Crash [@ RustMozCrash] through [@ cranelift_codegen::remove_constant_phis::do_remove_constant_phis]
Component: Core :: JavaScript: WebAssembly (defect)
Reporter: decoder; Assigned: cfallin
Whiteboard: [bugmon:update,bisect,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20200804-fdfd1e91d204 (fuzzing-asan-opt build, run with --no-threads --wasm-compiler=cranelift test.js):
See attachment.
Backtrace:
==24558==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x5557fa83d47b bp 0x7ffe23ab16e0 sp 0x7ffe23ab1290 T0)
==24558==The signal is caused by a WRITE memory access.
==24558==Hint: address points to the zero page.
#0 0x5557fa83d47a in RustMozCrash (opt64-fuzzing/dist/bin/js+0x3fd647a)
#1 0x5557fa511bac in mozglue_static::panic_hook::h92ca72deb9e91048 mozglue/static/rust/lib.rs:89:8
#2 0x5557fa511a7b in core::ops::function::Fn::call::hc67766f75bab9932 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ops/function.rs:72:4
#3 0x5557fa6d8361 in std::panicking::rust_panic_with_hook::hb976084785e50594 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:474:16
#4 0x5557fa2aada4 in std::panicking::begin_panic::h754db2cdab6ed7a5 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:397:4
#5 0x5557fa2eaef5 in cranelift_codegen::remove_constant_phis::do_remove_constant_phis::h49f89c941a0da509 third_party/rust/cranelift-codegen/src/remove_constant_phis.rs:264:16
#6 0x5557fa38b59e in cranelift_codegen::context::Context::remove_constant_phis::h8955d9784fc805f4 third_party/rust/cranelift-codegen/src/context.rs:303:8
#7 0x5557fa38b59e in cranelift_codegen::context::Context::compile::h6503bb0e7708b3ef third_party/rust/cranelift-codegen/src/context.rs:183:8
#8 0x5557fa254d06 in baldrdash::compile::BatchCompiler::compile::h2820611680d9fec6 js/src/wasm/cranelift/src/compile.rs:147:19
#9 0x5557fa252dd2 in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:220:20
#10 0x5557f99dc4c1 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:490:10
#11 0x5557f9adabe4 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:743:16
#12 0x5557f9adaed8 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:790:8
#13 0x5557f9adc6c8 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:928:24
#14 0x5557f99d690f in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:566:13
#15 0x5557f99d4fab in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) js/src/wasm/WasmCompile.cpp:589:8
#16 0x5557f9b9e8fb in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1519:7
#17 0x5557f82f0bf0 in CallJSNative js/src/vm/Interpreter.cpp:487:13
[...]
#33 0x5557f7f0b1fe in _start (opt64-fuzzing/dist/bin/js+0x16a41fe)
Note: This requires a non-debug build. In a debug build I get this error instead:
[2020-08-04T07:48:47Z ERROR baldrdash] Cranelift compilation error: Verifier errors
test.js:2:14 CompileError: Cranelift error in clifFunc #0
If the verifier is always supposed to succeed, then it should probably be fatal in debug builds. If it is not (verifier failures are allowed), then it should probably be disabled for fuzzing if it is a debug-only feature.
Comment 3 (Assignee, 5 years ago):
Thanks for this! This PR on the Cranelift side seems to fix things: https://github.com/bytecodealliance/wasmtime/pull/2097
I'll vendor this in once the PR lands over there.
Comment 4 (Assignee, 5 years ago):
This patch vendors in the latest version of Cranelift, including the
following PR, which fixes this fuzzbug: