Closed Bug 1641973 Opened 4 years ago Closed 4 years ago

Crash [@ EmitShuffleSimd128((anonymous namespace)::FunctionCompiler&)] or Crash [@ js::jit::MWasmShuffleSimd128::New]

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox76 --- unaffected
firefox77 --- unaffected
firefox78 --- disabled
firefox79 --- verified

People

(Reporter: decoder, Assigned: lth)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect])

Crash Data

Attachments

(3 files)

Testcase
10.25 KB, application/octet-stream
Details
Minimal selfcontained test case
160 bytes, application/x-javascript
Details
Bug 1641973 - Make sure to check inDeadCode. r=bbouvier
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200529-2ea544687871 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555569192ee in EmitShuffleSimd128((anonymous namespace)::FunctionCompiler&) ()
#1  0x00005555568fbfba in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) ()
#2  0x00005555568f8cd9 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#3  0x00005555568e3f0d in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#4  0x00005555568e4d07 in js::wasm::ModuleGenerator::finishFuncDefs() ()
#5  0x000055555686eafe in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#6  0x000055555686e699 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#7  0x000055555694bd24 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#8  0x00005555559385e2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#20 0x00005555557aedd2 in main ()
rax	0x0	0
rbx	0x7ffff4abf917	140737298299159
rcx	0x7fffffff8bd8	140737488325592
rdx	0x7fffffff8ba0	140737488325536
rsi	0x3fffff80	1073741696
rdi	0x7fffffff8bb8	140737488325560
rbp	0x7fffffff8880	140737488324736
rsp	0x7fffffff87e0	140737488324576
r8	0x7fffffff8d28	140737488325928
r9	0x3	3
r10	0x7fffffff8ba8	140737488325544
r11	0x10	16
r12	0x0	0
r13	0x0	0
r14	0x400000000000000	288230376151711744
r15	0x0	0
rip	0x5555569192ee <EmitShuffleSimd128((anonymous namespace)::FunctionCompiler&)+2158>
=> 0x5555569192ee <_ZL18EmitShuffleSimd128RN12_GLOBAL__N_116FunctionCompilerE+2158>:	cmpb   $0xa,0x30(%r13)
   0x5555569192f3 <_ZL18EmitShuffleSimd128RN12_GLOBAL__N_116FunctionCompilerE+2163>:	je     0x555556918d50 <_ZL18EmitShuffleSimd128RN12_GLOBAL__N_116FunctionCompilerE+720>
Attached file Testcase 

    
    

    
  
Wasm SIMD is nightly only at this point, so setting as S4.


Severity: critical → S4
Flags: needinfo?(lhansen)
Priority: -- → P1

    
  
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Flags: needinfo?(lhansen)

    
    

    
  
Looks like NPE resulting from malformed input that is incorrectly not rejected.



    
    

    
  
Actually, failure to check inDeadCode().



    
    

    
  


  

        Attachment #9153345 -
        Attachment description: Bug 1641973 - Make sure to check inDeadCode. r?bbouvier → Bug 1641973 - Make sure to check inDeadCode. r=bbouvier

    
    

    
  
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cfe5dc930b4c
Make sure to check inDeadCode. r=bbouvier

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/cfe5dc930b4c


Status: ASSIGNED → RESOLVED
Closed: 4 years ago

          status-firefox79:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED

          status-firefox79:
          fixedverified
Keywords: bugmon

    
    

    
  
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200604153220-0d21bdf3fc01.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

    
  
Has Regression Range: --- → yes

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: