Closed Bug 1664453 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(assertion failed: `(left == right)` left: `types::I32`, right: `types::I64`: declared type of variable Variable(0) doesn't match type of value v14) at third_party/rust/cranelift-frontend/src/frontend.rs:321

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

ARM64
Linux
defect

Tracking


RESOLVED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox80 --- disabled
firefox81 --- disabled
firefox82 --- fixed

People

(Reporter: decoder, Assigned: cfallin)


Attachments

(2 files)

The attached testcase crashes on mozilla-central revision f92ce84f27df (build with --enable-optimize --enable-fuzzing --enable-cranelift --enable-tests --enable-valgrind --enable-gczeal --disable-jemalloc --enable-debug, run with --no-threads --disable-oom-functions --wasm-compiler=cranelift test.js).

Backtrace:

==29841==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0xaaaad1554bc0 bp 0xffffd66b2510 sp 0xffffd66b2510 T29841)
==29841==The signal is caused by a WRITE memory access.
==29841==Hint: address points to the zero page.
    #0 0xaaaad1554bc0 in MOZ_Crash(char const*, int, char const*) dist/include/mozilla/Assertions.h:254:3
    #1 0xaaaad1554bc0 in RustMozCrash mozglue/static/rust/wrappers.cpp:17:3
    #2 0xaaaad1553684 in mozglue_static::panic_hook::h5f28c6fac2c8e399 mozglue/static/rust/lib.rs:89:9
    #3 0xaaaad1552c48 in core::ops::function::Fn::call::h05c9fa242c263522 /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libcore/ops/function.rs:72:5
    #4 0xaaaad1bd4e74 in std::panicking::rust_panic_with_hook::h852f9f79cfc5802e /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libstd/panicking.rs:530:17
    #5 0xaaaad1bd4a5c in rust_begin_unwind /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libstd/panicking.rs:437:5
    #6 0xaaaad1bd49d0 in std::panicking::begin_panic_fmt::ha2a23ee0d4c2b687 /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libstd/panicking.rs:391:5
    #7 0xaaaad17ae190 in cranelift_frontend::frontend::FunctionBuilder::def_var::hd48dc5f75fe54619 third_party/rust/cranelift-frontend/src/frontend.rs:321:9
    #8 0xaaaad1c9e13c in cranelift_wasm::code_translator::translate_operator::h0b87949138323cef third_party/rust/cranelift-wasm/src/code_translator.rs
    #9 0xaaaad15c053c in cranelift_wasm::func_translator::parse_function_body::hdc36f737043296a8 third_party/rust/cranelift-wasm/src/func_translator.rs:236:9
    #10 0xaaaad15bfb28 in cranelift_wasm::func_translator::FuncTranslator::translate_from_reader::h7ef425df5e0c5d15 third_party/rust/cranelift-wasm/src/func_translator.rs:112:9
    #11 0xaaaad15bfd4c in cranelift_wasm::func_translator::FuncTranslator::translate::h0a4c95b2d3d68be9 third_party/rust/cranelift-wasm/src/func_translator.rs:65:9
    #12 0xaaaad15bc29c in baldrdash::compile::BatchCompiler::translate_wasm::h7dc2511cdda8ae8d js/src/wasm/cranelift/src/compile.rs:162:9
    #13 0xaaaad15ba118 in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:215:21
    #14 0xaaaad0fa82e8 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:496:10
    #15 0xaaaad1067f74 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:748:16
    #16 0xaaaad1069ee0 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:817:8
    #17 0xaaaad1069ee0 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:955:24
    #18 0xaaaad0fa5d08 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:579:13
    #19 0xaaaad0fa5628 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:603:8
    #20 0xaaaad1100e84 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1522:25
    #21 0xaaaad00a37b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:508:13
    [...]
Attached file Testcase
Priority: -- → P1

Reduced shell test case:

let { exports } = new WebAssembly.Instance(
  new WebAssembly.Module(wasmTextToBinary(`
    (module
      (func $main (param i32)
        i32.const 39
        i32.const 0
        if (param i32)  ;; label = @1
          drop
          i32.const 39
          i32.const 0
          if (param i32)  ;; label = @2
            drop
          else
            i64.load32_s align=1
            unreachable
          end
        else
          local.set 0
          unreachable
        end
      )
      (memory (;0;) 14 14))
  `))
);
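The reduced test case above, hand-assembled into raw WebAssembly bytes as an added example (it is not code from the bug report, from SpiderMonkey or from Cranelift), so the same module can be compiled in any engine without the SpiderMonkey shell's wasmTextToBinary(). Two assumptions of this example: the function is additionally exported as "main" so it can be called after compilation, and the helpers uleb, section, vec, validates and runMain are this example's own names.

```javascript
'use strict';

// Unsigned LEB128: vector counts, section sizes, memory limits.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// A section is: id byte, uleb payload size, payload.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// A vector is: uleb item count, then the items back to back.
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

const I32 = 0x7f;
const FUNC_TYPE = 0x60;
const EMPTY_LOCALS = 0x00;

// Type 0: [i32] -> []. It is the signature of $main and also the blocktype of
// both `if (param i32)` blocks: an if that takes a block parameter needs the
// multi-value encoding, an s33 type index, and index 0 encodes as 0x00.
const TYPE_0 = [FUNC_TYPE, ...vec([[I32]]), ...vec([])];

// Function body of $main, byte for byte from the text above.
const body = [
  EMPTY_LOCALS,
  0x41, 39,          // i32.const 39
  0x41, 0,           // i32.const 0
  0x04, 0x00,        // if (param i32)        ;; blocktype = type index 0
  0x1a,              //   drop
  0x41, 39,          //   i32.const 39
  0x41, 0,           //   i32.const 0
  0x04, 0x00,        //   if (param i32)
  0x1a,              //     drop
  0x05,              //   else
  0x34, 0x00, 0x00,  //     i64.load32_s align=1 (memarg: log2(align)=0, offset=0)
  0x00,              //     unreachable
  0x0b,              //   end
  0x05,              // else
  0x21, 0x00,        //   local.set 0
  0x00,              //   unreachable
  0x0b,              // end
  0x0b,              // end of function
];

const MAIN = Array.from('main', c => c.charCodeAt(0));

const moduleBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                  // magic + version
  ...section(1, vec([TYPE_0])),                                     // type section
  ...section(3, vec([[0x00]])),                                     // function section: func 0 has type 0
  ...section(5, vec([[0x01, ...uleb(14), ...uleb(14)]])),           // memory section: (memory 14 14)
  ...section(7, vec([[...uleb(MAIN.length), ...MAIN, 0x00, 0x00]])), // export "main" = func 0 (added here)
  ...section(10, vec([[...uleb(body.length), ...body]])),           // code section
]);

// Does the host engine's validator accept the module?
function validates() {
  return WebAssembly.validate(moduleBytes);
}

// Compile, instantiate and call main. Both `if` conditions are the constant 0,
// so on a correctly compiled module every call ends in `unreachable`, i.e. a
// WebAssembly.RuntimeError trap. The crash in this bug happens earlier, at
// compile time, which is why the original test case never calls anything.
function runMain(arg) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(moduleBytes));
  try {
    instance.exports.main(arg);
    return 'returned';
  } catch (e) {
    if (e instanceof WebAssembly.RuntimeError) return 'trap';
    throw e;
  }
}
```

The bytes make the shape of the bug visible: the `if (param i32)` blocktype is a type index, so the block carries a value into both arms, and the arm that ends in `unreachable` still has to leave the translator's value stack consistent with the other arm. An engine that compiles this correctly accepts the module and traps on every call; the failure reported here was entirely in the compiler, as the backtrace under WasmModuleObject::construct shows.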

Fixed by https://github.com/bytecodealliance/wasmtime/pull/2197 (which is Ben's if-params fix from earlier today, adapted to the unreachable-code case).

This Cranelift update includes its PR #2197, which fixes a Wasm translation bug, as well as other miscellaneous updates and fixes.

Assignee: nobody → cfallin
Status: NEW → ASSIGNED

Try run of CL-on-ARM64-simulator: link

Attachment #9175862 - Attachment description: Bug 1664453: vendor latest Cranelift to resolve some bugs. r=jseward → Bug 1664453: vendor Cranelift to 379aed8092cd1241ec7839e77d05557b1dceb234 to resolve two Wasm translation bugs. r=jseward
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Flags: qe-verify+

Removing the qe-verify+ flag since we were not able to reproduce the issue.

Flags: qe-verify+

The PR mentions the potential for "mistranslation" which sounds exploitable so maybe sec-high, but if it's caught by an assert/rust-panic as in this specific testcase it wouldn't be as bad. (not spending too much time to figure it out since it's fixed and doesn't affect Release by default.)

Keywords: sec-high
Group: core-security-release