Closed Bug 1650621 Opened 4 years ago Closed 4 years ago

Assertion failure: count.value < 32, at jit/x86-shared/MacroAssembler-x86-shared-SIMD.cpp:1775

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- disabled
firefox80 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect][post-critsmash-triage])

Attachments

(2 files)

The attached testcase crashes on mozilla-central revision 20200703-b48777a21aab (debug build, run with --fuzzing-safe --no-threads test.js).

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555564798a4 in js::jit::MacroAssemblerX86Shared::packedRightShiftByScalarInt64x2(js::jit::Imm32, js::jit::FloatRegister, js::jit::FloatRegister) ()
#1  0x00005555565706e3 in js::jit::CodeGenerator::generateBody() ()
#2  0x00005555565ac131 in js::jit::CodeGenerator::generateWasm(js::wasm::FuncTypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) ()
#3  0x00005555568b2438 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#4  0x000055555689d5dd in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#5  0x000055555689e3d7 in js::wasm::ModuleGenerator::finishFuncDefs() ()
#6  0x0000555556827e7e in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#7  0x0000555556827a23 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#8  0x0000555556906464 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#9  0x0000555555942582 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#21 0x00005555557b9c85 in main ()
rip	0x5555564798a4 <js::jit::MacroAssemblerX86Shared::packedRightShiftByScalarInt64x2(js::jit::Imm32, js::jit::FloatRegister, js::jit::FloatRegister)+308>
=> 0x5555564798a4 <_ZN2js3jit23MacroAssemblerX86Shared31packedRightShiftByScalarInt64x2ENS0_5Imm32ENS0_13FloatRegisterES3_+308>:	movl   $0x6ef,0x0
   0x5555564798af <_ZN2js3jit23MacroAssemblerX86Shared31packedRightShiftByScalarInt64x2ENS0_5Imm32ENS0_13FloatRegisterES3_+319>:	callq  0x55555584855e <abort>

Marking s-s until investigated, since this is a range assert.

Attached file Testcase
Flags: needinfo?(bbouvier)

When lowering i64x2.shr_s, we can emit a simpler sequence if the shift count is
constant and less than 32; otherwise, a bigger code sequence needs to be
generated. When making this decision, the shift count wasn't masked, making it
so that a negative shift count would satisfy this condition but could be
greater than 32, in the immediate case. Masking the shift count solves the
issue and makes it also possible to use the constant code sequence for larger
shift counts.

The mask value of 63 is appropriate per specification, since we're operating on
an i64x2 register.
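An added example, not SpiderMonkey's code (helper names are hypothetical), that puts the unmasked shift-count check next to the masked one and beside the reference i64x2.shr_s lane semantics the mask of 63 follows from:

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration of the bug described above; hypothetical helper
 * names, not SpiderMonkey's own code. The scalar shift count of
 * i64x2.shr_s is masked to the lane width (count & 63) by the spec. */

/* Effective shift count after masking, i.e. what the emitted code must
 * actually implement. The cast keeps the mask well defined for negatives. */
unsigned effective_count(int32_t count) {
  return (uint32_t)count & 63;
}

/* Selection logic as the bug describes it: the raw immediate is compared
 * against 32, so a negative count such as -1 passes (-1 < 32) although
 * its masked value is 63, which the short sequence cannot handle. */
bool buggy_uses_short_sequence(int32_t count) {
  return count < 32;
}

/* Fixed selection: mask first. -1 (effective 63) now takes the long
 * sequence, and a count such as 70 (effective 6) may take the short one. */
bool fixed_uses_short_sequence(int32_t count) {
  return effective_count(count) < 32;
}

/* Portable arithmetic right shift of one i64 lane by the masked count
 * (avoids relying on implementation-defined >> of negative values). */
int64_t i64x2_shr_s_lane(int64_t lane, int32_t count) {
  unsigned c = effective_count(count);
  if (lane >= 0) {
    return (int64_t)((uint64_t)lane >> c);
  }
  return (int64_t)~(~(uint64_t)lane >> c);
}

/* Reference semantics for the whole i64x2.shr_s operation. */
void i64x2_shr_s(int64_t out[2], const int64_t in[2], int32_t count) {
  out[0] = i64x2_shr_s_lane(in[0], count);
  out[1] = i64x2_shr_s_lane(in[1], count);
}
```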

Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)
Severity: -- → S4
Priority: -- → P1
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Regressed by: 1637332
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Has Regression Range: --- → yes
Flags: in-testsuite+
Flags: qe-verify-
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][post-critsmash-triage]
Group: core-security-release

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20200715215205-c4186bb32c30.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
