Closed Bug 1644507 Opened 5 years ago Closed 5 years ago

Assertion failure: from.toStackSlot()->slot() % SimdMemoryAlignment == 0, at jit/LIR.cpp:650

Categories

(Core :: JavaScript: WebAssembly, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- disabled
firefox77 --- disabled
firefox78 --- disabled
firefox79 --- verified

People

(Reporter: decoder, Assigned: lth)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200608-63dc5e9b1b02 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000055555673bc9a in js::jit::LMoveGroup::add(js::jit::LAllocation, js::jit::LAllocation, js::jit::LDefinition::Type) ()
#0  0x000055555673bc9a in js::jit::LMoveGroup::add(js::jit::LAllocation, js::jit::LAllocation, js::jit::LDefinition::Type) ()
#1  0x0000555556a954c3 in js::jit::BacktrackingAllocator::resolveControlFlow() ()
#2  0x0000555556a9378d in js::jit::BacktrackingAllocator::go() ()
#3  0x000055555666211d in js::jit::GenerateLIR(js::jit::MIRGenerator*) ()
#4  0x0000555556914c2d in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#5  0x00005555568ffdcd in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#6  0x0000555556900bc7 in js::wasm::ModuleGenerator::finishFuncDefs() ()
#7  0x000055555688a9be in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#8  0x000055555688a559 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#9  0x0000555556968e94 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#10 0x0000555555939252 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#22 0x00005555557afdcd in main ()
rip	0x55555673bc9a <js::jit::LMoveGroup::add(js::jit::LAllocation, js::jit::LAllocation, js::jit::LDefinition::Type)+890>
=> 0x55555673bc9a <_ZN2js3jit10LMoveGroup3addENS0_11LAllocationES2_NS0_11LDefinition4TypeE+890>:	movl   $0x28a,0x0
   0x55555673bca5 <_ZN2js3jit10LMoveGroup3addENS0_11LAllocationES2_NS0_11LDefinition4TypeE+901>:	callq  0x55555583f74e <abort>
Attached file Testcase

Probably better to use an unaligned load in the meanwhile.

Flags: needinfo?(lhansen)

Huh, I must have missed that one. I expect this is probably not s-s actually but will check further tomorrow.

When the SIMD code landed, all aligned loads/stores (except constant loads) were changed to be unaligned, so as to not have to worry about aligning SIMD parameters and locals. But I forgot to remove this assert.

Assignee: nobody → lhansen
Status: NEW → ASSIGNED

Outdated assertion, the code should be fine otherwise. Not s-s: DEBUG-only issue.

Flags: needinfo?(lhansen)
Group: javascript-core-security
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a7cf4676f6d1 Remove an inappropriate MOZ_ASSERT. r=bbouvier
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200611093454-10ad7868f3ca. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
