Bug 1649432: Hit MOZ_CRASH(attempt to subtract with overflow) at third_party/rust/cranelift-codegen/src/isa/aarch64/inst/emit.rs:522
Opened 5 years ago; closed 5 years ago

Category: Core :: JavaScript: WebAssembly (defect)
Status: RESOLVED FIXED
Target milestone: mozilla80

Tracking | Status
---|---
firefox80 | fixed

Reporter: decoder
Assignee: cfallin
Whiteboard: [fuzzblocker] (4 keywords set)
Attachments: 1 file (9.79 KB, application/octet-stream)

Description
The following testcase crashes on mozilla-central revision 921a30cac33b (debug build, run with --no-threads --fuzzing-safe --shared-memory=off --no-wasm-reftypes --no-wasm-simd --wasm-compiler=cranelift --disable-oom-functions test.js):
See attachment.
Backtrace:
==15901==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0xaaaad9198518 bp 0xffffc39300e0 sp 0xffffc39300e0 T15901)
==15901==The signal is caused by a WRITE memory access.
==15901==Hint: address points to the zero page.
#0 0xaaaad9198518 in MOZ_Crash(char const*, int, char const*) js/src/debugarm64/dist/include/mozilla/Assertions.h:332:3
#1 0xaaaad9198518 in RustMozCrash mozglue/static/rust/wrappers.cpp:17:3
#2 0xaaaad91984b0 in mozglue_static::panic_hook::hab9de6a045acd6f9 mozglue/static/rust/lib.rs:89:9
#3 0xaaaad9197bb8 in core::ops::function::Fn::call::h42fc17debf41a12f /rustc/c7087fe00d2ba919df1d813c040a5d47e43b0fe7/src/libcore/ops/function.rs:72:5
#4 0xaaaad97dc250 in std::panicking::rust_panic_with_hook::h305b4a351876bf14 /rustc/c7087fe00d2ba919df1d813c040a5d47e43b0fe7/src/libstd/panicking.rs:515:17
#5 0xaaaad97dbe88 in rust_begin_unwind /rustc/c7087fe00d2ba919df1d813c040a5d47e43b0fe7/src/libstd/panicking.rs:419:5
#6 0xaaaad97feffc in core::panicking::panic_fmt::hcb1b84e6cf233e06 /rustc/c7087fe00d2ba919df1d813c040a5d47e43b0fe7/src/libcore/panicking.rs:111:14
#7 0xaaaad97fef80 in core::panicking::panic::h24ea81b636d125ee /rustc/c7087fe00d2ba919df1d813c040a5d47e43b0fe7/src/libcore/panicking.rs:54:5
#8 0xaaaad959dcb0 in cranelift_codegen::isa::aarch64::inst::emit::_$LT$impl$u20$cranelift_codegen..machinst..MachInstEmit$u20$for$u20$cranelift_codegen..isa..aarch64..inst..Inst$GT$::emit::h0a41628b7a71f843 third_party/rust/cranelift-codegen/src/isa/aarch64/inst/emit.rs
#9 0xaaaad94de6f4 in cranelift_codegen::machinst::vcode::VCode$LT$I$GT$::emit::he1b745bcf98ea9ce third_party/rust/cranelift-codegen/src/machinst/vcode.rs:387:17
#10 0xaaaad946d090 in _$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..machinst..MachBackend$GT$::compile_function::h62ba7d7e624ee6ec third_party/rust/cranelift-codegen/src/isa/aarch64/mod.rs:63:22
#11 0xaaaad95ef930 in cranelift_codegen::context::Context::compile::hab119e476ef097db third_party/rust/cranelift-codegen/src/context.rs:186:26
#12 0xaaaad91f7e34 in baldrdash::compile::BatchCompiler::compile::h107e5fc5b71b6daf js/src/wasm/cranelift/src/compile.rs:146:20
#13 0xaaaad91f5b48 in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:220:21
#14 0xaaaad8c40bd0 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:490:10
#15 0xaaaad8d0124c in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:743:16
#16 0xaaaad8d02a20 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:790:8
#17 0xaaaad8d02a20 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:928:24
#18 0xaaaad8c3e58c in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:561:13
#19 0xaaaad8c3deac in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) js/src/wasm/WasmCompile.cpp:584:8
#20 0xaaaad8d9c2f0 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1477:7
#21 0xaaaad7e1dcd4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:484:13
[...]
#37 0xaaaad7ce26f0 in _start (/srv/builds/dist/bin/js+0x9b86f0)
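The SEGV that UBSan reports in frames #0 through #2 is MOZ_Crash's deliberate write to the zero page, reached through the Rust panic hook; the actual fault is the debug-build integer overflow check firing on a subtraction in the AArch64 instruction emitter (frame #8). The report does not say which two quantities are subtracted, so the following is an added illustration and not Cranelift's code: a hypothetical branch-fixup resolution in which the unchecked `u32` pattern `target - site` trips that check for a backward branch, beside a signed, range-checked form. The function names, the 26-bit immediate encoder and the 0x40/0x10 offsets are all invented for the example.

```rust
/// Added illustration, not Cranelift's code: how an unchecked u32 offset
/// subtraction in an instruction emitter trips Rust's overflow check, and
/// what a checked alternative looks like. All names and values are hypothetical.

/// Checked form: compute the displacement in i64 so a backward branch
/// (target below the fixup site) is simply negative, never an overflow.
pub fn displacement(site: u32, target: u32) -> i64 {
    i64::from(target) - i64::from(site)
}

/// Unchecked form, as written when both operands are u32. In a debug build
/// (overflow-checks on) `target - site` panics with
/// "attempt to subtract with overflow" whenever target < site; in a release
/// build it wraps. wrapping_sub models the release result deterministically,
/// so this function behaves the same under either build profile.
pub fn displacement_wrapping(site: u32, target: u32) -> u32 {
    target.wrapping_sub(site)
}

/// Encode a byte displacement into an AArch64-style 26-bit word immediate
/// (the B/BL field): 4-byte aligned, range -128 MiB .. +128 MiB. Returns
/// None instead of silently truncating an out-of-range value.
pub fn encode_imm26(disp_bytes: i64) -> Option<u32> {
    if disp_bytes % 4 != 0 {
        return None;
    }
    let words = disp_bytes / 4;
    let limit = 1i64 << 25;
    if words < -limit || words >= limit {
        return None;
    }
    Some((words as u32) & 0x03ff_ffff)
}

fn main() {
    // Constructed fixup: a branch at byte 0x40 targeting a label bound at 0x10.
    let (site, target) = (0x40u32, 0x10u32);

    let d = displacement(site, target);
    println!("checked: {} bytes -> imm26 {:?}", d, encode_imm26(d));

    // The wrapped u32 happens to hold the right two's-complement bit pattern,
    // but as soon as it is widened (as any i64-based range check would do)
    // the sign is gone and the value reads as a huge forward displacement.
    let w = displacement_wrapping(site, target);
    println!("wrapped: {:#x} -> imm26 {:?}", w, encode_imm26(i64::from(w)));
}
```

Whether the wrapped value is harmless depends on every later consumer treating it as two's complement; the debug check fires precisely because that assumption is invisible at the subtraction site. For a component that is fuzzed in debug builds but shipped in release builds, setting `overflow-checks = true` in the release profile, or using signed arithmetic and `checked_sub` explicitly, makes the two builds fail in the same way rather than only one of them.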
Comment 1 (Reporter, 5 years ago)
Comment 2 (Assignee, 5 years ago)
Thanks! A fix in upstream Cranelift is pending in this PR: https://github.com/bytecodealliance/wasmtime/pull/1954.
Updated 5 years ago (Assignee)
Assignee: nobody → cfallin
Comment 3 (Reporter, 5 years ago)
Thanks. This is a frequent issue and I have stopped further fuzzing until we have the fix in mozilla-central.
Whiteboard: [fuzzblocker]
Comment 4 (Assignee, 5 years ago)
Patch to version-bump Cranelift is over on Bug 1648885 (the vendoring update resolves both this bug and that one).
Comment 5 (Assignee, 5 years ago)
Fixed with patch for Bug 1648885, landed in m-c at https://hg.mozilla.org/mozilla-central/rev/da778e8edbdc.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Updated 5 years ago
Target Milestone: --- → mozilla80