Closed Bug 1657888 Opened 5 years ago Closed 5 years ago

Cranelift: Crash [@ js::gc::detail::GetCellLocation] with Cranelift

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
ARM64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- disabled
firefox-esr78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- fixed

People

(Reporter: decoder, Assigned: cfallin)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect])

Crash Data

Attachments

(2 files)

Testcase
967 bytes, application/octet-stream
Details
Bug 1657888: Cranelift Wasm backend: zero-extend i32 args as well as returns. r=jseward
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 95cbd1379138 ((buildtype not available) build, run with --no-threads --disable-oom-functions --wasm-compiler=cranelift test.js):

See attachment.

Backtrace:

==10518==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7ffff80fffe8 (pc 0xaaaae8e6fa6c bp 0xffffe22e3800 sp 0xffffe22e3800 T10518)
==10518==The signal is caused by a READ memory access.
    #0 0xaaaae8e6fa6c in js::gc::detail::GetCellLocation(void const*) dist/include/js/HeapAPI.h:512:10
    #1 0xaaaae8e6fa6c in js::gc::IsCellPointerValid(void const*) dist/include/js/HeapAPI.h:557:19
    #2 0xaaaae8e6fa6c in JS::GCPolicy<JS::Value>::isValid(JS::Value const&) dist/include/js/Value.h:1126:34
    #3 0xaaaae8e6fa6c in JS::MutableHandle<JS::Value>::set(JS::Value const&) dist/include/js/RootingAPI.h:691:5
    #4 0xaaaae982d464 in js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:1274:7
    #5 0xffbcaf69f18  (<unknown module>)

This seems to reproduce only on ARM64.

Attached file Testcase

The Baldrdash (SpiderMonkey-to-Cranelift) glue layer was properly
setting the argument extension mode for 32-bit return values, so that
the high bits were zeroed, but it was not correctly setting this for
32-bit arguments. This matters when generated Wasm code calls back into
JS or native code; it must zero-extend the value before passing it to
the callee.

Assignee: nobody → cfallin
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1
Summary: Crash [@ js::gc::detail::GetCellLocation] with Cranelift → Cranelift: Crash [@ js::gc::detail::GetCellLocation] with Cranelift
Pushed by cfallin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a50bfcf246e3 Cranelift Wasm backend: zero-extend i32 args as well as returns. r=jseward

https://hg.mozilla.org/mozilla-central/rev/a50bfcf246e3

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox81: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: