Closed Bug 1657561 Opened 6 months ago Closed 5 months ago

Hit MOZ_CRASH(not implemented: unimplemented lowering for opcode Fence) at cranelift-codegen/src/isa/x64/lower.rs:1964

Categories

(Core :: Javascript: WebAssembly, defect, P3)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Attachments

(2 files)

The attached testcase crashes on mozilla-central revision 20200806-6e35e01646d7 (build with --enable-fuzzing --enable-debug, run with --no-threads --wasm-compiler=cranelift test.js).

Backtrace:

==9092==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55af35728ce5 bp 0x7fff75c9bb60 sp 0x7fff75c9bb50 T9092)
    #0 0x55af35728ce4 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x55af35728ce4 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:253:3
    #2 0x55af35728ce4 in RustMozCrash mozglue/static/rust/wrappers.cpp:17:3
    #3 0x55af35728c94 in mozglue_static::panic_hook::hcf93afeab0f1f120 mozglue/static/rust/lib.rs:89:8
    #4 0x55af3572858b in core::ops::function::Fn::call::h71908f84f4fbb781 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ops/function.rs:72:4
    #5 0x55af35c7f374 in std::panicking::rust_panic_with_hook::hb976084785e50594 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:474:16
    #6 0x55af35c7ee8a in rust_begin_unwind /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:378:4
    #7 0x55af35c7edfa in std::panicking::begin_panic_fmt::h82e7fee729e9f5fb /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:332:4
    #8 0x55af35ab2524 in cranelift_codegen::isa::x64::lower::lower_insn_to_regs::h258d585117c447f5 third_party/rust/cranelift-codegen/src/isa/x64/lower.rs
    #9 0x55af35accb1a in cranelift_codegen::isa::x64::lower::_$LT$impl$u20$cranelift_codegen..machinst..lower..LowerBackend$u20$for$u20$cranelift_codegen..isa..x64..X64Backend$GT$::lower::h6b71467a9d3f77f3 third_party/rust/cranelift-codegen/src/isa/x64/lower.rs:1977:8
    #10 0x55af35accb1a in cranelift_codegen::machinst::lower::Lower$LT$I$GT$::lower_clif_block::h6c2943e81b52a2c5 third_party/rust/cranelift-codegen/src/machinst/lower.rs:596:16
    #11 0x55af35accb1a in cranelift_codegen::machinst::lower::Lower$LT$I$GT$::lower::h3b3a40263d5b4a7c third_party/rust/cranelift-codegen/src/machinst/lower.rs:758:16
    #12 0x55af35abbeee in cranelift_codegen::machinst::compile::compile::h9245039dd2efd1c8 third_party/rust/cranelift-codegen/src/machinst/compile.rs:28:8
    #13 0x55af35abbeee in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h39c08e6c950e90eb third_party/rust/cranelift-codegen/src/isa/x64/mod.rs:45:8
    #14 0x55af35abbeee in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..machinst..MachBackend$GT$::compile_function::h8639d39e45541d9c third_party/rust/cranelift-codegen/src/isa/x64/mod.rs:56:20
    #15 0x55af35b07cd6 in cranelift_codegen::context::Context::compile::he4af3604dd10dbd8 third_party/rust/cranelift-codegen/src/context.rs:186:25
    #16 0x55af3579afd1 in baldrdash::compile::BatchCompiler::compile::hb1a1d04b65c41763 js/src/wasm/cranelift/src/compile.rs:147:19
    #17 0x55af357a84f5 in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:220:20
    #18 0x55af351d6dd0 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:496:10
    #19 0x55af352886ab in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:743:16
    #20 0x55af35289cbb in locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:790:8
    #21 0x55af35289cbb in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:928:24
    #22 0x55af351d47a8 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:566:13
    #23 0x55af351d418d in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) js/src/wasm/WasmCompile.cpp:589:8
    #24 0x55af3531bdaa in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1522:7
    #25 0x55af3427b891 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:487:13
    [...]
    #40 0x55af340974b2 in _start (dist/bin/js+0x6b54b2)
Attached file Testcase

:bbouvier (when you're back) or :jseward, I wonder if the compiler gating logic is allowing atomics to be used with the Cranelift x64 backend? They aren't implemented on x64 yet, so the panic in the lowering opcode-match makes sense.

:decoder, thanks for this! FWIW, the highest priority on Cranelift fuzzing (IMHO) is with the aarch64 backend, as we're hoping to turn it on soon; the new x64 backend is relatively much younger. Of course we always appreciate the fuzzbugs regardless :-)

Flags: needinfo?(jseward)
Severity: -- → S3
Priority: -- → P3
Flags: needinfo?(bbouvier)

Found it; the argument processing logic was incorrect for shared memory, I've got a fix.

Flags: needinfo?(jseward)
Flags: needinfo?(bbouvier)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

The flag setting in the ModuleEnv if shared memory is available was using the
wrong predicate. In addition to looking at whether shared memory is effectively
enabled, it should also look at whether we're fuzzing or not.

This fixes crashes that happen only when fuzzing, that is, running the shell
with --wasm-compiler=cranelift --fuzzing-safe.

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2bac59a88ca2
Fix wasm arguments processing logic for shared memory; r=lth
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch