Closed Bug 1657895 Opened 5 years ago Closed 5 years ago

Cranelift: Hit MOZ_CRASH(assertion failed: `(left == right)` left: `types::I32`, right: `types::I64`: declared type of variable Variable(0) doesn't match type of value v10) at third_party/rust/cranelift-frontend/src/frontend.rs:321

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

ARM64
Linux
defect

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- fixed

People

(Reporter: decoder, Assigned: cfallin)

References

Details

(4 keywords, Whiteboard: [bugmon:update,bisect,confirmed][fuzzblocker])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 95cbd1379138 (--enable-debug --enable-fuzzing build, run with --no-threads --disable-oom-functions --wasm-compiler=cranelift test.js):

See attachment.

Backtrace:

==10745==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0xaaaab17ba6f4 bp 0xffffc65b87a0 sp 0xffffc65b87a0 T10745)
==10745==The signal is caused by a WRITE memory access.
==10745==Hint: address points to the zero page.
    #0 0xaaaab17ba6f4 in MOZ_Crash(char const*, int, char const*) dist/include/mozilla/Assertions.h:254:3
    #1 0xaaaab17ba6f4 in RustMozCrash mozglue/static/rust/wrappers.cpp:17:3
    #2 0xaaaab17b9650 in mozglue_static::panic_hook::hf434884dcdf9776a mozglue/static/rust/lib.rs:89:9
    #3 0xaaaab17b8c14 in core::ops::function::Fn::call::h019a6380d2b5b804 /rustc/d3fb005a39e62501b8b0b356166e515ae24e2e54/src/libcore/ops/function.rs:72:5
    #4 0xaaaab1e54390 in std::panicking::rust_panic_with_hook::h31170e69b0c9835c /rustc/d3fb005a39e62501b8b0b356166e515ae24e2e54/src/libstd/panicking.rs:490:17
    #5 0xaaaab1e53f90 in rust_begin_unwind /rustc/d3fb005a39e62501b8b0b356166e515ae24e2e54/src/libstd/panicking.rs:388:5
    #6 0xaaaab1e53f04 in std::panicking::begin_panic_fmt::h7e3761aa3be916ba /rustc/d3fb005a39e62501b8b0b356166e515ae24e2e54/src/libstd/panicking.rs:342:5
    #7 0xaaaab19f240c in cranelift_frontend::frontend::FunctionBuilder::def_var::ha16b649755bdbfa3 third_party/rust/cranelift-frontend/src/frontend.rs:321:9
    #8 0xaaaab1f18acc in cranelift_wasm::code_translator::translate_operator::h2a41787cccd8e9a4 third_party/rust/cranelift-wasm/src/code_translator.rs
    #9 0xaaaab1f0ef68 in cranelift_wasm::func_translator::parse_function_body::hbc08d559ad15c469 third_party/rust/cranelift-wasm/src/func_translator.rs:236:9
    #10 0xaaaab1f0e500 in cranelift_wasm::func_translator::FuncTranslator::translate_from_reader::hedd711ab3341b00c third_party/rust/cranelift-wasm/src/func_translator.rs:112:9
    #11 0xaaaab1f0e72c in cranelift_wasm::func_translator::FuncTranslator::translate::h23d3eebe2f9ff09c third_party/rust/cranelift-wasm/src/func_translator.rs:65:9
    #12 0xaaaab1f09ef4 in baldrdash::compile::BatchCompiler::translate_wasm::hfc2010fdae76f5e5 js/src/wasm/cranelift/src/compile.rs:162:9
    #13 0xaaaab18288fc in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:214:21
    #14 0xaaaab1275140 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:496:10
    #15 0xaaaab13354a4 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:753:16
    #16 0xaaaab1336cd4 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:816:8
    #17 0xaaaab1336cd4 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:954:24
    #18 0xaaaab1272b60 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:566:13
    #19 0xaaaab1272480 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:590:8
    #20 0xaaaab13cf5e8 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1523:25
    #21 0xaaaab03a7548 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:507:13
    [...]
Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][fuzzblocker]
Keywords: bugmon
Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisect,confirmed][fuzzblocker]
Bugmon Analysis: Unable to reproduce bug using the following builds:
> mozilla-central 20200807093158-cc8993c8140a
> mozilla-central 20200807033206-d51942b1e2d8
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

This pulls in (in addition to other miscellaneous changes) a Cranelift
PR which fixes a Wasm translation issue in which the value stack was not
properly restored to have the if-block-parameters in the else-branch
after the if-branch ended in an unreachable opcode:

https://github.com/bytecodealliance/wasmtime/pull/2120

This commit currently refers to a local branch on GitHub; it will be
edited when the GitHub PR lands.
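The commit message above describes the bug class at the level of the translator's value stack: after the then-branch of an `if` with block parameters ended in `unreachable`, the else-branch was entered without the parameters being put back, so later instructions consumed whatever value happened to be underneath, and the mismatch surfaced as the `def_var` type assertion in the backtrace. The following is an added illustration, not cranelift-wasm's code and not the attached testcase (which is not reproduced on this page): it models the operand-stack and control-frame bookkeeping a Wasm-to-IR translator keeps, with a constructed `restore_params_after_unreachable` switch that selects the correct behaviour or the faulty one. The instruction tuples, `Translator` class and local-type list are all constructed for this example; the function shape is only a guess consistent with the assertion message (local 0 declared `i32`, value of type `i64`).

```python
"""Toy model of the value-stack bookkeeping a Wasm-to-IR translator keeps while
walking a function body.  Added illustration only: not cranelift-wasm's code.
The instruction tuples, the Translator class and the
`restore_params_after_unreachable` switch are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class StackError(Exception):
    """Raised where a real translator would hit an internal assertion."""


@dataclass
class Frame:
    kind: str              # "func", "if" or "else"
    params: List[str]      # block-type parameters, e.g. ["i32"]
    results: List[str]     # block-type results
    height: int            # value-stack height just below the parameters
    entry_reachable: bool  # was the code before this block reachable?


class Translator:
    def __init__(self, local_types: List[str], restore_params_after_unreachable: bool = True):
        self.local_types = local_types
        self.stack: List[str] = []
        self.ctrl: List[Frame] = []
        self.reachable = True
        # False reproduces the bug class from the commit message: when the
        # then-branch ended in `unreachable`, the else-branch starts with
        # whatever the then-branch left behind instead of the block parameters.
        self.restore_params_after_unreachable = restore_params_after_unreachable

    def _pop(self, expected: Optional[str] = None) -> str:
        # Like a real translator, trust the validator: no frame-height check.
        if not self.stack:
            raise StackError("value stack underflow")
        actual = self.stack.pop()
        if expected is not None and actual != expected:
            raise StackError(f"declared type {expected} doesn't match type of value {actual}")
        return actual

    def _start_else(self, frame: Frame) -> None:
        if self.reachable or self.restore_params_after_unreachable:
            # Correct behaviour: the else-branch always begins with exactly the
            # block parameters on top of the enclosing stack.
            del self.stack[frame.height:]
            self.stack.extend(frame.params)
        # (faulty variant: then-branch was unreachable, stack left untouched)
        self.reachable = frame.entry_reachable
        self.ctrl.append(Frame("else", frame.params, frame.results, frame.height, frame.entry_reachable))

    def _end_block(self, frame: Frame) -> None:
        if self.reachable:
            for t in reversed(frame.results):
                self._pop(t)
            if len(self.stack) != frame.height:
                raise StackError("block left extra values on the stack")
        del self.stack[frame.height:]
        self.stack.extend(frame.results)
        self.reachable = frame.entry_reachable

    def run(self, code: List[Tuple]) -> List[str]:
        self.ctrl.append(Frame("func", [], [], 0, True))
        for name, *args in code:
            if name == "if":
                params, results = args
                if self.reachable:
                    self._pop("i32")            # the condition sits on top
                    for t in reversed(params):
                        self._pop(t)
                self.ctrl.append(Frame("if", params, results, len(self.stack), self.reachable))
                if self.reachable:
                    self.stack.extend(params)   # the then-branch sees the params
            elif name == "else":
                self._start_else(self.ctrl.pop())
            elif name == "end":
                self._end_block(self.ctrl.pop())
            elif not self.reachable:
                continue                        # dead code is skipped, as translators do
            elif name == "const":
                self.stack.append(args[0])
            elif name == "drop":
                self._pop()
            elif name == "local.set":
                self._pop(self.local_types[args[0]])   # mirrors the def_var type check
            elif name == "unreachable":
                self.reachable = False
            else:
                raise ValueError(f"unknown instruction {name}")
        if self.ctrl:
            raise StackError("unbalanced blocks")
        return list(self.stack)


# Constructed function body: one i32 local; an i64 sits on the stack underneath
# an `if` whose block type takes one i32 parameter, and the then-branch consumes
# that parameter before trapping.
THEN_UNREACHABLE = [
    ("const", "i64"), ("const", "i32"), ("const", "i32"),
    ("if", ["i32"], []), ("drop",), ("unreachable",),
    ("else",), ("local.set", 0), ("end",),
    ("drop",), ("end",),
]
# Same shape, but the then-branch falls through: both variants agree here.
THEN_FALLTHROUGH = [
    ("const", "i64"), ("const", "i32"), ("const", "i32"),
    ("if", ["i32"], []), ("drop",),
    ("else",), ("local.set", 0), ("end",),
    ("drop",), ("end",),
]


def translate(code: List[Tuple], restore_params_after_unreachable: bool):
    """Return the final value stack, or the assertion-style message on mismatch."""
    try:
        return Translator(["i32"], restore_params_after_unreachable).run(code)
    except StackError as e:
        return str(e)
```

With the correct else handling both bodies translate to an empty final stack; with the faulty variant only the body whose then-branch ends in `unreachable` fails, and it fails with the same shape of message as the assertion in the backtrace (declared `i32`, value `i64`), which is why a fuzzer-found `unreachable` inside an `if` with block parameters is the trigger worth covering in a regression test.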

Assignee: nobody → cfallin
Status: NEW → ASSIGNED

Recently Cranelift modified the spelling of Stackmap and stackmap to
two-word forms; this adapts our embedding of Cranelift accordingly.

Depends on D86459

Severity: -- → S3
Priority: -- → P1
Summary: Hit MOZ_CRASH(assertion failed: `(left == right)` left: `types::I32`, right: `types::I64`: declared type of variable Variable(0) doesn't match type of value v10) at third_party/rust/cranelift-frontend/src/frontend.rs:321 → Cranelift: Hit MOZ_CRASH(assertion failed: `(left == right)` left: `types::I32`, right: `types::I64`: declared type of variable Variable(0) doesn't match type of value v10) at third_party/rust/cranelift-frontend/src/frontend.rs:321
Attachment #9168951 - Attachment description: Bug 1657895: fix fuzzbug by vendoring Cranelift to rev dd5a5ebdbcb76ce90e16524b3a7c951022e7348d (LOCAL BRANCH DO NOT COMMIT). r=jseward → Bug 1657895: fix fuzzbug by vendoring Cranelift to rev e88d74903102266a18e97489557760b9be67f782. r=jseward
Pushed by cfallin@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bcea744caa66 fix fuzzbug by vendoring Cranelift to rev e88d74903102266a18e97489557760b9be67f782. r=jseward
https://hg.mozilla.org/integration/autoland/rev/5c9c06afd067 update Baldrdash (Cranelift bindings) for minor API changes. r=jseward
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch