Closed
Bug 1776358
Opened 2 years ago
Closed 2 years ago
Assertion failure: (frameDepth_ % WasmStackAlignment) == 0 (Trap exit stub needs 16-byte aligned stack pointer), at jit/shared/CodeGenerator-shared.cpp:113
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
103 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox101 | --- | unaffected |
| firefox102 | --- | unaffected |
| firefox103 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
(function (s, foreign, h) {
"use asm";
var g = foreign.g;
function f() {
1 ? 0 : g(.0, .0, .0, .0, .0, .0, .0, .0, .0) | 0;
}
return f;
})();
Thread 1 "js-dbg-64-armsi" received signal SIGSEGV, Segmentation fault.
js::jit::CodeGeneratorShared::CodeGeneratorShared (this=0x7fffffff53b0, gen=0x7fffffff5190, graph=0x7ffff5e04e80, masmArg=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/shared/CodeGenerator-shared.cpp:112
112 MOZ_ASSERT((frameDepth_ % WasmStackAlignment) == 0,
(gdb) bt
#0 js::jit::CodeGeneratorShared::CodeGeneratorShared (this=0x7fffffff53b0, gen=0x7fffffff5190, graph=0x7ffff5e04e80, masmArg=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/shared/CodeGenerator-shared.cpp:112
#1 0x00005555577cf981 in js::jit::CodeGeneratorARM64::CodeGeneratorARM64 (this=0x7fffffff53b0, gen=0x0, graph=0x7ffff7c86723 <_IO_2_1_stderr_+131>, masm=0x5555582af440 <gMozCrashReason>) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/CodeGenerator-arm64.cpp:40
#2 0x0000555557a1ba52 in js::jit::CodeGenerator::CodeGenerator (this=0x7fffffff53b0, gen=0x7fffffff5190, graph=0x7ffff7c86723 <_IO_2_1_stderr_+131>, masm=0x5555582af440 <gMozCrashReason>) at /home/skygentoo/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:953
#3 0x0000555557d6612f in js::wasm::IonCompileFunctions (moduleEnv=..., compilerEnv=..., lifo=..., inputs=..., code=<optimized out>, error=error@entry=0x0) at /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:6940
#4 0x0000555557d2f823 in ExecuteCompileTask (task=0x7ffff6ad6000, error=0x0) at /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:739
#5 0x0000555557d304fa in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7fffffff7850) at /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:800
#6 js::wasm::ModuleGenerator::finishFuncDefs (this=0x7fffffff7850) at /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:940
#7 0x0000555557cf1f74 in ModuleValidator<mozilla::Utf8Unit>::finish (this=<optimized out>, this@entry=0x7fffffff8b10) at /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:2199
#8 0x0000555557c38e5e in CheckModule<mozilla::Utf8Unit> (cx=<optimized out>, parserAtoms=..., parser=..., stmtList=<optimized out>, time=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:6459
#9 DoCompileAsmJS<mozilla::Utf8Unit> (parser=..., validated=<optimized out>, cx=<optimized out>, parserAtoms=..., stmtList=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:7148
#10 js::CompileAsmJS (cx=<optimized out>, parserAtoms=..., parser=..., stmtList=<optimized out>, validated=validated@entry=0x7fffffff94bf) at /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:7177
#11 0x000055555736b714 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS (this=0x7fffffffb990, this@entry=0x7fffffff950e, list=0x5555582af440 <gMozCrashReason>, list@entry=0x7ffff6ac0268) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3891
#12 0x0000555557352860 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS (this=<optimized out>, list=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3904
#13 0x000055555734611c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:4098
#14 0x0000555557350026 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionBody (this=this@entry=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression, type=js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::StatementListBody) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:2404
#15 0x000055555734ef21 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionFormalParametersAndBody (this=this@entry=0x7fffffffb990, inHandling=js::frontend::InAllowed, yieldHandling=<optimized out>, funNode=<optimized out>, funNode@entry=0x7fffffff96c0, kind=kind@entry=js::frontend::FunctionSyntaxKind::Expression, parameterListEnd=..., isStandaloneFunction=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3606
#16 0x000055555736b38a in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::innerFunctionForFunctionBox (this=0x7fffffffb990, funNode=0x7ffff6ac0060, outerpc=0x7fffffffa978, funbox=0x7ffff6ac00a0, inHandling=js::frontend::InAllowed, yieldHandling=(js::frontend::YieldIsKeyword | unknown: 0xf7c86722), newDirectives=0x7fffffff9c46, kind=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3302
#17 js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::innerFunction (this=this@entry=0x7fffffffb990, funNode=<optimized out>, outerpc=<optimized out>, explicitName=..., explicitName@entry=..., flags=..., toStringStart=<optimized out>, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression, generatorKind=<optimized out>, asyncKind=<optimized out>, tryAnnexB=<optimized out>, inheritedDirectives=..., newDirectives=0x7fffffff9c46) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3336
#18 0x0000555557347ed5 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::trySyntaxParseInnerFunction (this=this@entry=0x7fffffffb990, funNode=funNode@entry=0x7fffffff9c48, explicitName=explicitName@entry=..., flags=..., flags@entry=..., toStringStart=3, toStringStart@entry=1, inHandling=(js::frontend::InProhibited | unknown: 0x292), inHandling@entry=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression, generatorKind=<optimized out>, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=<optimized out>, inheritedDirectives=..., newDirectives=0x7fffffff9c46) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3240
#19 0x0000555557351bcd in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::trySyntaxParseInnerFunction (this=0x7fffffffb990, funNode=0x7fffffff9c48, explicitName=..., toStringStart=1, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, newDirectives=0x7fffffff9c46, flags=..., kind=<optimized out>, generatorKind=<optimized out>, asyncKind=<optimized out>, tryAnnexB=<optimized out>, inheritedDirectives=...) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3279
#20 js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionDefinition (this=this@entry=0x7fffffffb990, funNode=0x7ffff6ac0060, toStringStart=toStringStart@entry=1, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., kind=js::frontend::FunctionSyntaxKind::Expression, generatorKind=<optimized out>, asyncKind=<optimized out>, tryAnnexB=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3104
#21 0x000055555735200f in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionExpr (this=this@entry=0x7fffffffb990, toStringStart=4157105955, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked, asyncKind=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3827
#22 0x000055555735fc4f in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::primaryExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TokenKind::Function, possibleError=possibleError@entry=0x7fffffffa130, invoked=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:12383
#23 0x000055555735d99c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::memberExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TokenKind::LeftCurly, allowCallSyntax=true, possibleError=possibleError@entry=0x7fffffffa130, invoked=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:10542
#24 0x000055555735cd63 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::optionalExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TokenKind::Function, possibleError=possibleError@entry=0x7fffffffa130, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:10088
#25 0x000055555735c856 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::unaryExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7fffffffa130, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked, privateNameHandling=<optimized out>, privateNameHandling@entry=js::frontend::PrivateNameAllowed) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:10320
#26 0x000055555735bc1f in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::orExpr (this=this@entry=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7fffffffa130, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9520
#27 0x000055555735b84c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::condExpr (this=this@entry=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=(unknown: 0x582af440), tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=0x0, possibleError@entry=0x7fffffffa130, invoked=(js::frontend::ParserBase::PredictInvoked | unknown: 0x2), invoked@entry=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9665
#28 0x00005555573547db in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::assignExpr (this=0x7fffffffb990, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotAllowed, possibleError=0x7fffffffa650, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9833
#29 0x00005555573477c2 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::expr (this=0x7fffffffb990, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotAllowed, possibleError=0x7fffffffa650, invoked=(js::frontend::ParserBase::PredictInvoked | unknown: 0x2), invoked@entry=js::frontend::ParserBase::PredictInvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9364
#30 0x0000555557354e44 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::exprInParens (this=0x7ffff7c87a60 <_IO_stdfile_2_lock>, this@entry=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=(js::frontend::YieldIsKeyword | unknown: 0xf7c86722), yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=(unknown: 0x582af440), tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=0x0, possibleError@entry=0x7fffffffa650) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:12576
#31 0x000055555735ff29 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::primaryExpr (this=this@entry=0x7fffffffb990, yieldHandling=(js::frontend::YieldIsKeyword | unknown: 0xf7c86722), yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=<optimized out>, possibleError=0x0, possibleError@entry=0x7fffffffa650, invoked=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:12431
