Closed Bug 1653502 Opened 5 years ago Closed 5 years ago

Crash [@ ??] with SIGILL in Cranelift

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

ARM64
Linux
defect

Tracking


RESOLVED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People

(Reporter: decoder, Assigned: cfallin)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision f6127ce5c744 (debug build, run with --no-threads --fuzzing-safe --shared-memory=off --no-wasm-reftypes --no-wasm-simd --wasm-compiler=cranelift --disable-oom-functions test.js):

See attachment.

Backtrace:

==25445==ERROR: UndefinedBehaviorSanitizer: ILL on unknown address 0x1f51ac6c921c (pc 0x1f51ac6c921c bp 0xffffe00e50a0 sp 0xffffe00e50a0 T25445)
    #0 0x1f51ac6c921c  (<unknown module>)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: ILL (<unknown module>) 
==25445==ABORTING

This crash is very similar to bug 1650482 but that was fixed and this one still reproduces.

Attached file Testcase
Attachment #9164263 - Attachment filename: test.js → test.zip

Another invalid instruction generated by Cranelift aarch64, one of us should look into it.

Flags: needinfo?(jseward)
Flags: needinfo?(cfallin)
Flags: needinfo?(bbouvier)
Whiteboard: [fuzzblocker]
Severity: -- → S4
Priority: -- → P1
Assignee: nobody → cfallin
Flags: needinfo?(cfallin)
Flags: needinfo?(cfallin)

Interesting -- this seems to be a similar shift-amount-masking bug, but with the built-in reg extend/shift mode that some arithmetic instructions support. Here's the relevant bit of vcode from the RUST_LOG=debug output:

  Inst 111:   asr x3, x3, #32
  Inst 112:   movz x4, #65519
  Inst 113:   movk x4, #65535, LSL #16
  Inst 114:   sub w3, w3, w4, LSL 51

(The shift amount of 51 on the 32-bit sub is the bug.)

Should be an easy fix -- will have a patch soon!

Flags: needinfo?(cfallin)
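As an added illustration (not Cranelift's code), the invariant behind the fix modelled in Rust: a WebAssembly shift count is taken modulo the operand width, and an aarch64 shifted-register operand cannot encode an amount at or above that width, so a 32-bit `sub` with `LSL 51` is an undefined encoding that faults at run time. `lower_sub_shifted`, `OperandSize` and the register numbers are assumed names; the unmasked path reproduces the failure mode shown in the vcode above.

```rust
// Added example, not Cranelift's own lowering code.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum OperandSize {
    Size32,
    Size64,
}

impl OperandSize {
    pub fn bits(self) -> u32 {
        match self {
            OperandSize::Size32 => 32,
            OperandSize::Size64 => 64,
        }
    }
}

/// WebAssembly shift semantics: the count is reduced modulo the operand
/// width, so an i32 shift by 51 is a shift by 51 & 31 = 19.
pub fn mask_shift_amount(amt: u64, size: OperandSize) -> u8 {
    (amt & (u64::from(size.bits()) - 1)) as u8
}

/// Encoder-side check: the aarch64 shifted-register form only encodes
/// amounts below the operand width. Anything else is an undefined
/// encoding, which is what produced the SIGILL in this report.
pub fn check_shifted_reg_amount(amt: u8, size: OperandSize) -> Result<u8, String> {
    if u32::from(amt) < size.bits() {
        Ok(amt)
    } else {
        Err(format!("shift amount {} not encodable for {}-bit operand", amt, size.bits()))
    }
}

/// Lower `rd = rn - (rm << amt)` to the vcode text used in the report.
/// `mask == false` is the buggy path (raw count forwarded); `true` is the fix.
pub fn lower_sub_shifted(
    rd: u8, rn: u8, rm: u8, amt: u64, size: OperandSize, mask: bool,
) -> Result<String, String> {
    let amt = if mask { mask_shift_amount(amt, size) } else { amt as u8 };
    let amt = check_shifted_reg_amount(amt, size)?;
    let p = match size {
        OperandSize::Size32 => 'w',
        OperandSize::Size64 => 'x',
    };
    Ok(format!("sub {0}{1}, {0}{2}, {0}{3}, LSL {4}", p, rd, rn, rm, amt))
}
```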

This PR in Cranelift should fix the issue, once we merge it and then bump the version of Cranelift in-tree: https://github.com/bytecodealliance/wasmtime/pull/2042

(In reply to Chris Fallin [:cfallin] from comment #4)

This PR in Cranelift should fix the issue, once we merge it and then bump the version of Cranelift in-tree: https://github.com/bytecodealliance/wasmtime/pull/2042

I can confirm that this will fix the remaining crashes I have been seeing.

This patch pulls in revision 1b3b2dbfd00492161032760992a8699d19b640ca of
Cranelift. This includes PR bytecodealliance/wasmtime#2042, which fixes
bug 1653502 by properly masking the shift amount in a shift incorporated
into an aarch64 arithmetic instruction.

This patch also includes various other miscellaneous Cranelift
improvements that have been merged since the last version-bump,
including some aarch64 codegen improvements.

Flags: needinfo?(jseward)
Flags: needinfo?(bbouvier)
Pushed by cfallin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d5657e2d4be9 Update vendored Cranelift to fix fuzzbug. r=bbouvier
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Regressions: 1656403
