17 in cranelift_wasm::func_translator::FuncTranslator::translate_from_reader::h65c92e8f0260d092 (self=<optimized out>, reader=..., func=<optimized out>, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/func_translator.rs:106
#11 0x0000555556b36dd5 in cranelift_wasm::func_translator::FuncTranslator::translate::h0dede614b0f03660 (self=0x7ffff6eeb770 <_IO_stdfile_2_lock>, code=..., code_offset=<optimized out>, func=0x7ffff6c1c2dd <write+45>, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/func_translator.rs:62
#12 0x00005555568f4546 in baldrdash::compile::BatchCompiler::translate_wasm::hd833101254e1667f (self=<optimized out>, func=0x7fffffffa670) at js/src/wasm/cranelift/src/compile.rs:129
#13 0x00005555568f0a48 in cranelift_compile_function (compiler=<optimized out>, data=<optimized out>, data@entry=0x7fffffffa670, result=result@entry=0x7fffffffa760) at js/src/wasm/cranelift/src/lib.rs:93
#14 0x000055555649f84c in js::wasm::CraneliftCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff4ceb780, error=error@entry=0x7fffffffc598) at js/src/wasm/WasmCraneliftCompile.cpp:413
#15 0x0000555556534475 in ExecuteCompileTask (task=0x7ffff4ceb3d8, error=0x7fffffffc598) at js/src/wasm/WasmGenerator.cpp:728
#16 0x0000555556534c1c in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7fffffffb770) at js/src/wasm/WasmGenerator.cpp:775
#17 js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7fffffffb770) at js/src/wasm/WasmGenerator.cpp:904
#18 0x0000555556475434 in DecodeCodeSection<js::wasm::Decoder> (env=..., d=..., mg=...) at js/src/wasm/WasmCompile.cpp:557
#19 0x0000555556476032 in DecodeCodeSection<js::wasm::Decoder> (mg=..., d=..., env=...) at js/src/wasm/WasmCompile.cpp:534
#20 js::wasm::CompileBuffer (args=..., bytecode=..., error=error@entry=0x7fffffffc598, warnings=warnings@entry=0x7fffffffc600, listener=listener@entry=0x0) at js/src/wasm/WasmCompile.cpp:580
#21 0x000055555656e016 in js::WasmModuleObject::construct (cx=<optimized out>, cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1136
#22 0x000055555590b06f in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x55555656ddf0 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
[...]
#35 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11367
rax	0x555557dd2160	93825034690912
rbx	0x7ffff6eea700	140737336223488
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x555556ba435b	93825015628635
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffff9d20	140737488330016
rsp	0x7fffffff9d10	140737488330000
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x555557d97c80	93825034452096
r13	0x7fffffff9ea0	140737488330400
r14	0xe	14
r15	0x1	1
rip	0x5555558a301b <mozalloc_abort(char const*)+59>
=> 0x5555558a301b <mozalloc_abort(char const*)+59>:	movl   $0x0,0x0
   0x5555558a3026 <mozalloc_abort(char const*)+70>:	ud2

Comment 1

[Benjamin Bouvier [:bbouvier] (inactive)]

Yay for Cranelift fuzzing! Handled in https://github.com/CraneStation/cranelift/pull/812.

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

ni? me to close this bug once we've bumped Cranelift in Spidermonkey.

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Fixed in bug 1563263 that just landed.