#32 0x000055555735d99c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::memberExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=js::frontend::TokenKind::LeftCurly, allowCallSyntax=true, possibleError=possibleError@entry=0x7fffffffa650, invoked=js::frontend::ParserBase::PredictUninvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:10542
#33 0x000055555735cd63 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::optionalExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=js::frontend::TokenKind::LeftParen, possibleError=possibleError@entry=0x7fffffffa650, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:10088
#34 0x000055555735c856 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::unaryExpr (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffffa650, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked, privateNameHandling=<optimized out>, privateNameHandling@entry=js::frontend::PrivateNameAllowed) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:10320
#35 0x000055555735bc1f in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::orExpr (this=this@entry=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffffa650, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9520
#36 0x000055555735b84c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::condExpr (this=this@entry=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=(unknown: 0x582af440), tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=0x0, possibleError@entry=0x7fffffffa650, invoked=(js::frontend::ParserBase::PredictInvoked | unknown: 0x2), invoked@entry=js::frontend::ParserBase::PredictUninvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9665
#37 0x00005555573547db in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::assignExpr (this=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x0, invoked=js::frontend::ParserBase::PredictUninvoked) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9833
#38 0x00005555573477c2 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::expr (this=0x7fffffffb990, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x0, invoked=(js::frontend::ParserBase::PredictInvoked | unknown: 0x2)) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9364
#39 0x0000555557349525 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::expressionStatement (this=0x7fffffffb990, yieldHandling=(js::frontend::YieldIsKeyword | unknown: 0xf7c86722), invoked=(js::frontend::ParserBase::PredictInvoked | unknown: 0x2)) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:6339
#40 0x0000555557348d3f in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementListItem (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:9220
#41 0x0000555557346055 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList (this=this@entry=0x7fffffffb990, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:4076
#42 0x00005555573b923b in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::globalBody (this=0x7fffffffb990, globalsc=0x7fffffffaef0) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:1816
#43 0x0000555557404141 in ScriptCompiler<mozilla::Utf8Unit>::compile (this=this@entry=0x7fffffffb0a8, cx=cx@entry=0x7ffff6a2c200, sc=sc@entry=0x7fffffffaef0) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:740
#44 0x00005555573f4e1d in CompileGlobalScriptToStencilAndMaybeInstantiate<mozilla::Utf8Unit> (cx=cx@entry=0x7ffff6a2c200, tempLifoAlloc=..., input=..., srcBuf=..., scopeKind=js::ScopeKind::Global, output=...) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:297
#45 0x00005555573ca336 in CompileGlobalScriptImpl<mozilla::Utf8Unit> (cx=0x7ffff6a2c200, options=..., scopeKind=js::ScopeKind::Global, srcBuf=...) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:456
#46 js::frontend::CompileGlobalScript (cx=cx@entry=0x7ffff6a2c200, options=..., srcBuf=..., scopeKind=js::ScopeKind::Global) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:472
#47 0x0000555556da586e in CompileSourceBuffer<mozilla::Utf8Unit> (cx=<optimized out>, cx@entry=0x7ffff6a2c200, options=..., srcBuf=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:70
#48 0x0000555556da686b in JS::CompileUtf8File (cx=cx@entry=0x7ffff6a2c200, options=..., file=<optimized out>, file@entry=0x7ffff7864020) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:178
#49 0x0000555556b71a19 in RunFile (cx=cx@entry=0x7ffff6a2c200, filename=0x7fffffffde38 "w63-reduced.js", filename@entry=0x7ffff7864020 "\230$\255\373\344\344\344", <incomplete sequence \344>, file=file@entry=0x7ffff7864020, compileMethod=compileMethod@entry=CompileUtf8::DontInflate, compileOnly=false) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1023
#50 0x0000555556b7134f in Process (cx=cx@entry=0x7ffff6a2c200, filename=<optimized out>, forceTTY=false, kind=kind@entry=FileScript) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1657
#51 0x0000555556b376b7 in ProcessArgs (cx=0x7ffff6a2c200, op=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:10961
#52 Shell (cx=0x7ffff6a2c200, op=op@entry=0x7fffffffd6a8) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11699
#53 0x0000555556b3059a in main (argc=<optimized out>, argv=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12819
(gdb)
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-simulator=arm64 --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-bootstrap --disable-tests, tested on m-c rev 581fb7e2cbe4.
