Closed Bug 1684861 Opened 5 years ago Closed 5 years ago

Baseline compiler does not take offset into account for atomic wait or notify. (was: Different error messages with WebAssembly Memory and ion vs. baseline)

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fixed

People

(Reporter: decoder, Assigned: yury)

Details

(Keywords: regression, testcase)

Attachments

(2 files)

Testcase
9.73 KB, application/octet-stream
Details
Bug 1684861 - wasm: add address folding for atomic wake/wait.
48 bytes, text/x-phabricator-request
Details | Review

The attached testcase produces different error messages on mozilla-central revision 20210103-89fef9703703 (build with --enable-debug, run with either --no-threads --wasm-compiler=baseline test.js or --no-threads --wasm-compiler=ion test.js).

debug64/dist/bin/js --no-threads --wasm-compiler=baseline test.js
test.js line 10 > WebAssembly.Module:43:1 RuntimeError: index out of bounds

vs.

debug64/dist/bin/js --no-threads --wasm-compiler=ion test.js
test.js line 10 > WebAssembly.Module:43:1 RuntimeError: unaligned memory access

Marking this s-s until :lth had time to investigate. We should be able to ignore this in the fuzzer if it turns out to be not an issue.

Attached file Testcase

Yeah, this is weird. The problem is a call to the wake() operation, and ion and baseline receive a different value here, which is why we see different error messages. But it's not clear yet why the values are different.

Assignee: nobody → lhansen
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1
(module
  (type (;0;) (func))
  (func $main (type 0)
    i32.const -64
    i32.const -63
    memory.atomic.notify offset=1
    unreachable)
  (memory (;0;) 4 4)
  (export "main" (func $main)))

The bug is that the baseline compiler forgets to fold the offset into the address (-64). If it did, the effective address would be -65 which would give rise to the "unaligned memory access" error. As it is, the address is aligned when it comes from the baseline compiler and thus we fall through to the next check, which is a bounds check. ("index out of bounds" is a bit generic frankly.)

This is not a security problem because everything is properly bounds checked, we just don't compute the correct address. So we should open up. I'll retitle.

Priority: P1 → P2
Summary: Different error messages with WebAssembly Memory and ion vs. baseline → Baseline compiler does not take offset into account for atomic wait or notify. (was: Different error messages with WebAssembly Memory and ion vs. baseline)
Assignee: lhansen → ydelendik

Unhiding per comment 3.

Group: javascript-core-security
Flags: needinfo?(jseward)

There might be a need to redesign API for SymbolicAddress::Wake and co. functions to accept final and valid pointer instead of (memory +) 32bit-offset. Do we want to refactor these instead of patching only baseline compiler?

Flags: needinfo?(lhansen)

Related patch for wasmtime repo https://github.com/bytecodealliance/wasmtime/pull/2556

Commented on the patch. I think the API is fine, we just need to generate simpler code in baseline, that folds the offset and does nothing else.

Flags: needinfo?(lhansen)
Flags: needinfo?(jseward)

Sorry, did not mean to clear ni? for Julian!

Flags: needinfo?(jseward)
Pushed by ydelendik@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bf1b2cc8b927 wasm: add address folding for atomic wake/wait. r=lth

Few potential TODOs:

  • "... Positive tests of wait and notify that use a nonzero offset. [...] Basically for wait, it should be enough to have a value already in a location that we wait for so that the wait does not block. Notify is trickier, we may need to set something up with shell workers. Something in js/src/tests/shell/futex.js may serve as an inspiration."

  • Cranelift update (for https://github.com/bytecodealliance/wasmtime/pull/2556) and enable the test

Whiteboard: [keep-alive]

https://hg.mozilla.org/mozilla-central/rev/bf1b2cc8b927

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox86: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
status-firefox84: --- → wontfix
status-firefox85: --- → wontfix
status-firefox-esr78: --- → wontfix
Flags: needinfo?(jseward) → in-testsuite+
Flags: needinfo?(jseward)

The Cranelift components of this have been fixed upstream in
https://github.com/bytecodealliance/wasmtime/pull/2556/.
The fix has been pulled into nightly by the CL rebase in bug 1689950,
which is also now closed.

Yury, have all the non-CL components of this landed now? If so can we close?

Flags: needinfo?(jseward) → needinfo?(ydelendik)

If so can we close?

Uh, duh. It is closed already. Ignore ..

Flags: needinfo?(ydelendik)

Julian, we need to enable testing with js/src/jit-test/tests/wasm/regress/bug1684861.js though. These tests shall work with CL compiler.

Whiteboard: [keep-alive]
Flags: needinfo?(ydelendik)
Flags: needinfo?(ydelendik)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: