Closed Bug 1650482 Opened 5 years ago Closed 5 years ago

Crash [@ ??] with SIGILL in Cranelift

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

ARM64
Linux
defect

Tracking


RESOLVED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f0ac79e1ed53 (debug build, run with --no-threads --fuzzing-safe --shared-memory=off --no-wasm-reftypes --no-wasm-simd --wasm-compiler=cranelift --disable-oom-functions):

load("wasm-module-builder.js");   // SpiderMonkey jit-test helper for assembling raw wasm modules
let builder = new WasmModuleBuilder();
let args = [];
let kSig = makeSig([], []);       // function type () -> ()
builder.addFunction("main", kSig)
  // Raw function body: wasm opcode bytes and LEB128 immediates as emitted by the fuzzer.
  .addBody([ 65,40,65,81,109,65,81,109,65,111,65,65,111,111,65,65,65,110,65,230,109,65,111,192,111,65,65,111,65,65,119,111,65,192,65,116,111,65,119,111,65,65,65,111,106,111,65,65,111,192,65,0,0 ])
  .exportFunc();
let imports = {};
let buffer = builder.toBuffer();
let module = new WebAssembly.Module(buffer);            // compiled by Cranelift (see --wasm-compiler=cranelift)
let instance = new WebAssembly.Instance(module, imports);
main = function() { return instance.exports.main(...args); };
main();   // running the compiled function executes the undefined instruction and raises SIGILL

Backtrace:

==30973==ERROR: UndefinedBehaviorSanitizer: ILL on unknown address 0x238000a37198 (pc 0x238000a37198 bp 0xffffd7c077a0 sp 0xffffd7c077a0 T30973)
    #0 0x238000a37198  (<unknown module>)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: ILL (<unknown module>)
==30973==ABORTING
Attached file Testcase
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
Bugmon Analysis: Unable to reproduce bug using the following builds:
> mozilla-central 20200703215022-efa2336315ed
> mozilla-central 20200703035655-b48777a21aab
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Some additional debug information:

Thread 1 "js" received signal SIGILL, Illegal instruction.
0x00000fc8afa32198 in ?? ()
(gdb) bt
#0  0x00000fc8afa32198 in ?? ()
#1  0x00000fc8afa322c4 in ?? ()
Backtrace stopped: Cannot access memory at address 0x1b00000000000018
(gdb) x /16i $pc-32
   0xfc8afa32178:       mov     x0, #0xffee                     // #65518
   0xfc8afa3217c:       movk    x0, #0xffff, lsl #16
   0xfc8afa32180:       sxtw    x0, w0
   0xfc8afa32184:       sxtw    x1, w1
   0xfc8afa32188:       sdiv    x2, x0, x1
   0xfc8afa3218c:       cbnz    x1, 0xfc8afa32194
   0xfc8afa32190:       .inst   0xd4a00000 ; undefined
   0xfc8afa32194:       msub    x0, x2, x1, x0
=> 0xfc8afa32198:       .inst   0x53207c01 ; undefined
   0xfc8afa3219c:       mov     x0, #0xffc1                     // #65473
   0xfc8afa321a0:       movk    x0, #0xffff, lsl #16
   0xfc8afa321a4:       sxtw    x0, w0
   0xfc8afa321a8:       sxtw    x1, w1
   0xfc8afa321ac:       sdiv    x2, x0, x1
   0xfc8afa321b0:       cbnz    x1, 0xfc8afa321b8
   0xfc8afa321b4:       .inst   0xd4a00000 ; undefined
(gdb) info reg
x0             0x0      0
x1             0xffffffffffffffff       -1
x2             0x12     18
x3             0xffffffffcc10   281474976697360
x4             0xaaaaad32cd50   187650026949968
x5             0xffffffffcc68   281474976697448
x6             0xffffffffffffffff       -1
x7             0xffffffffffffffff       -1
x8             0xffffffffcd10   281474976697616
x9             0xaaaaaf4ca4d0   187650062197968
x10            0x31a00  203264
x11            0x1      1
x12            0x1      1
x13            0x2e1    737
x14            0x1      1
x15            0xffffffffd5f0   281474976699888
x16            0xffffffffc710   281474976696080
x17            0xffffbf305190   281473889358224
x18            0xffffffffd6c2   281474976700098
x19            0xffffffffcd10   281474976697616
x20            0xaaaaaf5dd170   187650063323504
x21            0x0      0
x22            0xffffffffd0a0   281474976698528
x23            0xaaaaaf7767f0   187650065000432
x24            0xfc8afa32240    17354614579776
x25            0xaaaaad97cbf0   187650033568752
x26            0xffffffffc950   281474976696656
x27            0x0      0
x28            0xaaaa00a800000000       -6149101619666485248
x29            0xffffffffc6f0   281474976696048
x30            0xfc8afa322c4    17354614579908
sp             0xffffffffc6f0   0xffffffffc6f0
pc             0xfc8afa32198    0xfc8afa32198
cpsr           0x40000000       [ EL=0 Z ]
fpsr           0x11     17
fpcr           0x0      0
(gdb) x /16w $pc-32
0xfc8afa32178:  0xd29ffdc0      0xf2bfffe0      0x93407c00      0x93407c21
0xfc8afa32188:  0x9ac10c02      0xb5000041      0xd4a00000      0x9b018040
0xfc8afa32198:  0x53207c01      0xd29ff820      0xf2bfffe0      0x93407c00
0xfc8afa321a8:  0x93407c21      0x9ac10c02      0xb5000041      0xd4a00000
(gdb) c
Continuing.

Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.
Flags: needinfo?(bbouvier)

Nice catch! The code generating the shift did approximate - shift_count % 64 with 64 - x, which is incorrect for x = 0. Fix coming in Cranelift; we'll bump Cranelift here.

Flags: needinfo?(bbouvier)
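An added illustration in Rust, not Cranelift's code and not the contents of the linked PR: the `bits - x` negation of a shift amount next to a modular one, plus a decoder for the AArch64 bitfield-move instruction form (SBFM/BFM/UBFM) that shows why the word 0x53207c01 sitting at $pc in the gdb session above is UNDEFINED. The field layout and validity rule follow the ARM architecture reference; reading that word as a W-register shift whose immr came out of the `bits - x` computation is my interpretation of the disassembly.

```rust
/// Buggy negation of a shift/rotate amount: `bits - x`. For x == 0 this yields
/// `bits` itself, which cannot be encoded in the immr field (5 bits for W
/// registers, 6 bits for X registers).
fn neg_shift_buggy(x: u32, bits: u32) -> u32 {
    bits - x
}

/// Correct negation modulo the operand width: (-x) mod bits, which is 0 for x == 0
/// and agrees with the buggy form for every other in-range x.
fn neg_shift_fixed(x: u32, bits: u32) -> u32 {
    x.wrapping_neg() & (bits - 1)
}

/// Fields of an AArch64 bitfield-move instruction (bits 28..23 == 0b100110).
#[derive(Debug, PartialEq)]
struct Bitfield { sf: bool, opc: u32, n: u32, immr: u32, imms: u32, rn: u32, rd: u32 }

/// Decode a 32-bit instruction word; None if it is not a bitfield-move instruction.
fn decode_bitfield(word: u32) -> Option<Bitfield> {
    if ((word >> 23) & 0x3f) != 0b100110 {
        return None;
    }
    Some(Bitfield {
        sf: (word >> 31) == 1,
        opc: (word >> 29) & 0b11,      // 00 = SBFM, 01 = BFM, 10 = UBFM
        n: (word >> 22) & 1,
        immr: (word >> 16) & 0x3f,
        imms: (word >> 10) & 0x3f,
        rn: (word >> 5) & 0x1f,
        rd: word & 0x1f,
    })
}

/// Architectural validity rule: the 64-bit (X) form requires N == 1; the 32-bit (W)
/// form requires N == 0 and both immediates below 32. Anything else is UNDEFINED,
/// which the CPU reports as an illegal instruction (SIGILL).
fn is_encodable(bf: &Bitfield) -> bool {
    if bf.sf { bf.n == 1 } else { bf.n == 0 && bf.immr < 32 && bf.imms < 32 }
}

fn main() {
    // 0x53207c01 is the faulting word from the gdb session on this page.
    let bf = decode_bitfield(0x53207c01).expect("bitfield instruction");
    // Decodes as UBFM W1, W0, #32, #31 (i.e. LSR by 32) with sf == 0: immr == 32 is out of range.
    println!("{:?} encodable={}", bf, is_encodable(&bf));
    println!("x=0: buggy={} fixed={}", neg_shift_buggy(0, 32), neg_shift_fixed(0, 32));
}
```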

https://github.com/bytecodealliance/wasmtime/pull/1999 will need to be reviewed and landed before bumping.

Flags: needinfo?(bbouvier)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)

Hey Ben, can we get a priority and severity on this bug? thanks!

Flags: needinfo?(bbouvier)

Sure! This is affecting Cranelift aarch64, which is Nightly only, disabled by default. We have a fix, and it's likely it'll land with the next Cranelift bump in bug 1633721.

Severity: -- → S4
Depends on: 1633721
Flags: needinfo?(bbouvier)
Priority: -- → P1

This was fixed by the bump in bug 1633721.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED