Closed Bug 1766809 Opened 3 years ago Closed 3 years ago

Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp:270

Categories

(Core :: JavaScript: WebAssembly, defect)

ARM64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1766806
Tracking Status
firefox101 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The attached testcase crashes on mozilla-central revision 23768574eb6d (debug fuzzing build, run with --no-threads --fuzzing-safe --wasm-compiler=optimizing test.js).

Backtrace:

    ==2946==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0xaaaae827c214 bp 0xffffd0ef3690 sp 0xffffd0ef35e0 T2946)
    ==2946==The signal is caused by a WRITE memory access.
    ==2946==Hint: address points to the zero page.
        #0 0xaaaae827c214 in js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation) js/src/jit/RegisterAllocator.cpp
        #1 0xaaaae827875c in js::jit::AllocationIntegrityState::check() js/src/jit/RegisterAllocator.cpp:207:14
        #2 0xaaaae8040ff4 in js::jit::GenerateLIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1534:26
        #3 0xaaaae84a28cc in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmIonCompile.cpp:6944:23
        #4 0xaaaae8454af0 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:712:16
        #5 0xaaaae8456a14 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:773:8
        #6 0xaaaae8456a14 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:913:24
        #7 0xaaaae84168cc in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:709:13
        #8 0xaaaae8416250 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) js/src/wasm/WasmCompile.cpp:731:8
        #9 0xaaaae84bd278 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1815:7
        #10 0xaaaae6fcff38 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:420:13
        [...]

This is likely the same bug as bug 1766806 but we found this with our own fuzzer (and a different type of fuzzing). The fuzzer is based on the module builder API fuzzing on real ARM64 hardware.

Attached file Testcase

Fix attached to bug 1766806.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon