Closed Bug 1663858 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(assertion failed: if let Some(num_bits) = num_bits { num_bits < if is_64 { 64 } else { 32 } } else { true }) at cranelift-codegen/src/isa/x64/inst/mod.rs:869

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
82 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

Details

(4 keywords)

Attachments

(1 file)

The attached testcase crashes on mozilla-central revision 20200908-dc90a7a18c07 (debug build, run with --no-threads --fuzzing-safe --shared-memory=off --no-wasm-multi-value --no-wasm-simd --wasm-compiler=cranelift --disable-oom-functions test.js).

Backtrace:

==19313==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5558ea2d5c15 bp 0x7ffe85974450 sp 0x7ffe85974440 T19313)
==19313==The signal is caused by a WRITE memory access.
==19313==Hint: address points to the zero page.
    #0 0x5558ea2d5c15 in MOZ_Crash dist/include/mozilla/Assertions.h:254:3
    #1 0x5558ea2d5c15 in RustMozCrash mozglue/static/rust/wrappers.cpp:17:3
    #2 0x5558ea2d5bc4 in mozglue_static::panic_hook::hcf93afeab0f1f120 mozglue/static/rust/lib.rs:89:8
    #3 0x5558ea2d54bb in core::ops::function::Fn::call::h71908f84f4fbb781 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ops/function.rs:72:4
    #4 0x5558ea851254 in std::panicking::rust_panic_with_hook::hb976084785e50594 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:474:16
    #5 0x5558ea53546e in std::panicking::begin_panic::h6e1db4d78be3e92f /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:397:4
    #6 0x5558ea67278d in cranelift_codegen::isa::x64::inst::Inst::shift_r::h3ffb9e2a823af127 third_party/rust/cranelift-codegen/src/isa/x64/inst/mod.rs:869:8
    #7 0x5558ea67278d in cranelift_codegen::isa::x64::lower::lower_insn_to_regs::hb45e778184dd3502 third_party/rust/cranelift-codegen/src/isa/x64/lower.rs:653:21
    #8 0x5558ea68cb80 in cranelift_codegen::isa::x64::lower::_$LT$impl$u20$cranelift_codegen..machinst..lower..LowerBackend$u20$for$u20$cranelift_codegen..isa..x64..X64Backend$GT$::lower::h917227de3751a4e1 third_party/rust/cranelift-codegen/src/isa/x64/lower.rs:2458:8
    #9 0x5558ea68cb80 in cranelift_codegen::machinst::lower::Lower$LT$I$GT$::lower_clif_block::h73a6c0af6fc86c90 third_party/rust/cranelift-codegen/src/machinst/lower.rs:599:16
    #10 0x5558ea68cb80 in cranelift_codegen::machinst::lower::Lower$LT$I$GT$::lower::h9b166c4bc018e45b third_party/rust/cranelift-codegen/src/machinst/lower.rs:761:16
    #11 0x5558ea67bbeb in cranelift_codegen::machinst::compile::compile::h550d93ab5cffa853 third_party/rust/cranelift-codegen/src/machinst/compile.rs:28:8
    #12 0x5558ea67bbeb in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h99a6dae3799ab55f third_party/rust/cranelift-codegen/src/isa/x64/mod.rs:45:8
    #13 0x5558ea67bbeb in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..machinst..MachBackend$GT$::compile_function::h3d8eef6fc3e842ff third_party/rust/cranelift-codegen/src/isa/x64/mod.rs:56:20
    #14 0x5558ea6c8026 in cranelift_codegen::context::Context::compile::hb235661a92c1d489 third_party/rust/cranelift-codegen/src/context.rs:192:25
    #15 0x5558ea346ed1 in baldrdash::compile::BatchCompiler::compile::h0259044dd3052d95 js/src/wasm/cranelift/src/compile.rs:147:19
    #16 0x5558ea354465 in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:220:20
    #17 0x5558e9d5e146 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:496:10
    #18 0x5558e9e06176 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:752:16
    #19 0x5558e9e077eb in locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:815:8
    #20 0x5558e9e077eb in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:953:24
    #21 0x5558e9d5bbca in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:579:13
    #22 0x5558e9d5b5b4 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:603:8
    #23 0x5558e9e94846 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1514:25
    #24 0x5558e8e0e6e1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:507:13
    [...]

Not marking s-s because this seems to affect the X64 backend only, which is not enabled by default.
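Added illustration, not Cranelift's own code or the fix that landed: this Rust models the operand-width check that the failed assertion in Inst::shift_r encodes, and shows why a constant wasm shift count must be reduced modulo the operand width before the instruction is built (wasm defines its shifts that way). The names ShiftR, lower_const_shift, lower_const_shift_unmasked and wasm_i32_shl are hypothetical.

```rust
/// Kinds of shift the modelled instruction supports (hypothetical enum).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ShiftKind {
    ShiftLeft,
    ShiftRightLogical,
    ShiftRightArithmetic,
}

/// Stand-in for the x64 shift instruction: `num_bits == None` models a count
/// taken from a register, `Some(n)` an immediate count.
#[derive(Debug, Clone, PartialEq)]
pub struct ShiftR {
    pub is_64: bool,
    pub kind: ShiftKind,
    pub num_bits: Option<u8>,
}

impl ShiftR {
    /// Same invariant as the failed assertion: an immediate count must be
    /// strictly below the operand width (32 or 64). Returns Err instead of
    /// panicking so the failure mode can be observed in a test.
    pub fn new(is_64: bool, kind: ShiftKind, num_bits: Option<u8>) -> Result<Self, String> {
        let width: u8 = if is_64 { 64 } else { 32 };
        match num_bits {
            Some(n) if n >= width => Err(format!("shift count {} >= width {}", n, width)),
            _ => Ok(ShiftR { is_64, kind, num_bits }),
        }
    }
}

/// Naive lowering: passes a wasm constant count straight through. A count of
/// 32 or more on a 32-bit shift reproduces the reported assertion failure.
pub fn lower_const_shift_unmasked(is_64: bool, kind: ShiftKind, count: u64) -> Result<ShiftR, String> {
    ShiftR::new(is_64, kind, Some(count.min(u8::MAX as u64) as u8))
}

/// Correct lowering: wasm defines shifts with the count reduced modulo the
/// operand width, so masking first is required for the semantics and also
/// sufficient to satisfy the instruction's invariant.
pub fn lower_const_shift(is_64: bool, kind: ShiftKind, count: u64) -> Result<ShiftR, String> {
    let width: u64 = if is_64 { 64 } else { 32 };
    ShiftR::new(is_64, kind, Some((count % width) as u8))
}

/// Reference semantics of wasm `i32.shl`: Rust's wrapping_shl masks the count
/// modulo 32, exactly as the wasm spec does.
pub fn wasm_i32_shl(x: u32, count: u32) -> u32 {
    x.wrapping_shl(count)
}
```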

Attached file Testcase

Thanks! Coincidentally, I've got a fix for this on a local branch, because this was triggered in existing test cases too; we just didn't see it because Cranelift x86 doesn't run in CI.

P3 because x64.

Severity: -- → S3
Priority: -- → P3
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

Fixed by a Cranelift bump in another bug, probably bug 1664453.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch