Closed Bug 1727284 Opened 4 years ago Closed 4 years ago

Assertion failure: !lir->isCall(), at /js/src/jit/shared/Lowering-shared-inl.h:50

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
93 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox91 --- unaffected
firefox92 --- unaffected
firefox93 --- verified

People

(Reporter: decoder, Assigned: rhunt)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][sec-survey])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 20210824-7857f4c37a92 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --fast-warmup --wasm-compiler=optimized --blinterp-eager --ion-warmup-threshold=0):

function test() {
  // Assemble, compile and instantiate a module from wasm text
  // (wasmTextToBinary is a JS shell builtin, available with --fuzzing-safe).
  function wasmEvalText(str, imports, options) {
    let binary = wasmTextToBinary(str);
    let m = new WebAssembly.Module(binary, options);
    return new WebAssembly.Instance(m, imports);
  }
  // "set" stores its externref argument into a mutable global; Ion's lowering of the
  // JS-object-to-anyref conversion (visitWasmAnyRefFromJSObject in the backtrace) is
  // where the !lir->isCall() assertion fires.
  let e91 = wasmEvalText(`
    (module
      (global $g (mut externref) (ref.null extern))
      (func (export "set") (param externref) local.get 0 global.set $g)
    )
  `).exports;
  let obj = { field: null };
  e91.set(obj);
  // Warm-up loop so the baseline-to-Ion OSR compile seen in the backtrace is triggered
  // under the given --fast-warmup / --ion-warmup-threshold=0 flags.
  for (var v4 = 0; v4 < 10; v4++) {}
} test();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000055555774dc9f in void js::jit::LIRGeneratorShared::define<0ul>(js::jit::details::LInstructionFixedDefsTempsHelper<1ul, 0ul>*, js::jit::MDefinition*, js::jit::LDefinition const&) ()
#0  0x000055555774dc9f in void js::jit::LIRGeneratorShared::define<0ul>(js::jit::details::LInstructionFixedDefsTempsHelper<1ul, 0ul>*, js::jit::MDefinition*, js::jit::LDefinition const&) ()
#1  0x0000555557aa10ef in js::jit::LIRGenerator::visitWasmAnyRefFromJSObject(js::jit::MWasmAnyRefFromJSObject*) ()
#2  0x0000555557ad4f2c in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) ()
#3  0x0000555557ad580f in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) ()
#4  0x0000555557ad5c55 in js::jit::LIRGenerator::generate() ()
#5  0x000055555799af3f in js::jit::GenerateLIR(js::jit::MIRGenerator*) ()
#6  0x000055555799c118 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x000055555799d85e in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#8  0x000055555799e119 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#9  0x000055555799e8ea in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#10 0x0000362458d1a8b7 in ?? ()
#11 0x00007fffffffb618 in ?? ()
#12 0x00007fffffffb578 in ?? ()
#13 0x00005555580e5350 in js::jit::tailCallVMFunctions ()
#14 0x0000000000000000 in ?? ()
rax	0x55555582691a	93824995191066
rbx	0x7ffff5612238	140737310171704
rcx	0x555558128820	93825038190624
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffff9e50	140737488330320
rsp	0x7fffffff9e30	140737488330288
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f98840	140737353713728
r10	0x0	0
r11	0x0	0
r12	0x7fffffff9f70	140737488330608
r13	0x7ffff5608748	140737310132040
r14	0x7ffff560a6a8	140737310140072
r15	0x7fffffff9f70	140737488330608
rip	0x55555774dc9f <void js::jit::LIRGeneratorShared::define<0ul>(js::jit::details::LInstructionFixedDefsTempsHelper<1ul, 0ul>*, js::jit::MDefinition*, js::jit::LDefinition const&)+207>
=> 0x55555774dc9f <_ZN2js3jit18LIRGeneratorShared6defineILm0EEEvPNS0_7details32LInstructionFixedDefsTempsHelperILm1EXT_EEEPNS0_11MDefinitionERKNS0_11LDefinitionE+207>:	movl   $0x32,0x0
   0x55555774dcaa <_ZN2js3jit18LIRGeneratorShared6defineILm0EEEvPNS0_7details32LInstructionFixedDefsTempsHelperILm1EXT_EEEPNS0_11MDefinitionERKNS0_11LDefinitionE+218>:	callq  0x555556b06a2a <abort>

Marking s-s because this is a JIT assert.

Attached file Testcase

This should be nightly-only, I think.

Assignee: nobody → rhunt
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1

I'm guessing LIROps.yaml is wrong in flagging this as a call instruction.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210824094724-7857f4c37a92.
Failed to bisect testcase (Unable to launch the start build!):

Start: ae3feb731c92425c7bd4d32b9d0c8fbb907f4f9b (20200825033900)
End: 7857f4c37a928c219638460c7048940a78bbf1ba (20210824094724)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Guessing severity based on comment 4, which is itself a guess. Please feel free to correct when you know more.

Keywords: sec-high

I don't see any other wasm LIR nodes that are marked incorrectly.
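The check described in the two comments above (does the `call` flag in LIROps.yaml agree with how each visit* lowering defines its result?) written out as a small Python lint. This is added example code for this page, not SpiderMonkey's own GenerateLIROps tooling. The YAML entries and Lowering.cpp snippets embedded in it are constructed stand-ins shaped like the real files, not the tree's actual contents; the only names taken from the project are define(), defineReturn() and the !lir->isCall() assertion in the bug title.

```python
"""Lint: LIR op metadata vs. lowering code (added example, not SpiderMonkey tooling).

Models the mismatch behind this bug: an op flagged `call: true` in LIROps.yaml
whose LIRGenerator::visit* lowering still uses plain define().  The real
LIRGeneratorShared::define asserts !lir->isCall(), because call instructions
clobber registers and must define their result through defineReturn() instead.
"""
import re

# Constructed stand-in for a few LIROps.yaml entries (simplified format).
# The first entry carries the suspected bad flag; the others are controls.
LIR_OPS_YAML = """\
- name: WasmAnyRefFromJSObject
  result_type: WordSized
  operands:
    object: WordSized
  call: true

- name: WasmCall
  gen_boilerplate: false
  call: true

- name: WasmBoxValue
  result_type: WordSized
  operands:
    input: BoxedValue
"""

# Constructed stand-ins for the matching lowering functions in Lowering.cpp.
LOWERING_CPP = """\
void LIRGenerator::visitWasmAnyRefFromJSObject(MWasmAnyRefFromJSObject* ins) {
  LWasmAnyRefFromJSObject* lir =
      new (alloc()) LWasmAnyRefFromJSObject(useRegisterAtStart(ins->input()));
  define(lir, ins);
}

void LIRGenerator::visitWasmBoxValue(MWasmBoxValue* ins) {
  LWasmBoxValue* lir = new (alloc()) LWasmBoxValue(useBox(ins->input()));
  define(lir, ins);
}
"""


def parse_lir_ops(yaml_text):
    """Return {op_name: is_call} from the simplified YAML subset above."""
    ops = {}
    current = None
    for line in yaml_text.splitlines():
        m = re.match(r"-\s*name:\s*(\w+)", line)
        if m:
            current = m.group(1)
            ops[current] = False
            continue
        if current and re.match(r"\s+call:\s*true\b", line):
            ops[current] = True
    return ops


def parse_lowerings(cpp_text):
    """Return {op_name: set of define* helpers called inside visit<Op>'s body}."""
    fn = re.compile(r"void LIRGenerator::visit(\w+)\([^)]*\)\s*\{(.*?)\n\}", re.S)
    return {name: set(re.findall(r"\b(define\w*)\s*\(", body))
            for name, body in fn.findall(cpp_text)}


def find_mismatches(ops, lowerings):
    """Flag ops whose call flag disagrees with the define helper their lowering uses."""
    findings = []
    for name, helpers in lowerings.items():
        if name not in ops:          # lowering for an op this YAML does not describe
            continue
        plain = sorted(helpers - {"defineReturn"})
        if ops[name] and plain:
            findings.append((name, "call: true but lowering uses " + ", ".join(plain)
                             + "(); define() asserts !lir->isCall()"))
        elif not ops[name] and "defineReturn" in helpers:
            findings.append((name, "defineReturn() used but op is not flagged call: true"))
    return findings


if __name__ == "__main__":
    for name, why in find_mismatches(parse_lir_ops(LIR_OPS_YAML),
                                     parse_lowerings(LOWERING_CPP)):
        print(f"{name}: {why}")
```

Run against the constructed inputs it reports only WasmAnyRefFromJSObject; drop that entry's `call: true` line and the report is empty, which is the shape of fix the comments above point at. WasmCall is skipped on purpose: with `gen_boilerplate: false` its lowering lives elsewhere, so a real lint would need to follow that path rather than assume a visit* function exists.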

Test case fails without this, passes with it.

Regressing commit: https://hg.mozilla.org/integration/autoland/rev/e25df64152c2. So this should be only in nightly right now, as Lars said.

Regressed by: 1699271
Has Regression Range: --- → yes
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210831031805-a75035552058.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Can we land a test for this?

Flags: needinfo?(rhunt)

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(rhunt)
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][sec-survey]

Yes, we can add a test. Leaving ni.

Flags: needinfo?(rhunt)
Flags: needinfo?(rhunt)
Group: core-security-release
