Closed Bug 1836710 Opened 2 years ago Closed 2 years ago

MIPS64 Ion compilation crash

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Firefox 116
Other
All
defect

RESOLVED DUPLICATE of bug 1684730

People

(Reporter: parkjuny, Assigned: zhaojiazhong-hf)

References

(Blocks 1 open bug)

Details

Overview

Target: SpiderMonkey MIPS64 5/31 version - commit 8dd0d2bebe4c897152da6c86d937e4be80bbaa54

Executing div-by-zero WASM code 11 times leads to an unaligned memory access. I'm not sure about the root cause, but it looks like the cause is in the Ion compilation.

Very likely to be a duplicate of Bug 1684730.

Also, I'm not sure if this is a security issue. As this bug causes a crash, I'll report this as one just in case. Please disable security state if you think this is not a security issue.

Proof of Concept Code

(module
  (type (;0;) (func (param i64 i64) (result i64)))
  (import "mem" "mem" (memory (;0;) 1024))
  (func (;0;) (type 0) (param i64 i64) (result i64)
    local.get 0
    local.get 1
    i64.div_s)
  (export "main" (func 0)))

const code = new Uint8Array([0,97,115,109,1,0,0,0,1,7,1,96,2,126,126,1,126,2,13,1,3,109,101,109,3,109,101,109,2,0,128,8,3,2,1,0,7,8,1,4,109,97,105,110,0,0,10,9,1,7,0,32,0,32,1,127,11,11,1,0]);

let memory = new WebAssembly.Memory({
    initial: 1024
})
const module = new WebAssembly.Module(code);
const instance = new WebAssembly.Instance(module, {
    mem: {
        mem: memory
    }
});

try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
try{print(instance.exports.main(1n,0n))}catch(e){print(e)}
// at least 11 calls are needed to trigger the bug

The problem seems to be in the Ion compilation, but I have no clue what the correct root cause is. Instead of calling the function 11 times, executing the following three lines also causes the problem.

let code_extract = wasmExtractCode(module, "ion");
let funcs = code_extract.segments.filter(s=>s.kind === 0);
print(code_extract.code.slice(funcs[0].begin, funcs[0].end));

When using those three lines, other WASM code leads to the same problem.

$ builds/mips64_debug/dist/bin/js --wasm-compiler=ion bug3.js
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
RuntimeError: integer divide by zero
Unaligned read at 0x00007f80ebbe2012, pc=0x00003f75c6aeb8b8
Hit MOZ_CRASH() at /home/candymate/repos/spidermonkey/gecko-dev/js/src/jit/mips64/Simulator-mips64.cpp:1673
#01: ???[builds/mips64_debug/dist/bin/js +0x2598b98]
#02: ???[builds/mips64_debug/dist/bin/js +0x258ed26]
#03: ???[builds/mips64_debug/dist/bin/js +0x258a365]
#04: ???[builds/mips64_debug/dist/bin/js +0x2590230]
#05: ???[builds/mips64_debug/dist/bin/js +0x25906ab]
#06: ???[builds/mips64_debug/dist/bin/js +0x286cb48]
#07: ???[builds/mips64_debug/dist/bin/js +0x18f866a]
#08: ???[builds/mips64_debug/dist/bin/js +0x18f906d]
#09: ???[builds/mips64_debug/dist/bin/js +0x18fa23a]
#10: ???[builds/mips64_debug/dist/bin/js +0x1ace791]
#11: ???[builds/mips64_debug/dist/bin/js +0x1b8308f]
#12: JS::OrdinaryToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>)[builds/mips64_debug/dist/bin/js +0x1b82607]
#13: ???[builds/mips64_debug/dist/bin/js +0x1b834d4]
#14: ???[builds/mips64_debug/dist/bin/js +0x1d52b28]
#15: ???[builds/mips64_debug/dist/bin/js +0x18025bb]
#16: ???[builds/mips64_debug/dist/bin/js +0x180244c]
#17: ???[builds/mips64_debug/dist/bin/js +0x191e546]
#18: ???[builds/mips64_debug/dist/bin/js +0x18f916b]
#19: ???[builds/mips64_debug/dist/bin/js +0x1909053]
#20: ???[builds/mips64_debug/dist/bin/js +0x18f869a]
#21: ???[builds/mips64_debug/dist/bin/js +0x18fb9cb]
#22: ???[builds/mips64_debug/dist/bin/js +0x18fbe40]
#23: ???[builds/mips64_debug/dist/bin/js +0x1a67780]
#24: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[builds/mips64_debug/dist/bin/js +0x1a679bc]
#25: ???[builds/mips64_debug/dist/bin/js +0x1837af6]
#26: ???[builds/mips64_debug/dist/bin/js +0x1836e24]
#27: ???[builds/mips64_debug/dist/bin/js +0x17f2933]
#28: ???[builds/mips64_debug/dist/bin/js +0x17ecb28]
#29: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x24083]
#30: ???[builds/mips64_debug/dist/bin/js +0x17e2009]
#31: ??? (???:???)
Group: core-security → javascript-core-security
Flags: needinfo?(zhaojiazhong-hf)
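As an added example (not code from the bug report or from SpiderMonkey), the following Node.js script decodes the PoC bytes above into their sections, checks that the only function body is the `i64.div_s` from the WAT text, and counts how many of N calls with a zero divisor trap with a RuntimeError, which is what the first ten calls above show and what every call should produce. The section-name table and helper names are my own.

```javascript
// Added example, not part of the original bug report.
// Bytes copied from the PoC in the report (same module as the WAT text).
const POC_BYTES = new Uint8Array([0,97,115,109,1,0,0,0,1,7,1,96,2,126,126,1,126,2,13,1,3,109,101,109,3,109,101,109,2,0,128,8,3,2,1,0,7,8,1,4,109,97,105,110,0,0,10,9,1,7,0,32,0,32,1,127,11,11,1,0]);

const SECTION_NAMES = { 1: 'type', 2: 'import', 3: 'function', 7: 'export', 10: 'code', 11: 'data' };

// Unsigned LEB128 decoder; returns [value, bytesConsumed].
function readU32(bytes, pos) {
  let result = 0, shift = 0, n = 0;
  for (;;) {
    const b = bytes[pos + n++];
    result |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return [result >>> 0, n];
    shift += 7;
  }
}

// Split a binary module into {id, name, payload} sections after checking the header.
function decodeSections(bytes) {
  const magic = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
  if (!magic.every((v, i) => bytes[i] === v)) throw new Error('bad wasm header');
  const sections = [];
  let pos = 8;
  while (pos < bytes.length) {
    const id = bytes[pos++];
    const [size, n] = readU32(bytes, pos);
    pos += n;
    sections.push({ id, name: SECTION_NAMES[id] || 'unknown', payload: bytes.slice(pos, pos + size) });
    pos += size;
  }
  return sections;
}

// First body of the code section as [localDeclCount, ...opcodes]; 0x7f is i64.div_s.
function firstFunctionBody(bytes) {
  const code = decodeSections(bytes).find(s => s.name === 'code').payload;
  let pos = 0;
  const [, n1] = readU32(code, pos); pos += n1;       // number of bodies (1 here)
  const [size, n2] = readU32(code, pos); pos += n2;   // size of the first body
  return Array.from(code.slice(pos, pos + size));
}

// Call main(1n, 0n) `calls` times and count how many trap with RuntimeError.
function countDivZeroTraps(bytes, calls) {
  const memory = new WebAssembly.Memory({ initial: 1024 });
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes), { mem: { mem: memory } });
  let traps = 0;
  for (let i = 0; i < calls; i++) {
    try { instance.exports.main(1n, 0n); } catch (e) { if (e instanceof WebAssembly.RuntimeError) traps++; }
  }
  return traps;
}
```

On a correct engine `countDivZeroTraps(POC_BYTES, 11)` returns 11; on the affected MIPS64 simulator build the process dies on the eleventh call instead.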

Thanks for your information, this issue is indeed the same as bug 1684730. The mips64 backend may emit unaligned memory accesses, but the simulator doesn't support them.
Since our mips64 machines may already have unaligned memory access hardware support or a kernel workaround, this issue was not taken seriously. I will take a look at it after bug 1836708 is fixed.
And you may temporarily disable the alignment check in the mips64 simulator by setting the environment variable MIPS_UNALIGNED: export MIPS_UNALIGNED=1.

Thank you very much!

Flags: needinfo?(zhaojiazhong-hf)
Severity: -- → S3
Priority: -- → P5
Assignee: nobody → zhaojiazhong-hf
Blocks: sm-jits
Severity: S3 → S4
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: P5 → P1
Group: javascript-core-security
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1684730
Resolution: --- → DUPLICATE