Closed Bug 1653977 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(unexpected v128 when setting global's value) at wasm/WasmJS.cpp:3166

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- verified

People

(Reporter: decoder, Assigned: lth)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
259 bytes, text/plain
Details
Bug 1653977 - misc bugs for immutable v128 globals. r?bbouvier
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200720-015515bcba1f (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function wasmEvalText(str, imports) {
    let binary = wasmTextToBinary(str);
    return new WebAssembly.Instance(new WebAssembly.Module(binary), imports);
}
wasmEvalText(`
  (module
    (global $g (export "g") v128 (v128.const f32x4 1 2 3 4))
  )
`).exports;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555698c9e0 in js::WasmGlobalObject::setVal(JSContext*, JS::Handle<js::wasm::Val>) ()
#1  0x0000555556995c57 in CreateExportObject(JSContext*, JS::Handle<js::WasmInstanceObject*>, JS::GCVector<JSFunction*, 0ul, js::SystemAllocPolicy> const&, JS::GCVector<js::WasmTableObject*, 0ul, js::SystemAllocPolicy> const&, JS::Handle<js::WasmMemoryObject*>, JS::GCVector<js::wasm::Val, 0ul, js::SystemAllocPolicy> const&, JS::GCVector<js::WasmGlobalObject*, 0ul, js::SystemAllocPolicy> const&, mozilla::Vector<js::wasm::Export, 0ul, js::SystemAllocPolicy> const&) ()
#2  0x00005555569787eb in js::wasm::Module::instantiate(JSContext*, js::wasm::ImportValues&, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) const ()
#3  0x0000555556981762 in js::WasmInstanceObject::construct(JSContext*, unsigned int, JS::Value*) ()
#4  0x00005555559473f2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#5  0x000055555595aa89 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ()
[...]
#16 0x00005555557bbcea in main ()
rax	0x555557188526	93825021805862
rbx	0x639348b0c0	427672776896
rcx	0x5555583cb840	93825040955456
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb5d0	140737488336336
rsp	0x7fffffffb590	140737488336272
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0xffff800000000000	-140737488355328
r13	0xfff8800000000000	-2111062325329920
r14	0x7fffffffb718	140737488336664
r15	0x7ffff47fdc40	140737295408192
rip	0x55555698c9e0 <js::WasmGlobalObject::setVal(JSContext*, JS::Handle<js::wasm::Val>)+1120>
=> 0x55555698c9e0 <_ZN2js16WasmGlobalObject6setValEP9JSContextN2JS6HandleINS_4wasm3ValEEE+1120>:	movl   $0xc5e,0x0
   0x55555698c9eb <_ZN2js16WasmGlobalObject6setValEP9JSContextN2JS6HandleINS_4wasm3ValEEE+1131>:	callq  0x55555584c42e <abort>
Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200720141506-630250c6e58d. The bug appears to have been introduced in the following build range: > Start: 21fd1ef9cbe46d660f9cd51c26036c1e152d638e (20200505080613) > End: 643507d65bddc692a1cda6f772bcc44055d688a0 (20200505083327) > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=21fd1ef9cbe46d660f9cd51c26036c1e152d638e&tochange=643507d65bddc692a1cda6f772bcc44055d688a0

This is a wasm simd isue: v128 globals should probably not be exposed to JS.

Regressed by: 1478632
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1478632

status-firefox78: --- → affected
status-firefox79: --- → affected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → affected
Severity: -- → S3
Priority: -- → P3
Assignee: nobody → lhansen
Status: NEW → ASSIGNED

(In reply to Benjamin Bouvier [:bbouvier] from comment #3)

This is a wasm simd isue: v128 globals should probably not be exposed to JS.

No, the test case should succeed. This is an unimplemented case, I think. There's a separate guard if JS attempts to read or write the value of a v128 global, but initializing a module-local wasm global should work.

Two bugs for the price of one test case!

  • when initializing an immutable exported v128 global, a code path in
    WasmGlobalObject::setVal was taken that would MOZ_CRASH, but should
    not.

  • the baseline compiler did not have a code path for reading an
    immutable v128 global, and would MOZ_CRASH.

No drama, just corner cases that were unimplemented and untested.

Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d5744b763049 misc bugs for immutable v128 globals. r=bbouvier

https://hg.mozilla.org/mozilla-central/rev/d5744b763049

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Status: RESOLVED → VERIFIED
status-firefox81: fixedverified
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200728150440-2f8d4f1f6608. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: