Hit MOZ_CRASH(assertion failed: `(left == right)` left: `types::I32`, right: `types::I64`: declared type of variable Variable(0) doesn't match type of value v14) at third_party/rust/cranelift-frontend/src/frontend.rs:321
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
Tracking | Status |
---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | disabled |
firefox80 | --- | disabled |
firefox81 | --- | disabled |
firefox82 | --- | fixed |
People
(Reporter: decoder, Assigned: cfallin)
References
Details
(5 keywords)
Attachments
(2 files)
The attached testcase crashes on mozilla-central revision f92ce84f27df (build with --enable-optimize --enable-fuzzing --enable-cranelift --enable-tests --enable-valgrind --enable-gczeal --disable-jemalloc --enable-debug, run with --no-threads --disable-oom-functions --wasm-compiler=cranelift test.js).
Backtrace:

```
==29841==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0xaaaad1554bc0 bp 0xffffd66b2510 sp 0xffffd66b2510 T29841)
==29841==The signal is caused by a WRITE memory access.
==29841==Hint: address points to the zero page.
    #0 0xaaaad1554bc0 in MOZ_Crash(char const*, int, char const*) dist/include/mozilla/Assertions.h:254:3
    #1 0xaaaad1554bc0 in RustMozCrash mozglue/static/rust/wrappers.cpp:17:3
    #2 0xaaaad1553684 in mozglue_static::panic_hook::h5f28c6fac2c8e399 mozglue/static/rust/lib.rs:89:9
    #3 0xaaaad1552c48 in core::ops::function::Fn::call::h05c9fa242c263522 /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libcore/ops/function.rs:72:5
    #4 0xaaaad1bd4e74 in std::panicking::rust_panic_with_hook::h852f9f79cfc5802e /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libstd/panicking.rs:530:17
    #5 0xaaaad1bd4a5c in rust_begin_unwind /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libstd/panicking.rs:437:5
    #6 0xaaaad1bd49d0 in std::panicking::begin_panic_fmt::ha2a23ee0d4c2b687 /rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9/src/libstd/panicking.rs:391:5
    #7 0xaaaad17ae190 in cranelift_frontend::frontend::FunctionBuilder::def_var::hd48dc5f75fe54619 third_party/rust/cranelift-frontend/src/frontend.rs:321:9
    #8 0xaaaad1c9e13c in cranelift_wasm::code_translator::translate_operator::h0b87949138323cef third_party/rust/cranelift-wasm/src/code_translator.rs
    #9 0xaaaad15c053c in cranelift_wasm::func_translator::parse_function_body::hdc36f737043296a8 third_party/rust/cranelift-wasm/src/func_translator.rs:236:9
    #10 0xaaaad15bfb28 in cranelift_wasm::func_translator::FuncTranslator::translate_from_reader::h7ef425df5e0c5d15 third_party/rust/cranelift-wasm/src/func_translator.rs:112:9
    #11 0xaaaad15bfd4c in cranelift_wasm::func_translator::FuncTranslator::translate::h0a4c95b2d3d68be9 third_party/rust/cranelift-wasm/src/func_translator.rs:65:9
    #12 0xaaaad15bc29c in baldrdash::compile::BatchCompiler::translate_wasm::h7dc2511cdda8ae8d js/src/wasm/cranelift/src/compile.rs:162:9
    #13 0xaaaad15ba118 in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:215:21
    #14 0xaaaad0fa82e8 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:496:10
    #15 0xaaaad1067f74 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:748:16
    #16 0xaaaad1069ee0 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:817:8
    #17 0xaaaad1069ee0 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:955:24
    #18 0xaaaad0fa5d08 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:579:13
    #19 0xaaaad0fa5628 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:603:8
    #20 0xaaaad1100e84 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1522:25
    #21 0xaaaad00a37b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:508:13
    [...]
```
Comment 1 (Reporter) • 4 years ago

Updated • 4 years ago

Comment 2 • 4 years ago
Reduced shell test case:

```javascript
let { exports } = new WebAssembly.Instance(
  new WebAssembly.Module(wasmTextToBinary(`
    (module
      (func $main (param i32)
        i32.const 39
        i32.const 0
        if (param i32) ;; label = @1
          drop
          i32.const 39
          i32.const 0
          if (param i32) ;; label = @2
            drop
          else
            i64.load32_s align=1
            unreachable
          end
        else
          local.set 0
          unreachable
        end
      )
      (memory (;0;) 14 14))
  `))
);
```
Comment 3 (Assignee) • 4 years ago
Fixed by https://github.com/bytecodealliance/wasmtime/pull/2197 (which is Ben's if-params fix from earlier today, adapted to the unreachable-code case).
Comment 4 (Assignee) • 4 years ago
This Cranelift update includes its PR #2197, which fixes a Wasm translation bug, as well as other miscellaneous updates and fixes.
Updated • 4 years ago

Updated • 4 years ago
Comment 6 • 4 years ago
https://hg.mozilla.org/integration/autoland/rev/d8502f45b50499a5f893720fc6ecef9c9dcdcc65
https://hg.mozilla.org/mozilla-central/rev/d8502f45b504
Updated • 4 years ago

Updated • 4 years ago
Comment 7 • 4 years ago
Removing the qe-verify+ flag since we were not able to reproduce the issue.
Comment 8 • 4 years ago
The PR mentions the potential for "mistranslation", which sounds exploitable, so maybe sec-high, but if it's caught by an assert/Rust panic as in this specific testcase it wouldn't be as bad. (Not spending too much time to figure it out since it's fixed and doesn't affect Release by default.)
Updated • 4 years ago