Closed Bug 1688262 Opened 4 years ago Closed 4 years ago

Assertion failure: count > 0 (Should have been a MOVE operation), at jit/x86-shared/CodeGenerator-x86-shared.cpp:3134

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

x86_64
All
defect

Tracking

VERIFIED FIXED
87 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- unaffected
firefox86 --- wontfix
firefox87 --- verified

People

(Reporter: decoder, Assigned: lth)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

The attached testcase crashes on mozilla-central revision 20210111-c6d819bd39da (build with --enable-debug, run with --no-threads --fuzzing-safe --wasm-compiler=optimizing --baseline-warmup-threshold=1 --ion-warmup-threshold=1 test.js).

Backtrace:

==29116==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x56230d392beb bp 0x7ffdee595000 sp 0x7ffdee594f70 T29116)
==29116==The signal is caused by a WRITE memory access.
==29116==Hint: address points to the zero page.
    #0 0x56230d392beb in js::jit::CodeGenerator::visitWasmPermuteSimd128(js::jit::LWasmPermuteSimd128*) js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:3134:7
    #1 0x56230d57be13 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:6906:9
    #2 0x56230d5d40a4 in js::jit::CodeGenerator::generateWasm(js::wasm::TypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) js/src/jit/CodeGenerator.cpp:11840:8
    #3 0x56230d980fcb in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmIonCompile.cpp:5552:20
    #4 0x56230d94394c in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:782:16
    #5 0x56230d94547b in locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:844:8
    #6 0x56230d94547b in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:982:24
    #7 0x56230d89a08d in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:571:13
    #8 0x56230d899b02 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:594:8
    #9 0x56230d995ad6 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1585:25
    #10 0x56230c7bbb71 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:503:13
    [...]

Marking s-s until investigated because this is a JIT-related assertion.

Attached file Testcase
Assignee: nobody → lhansen
Status: NEW → ASSIGNED

This is not s-s, it's just a missing guard in an optimization. The computation involves only vector values and there is no risk. This can be opened up.

Blocks: wasm-simd
Severity: -- → S2
OS: Linux → All
Priority: -- → P2
Group: javascript-core-security

The trigger for the rotate specialization did not check that the second run of increasing values in the shuffle pattern, if present, must start with lane value zero.
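To make the missing guard concrete, here is an added illustration (my own model, not SpiderMonkey's lowering code, which differs in its details) of classifying a 16-lane shuffle pattern as a byte rotate. A rotate is two runs of consecutive increasing lane indices, and the second run must restart at 0; the `guardSecondRun` flag toggles that check so the misclassification can be seen side by side with the corrected behaviour. The sample patterns are constructed, not taken from the attached testcase.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Lane selectors of an i8x16 shuffle whose two inputs are the same vector.
using Lanes = std::array<uint8_t, 16>;

// Classify `lanes` as a byte rotate, i.e. the pattern [k, k+1, ..., 15, 0, 1, ..., k-1]:
// a first run of consecutive increasing values ending at 15, then a second
// run of consecutive increasing values that starts at 0.  Returns the rotate
// count k, or -1 when the pattern is not a rotate (k == 0 is the identity,
// which a lowering would emit as a plain MOVE rather than a rotate).
// With `guardSecondRun == false` the function models the defect from this
// bug: the second run is accepted wherever it starts, so patterns that
// merely consist of two increasing runs are misclassified as rotates.
static int rotateCount(const Lanes& lanes, bool guardSecondRun) {
  for (uint8_t v : lanes) {
    if (v > 15) return -1;  // selectors index a single 16-byte input
  }
  const int k = lanes[0];
  // First run: k, k+1, ... up to lanes[i-1].
  size_t i = 1;
  while (i < 16 && lanes[i] == lanes[i - 1] + 1) i++;
  if (i == 16) {
    return 0;  // one run covering all lanes is 0..15: the identity
  }
  // For a rotate the first run must reach 15, i.e. have length 16 - k.
  if (i != static_cast<size_t>(16 - k)) return -1;
  // Second run: consecutive increasing values to the end of the pattern.
  size_t j = i + 1;
  while (j < 16 && lanes[j] == lanes[j - 1] + 1) j++;
  if (j != 16) return -1;
  // The missing check: the second run must start again at lane 0.
  if (guardSecondRun && lanes[i] != 0) return -1;
  return k;
}

// Constructed sample patterns (not from the bug's attachment).
static const Lanes kRotate5 = {5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4};
static const Lanes kTwoRuns = {8, 9, 10, 11, 12, 13, 14, 15, 1, 2, 3, 4, 5, 6, 7, 8};
static const Lanes kIdentity = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
```

Without the guard, `kTwoRuns` is reported as a rotate by 8 even though lanes 8..15 select bytes 1..8 rather than 0..7; with the guard it is rejected and falls through to the general shuffle path.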

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210124215058-63534c66d7b8.
Failed to bisect testcase (Unable to launch the start build!):

Start: c0fa6d007c58437398cc06a97d221c42d41dcf9e (20200127093737)
End: c6d819bd39daf86acd5e0c5bce5d74c2db8b8d64 (20210111215143)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:bisected,confirmed]
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a3ea7c600ff2 Properly guard the simd rotate operation. r=jseward
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210127213646-050d232035a7.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:lth, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(lhansen)

I think no code on the open web uses this, the feature has not shipped yet, it's in Nightly behind a flag. Serious users use Nightly for this.

Flags: needinfo?(lhansen)