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9716d1d26289
user: Jan de Mooij
date: Fri Jun 17 11:21:24 2022 +0000
summary: Bug 1774449 - Always align SP to 16 bytes in Wasm Ion codegen for ARM64. r=rhunt
Not sure if this is s-s, I'd leave it to Jan.
Flags: sec-bounty?
Flags: needinfo?(jdemooij)
|
||
Comment 1•2 years ago
|
||
Set release status flags based on info from the regressing bug 1774449
status-firefox101:
--- → unaffected
status-firefox102:
--- → unaffected
status-firefox-esr91:
--- → unaffected
|
Assignee | |
Comment 2•2 years ago
|
||
Good find. Wasm computes gen->wasmMaxStackArgBytes() early on, but if later on we dead-code-eliminate call instructions, we can have the case where gen->needsStaticStackAlignment() is false but we do allocate possibly-unaligned space for the stack args.
This shouldn't be security-sensitive but I wonder if there's an old guaranteed-crash bug here on ARM64 similar to bug 1774449. I'll try to craft a test case later today.
|
|
Assignee | |
Comment 3•2 years ago
|
||
Here's a test that fails on release (FF 101), this likely has been an issue with the Wasm ARM64 Ion port since the beginning. The assertion added in bug 1774449 exposed this.
let func = wasmEvalText(`(module
(func
(param f64) (param f64) (param f64) (param f64) (param f64)
(param f64) (param f64) (param f64) (param f64)
)
(func
(param i32)
(result i32)
i32.const 0
(if (then
(call 0
(f64.const 0) (f64.const 0) (f64.const 0) (f64.const 0) (f64.const 0)
(f64.const 0) (f64.const 0) (f64.const 0) (f64.const 0)
)
))
(i32.div_s (get_local 0) (get_local 0))
)
(export "" (func 1))
)`).exports[""];
func(0);
|
|
Assignee | |
Comment 4•2 years ago
|
||
Because wasmMaxStackArgBytes is calculated early on, it was possible we later eliminated
all call instructions and needsStaticStackAlignment was false, but we still included
wasmMaxStackArgBytes in the frame size, breaking stack alignment invariants on ARM64.
The simplest fix is to not include wasmMaxStackArgBytes if we know there are no calls (left).
This fixes an old Ion ARM64 bug exposed by the assertion added in bug 1774449.
|
||
Updated•2 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(jdemooij)
|
||
Updated•2 years ago
|
Group: core-security → javascript-core-security
|
||
Comment 5•2 years ago
|
||
Only include wasmMaxStackArgBytes in Ion frame size if there are calls. r=rhunt
https://hg.mozilla.org/integration/autoland/rev/029838346d0e7a7a2d53f4b08993224b5e75c973
https://hg.mozilla.org/mozilla-central/rev/029838346d0e
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
|
|
Assignee | |
Updated•2 years ago
|
Group: core-security-release
|
|
||
Updated•2 years ago
|
Keywords: regression
|
|
||
Comment 6•2 years ago
|
||
Set release status flags based on info from the regressing bug 1774449
status-firefox-esr102:
--- → unaffected
|
||
Updated•2 years ago
|
Flags: sec-bounty? → sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•