Closed Bug 1859116 Opened 1 year ago Closed 1 year ago

arm64: unhandled load-unscaled-signed-halfword (LDURSH) in js::wasm::SummarizeTrapInstruction

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Windows
defect

Tracking


RESOLVED FIXED
120 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- unaffected
firefox119 --- unaffected
firefox120 --- fixed

People

(Reporter: gkw, Assigned: jseward)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
  (module
    (func $fimport$0
      (param i32 i32)
    )
    (global $global$0
      (mut i32)
      (i32.const 0)
    )
    (memory 7)
    (func $0
      (result i64)
      (i64.const 1)
    )
    (func $2
      (param $0 i64)
      (if
        (global.get $global$0)
        (global.set $global$0
          (i32.const 1)
        )
      )
      (call $1
        (select
          (local.get 0)
          (call $0)
          (i32.load16_s
            (i32.const 1)
          )
        )
      )
    )
    (func $1
      (param $0 i64)
      (call $fimport$0
        (i32.wrap_i64
          (local.get 0)
        )
        (i32.wrap_i64
          (i64.const 0)
        )
      )
    )
  )
`)));
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/656ad1cea330
user:        Julian Seward
date:        Mon Oct 02 17:07:03 2023 +0000
summary:     Bug 1846474 - Part 7: enable TrapSite debug checking for x86, x64, arm64.  r=rhunt.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with sh ../configure --host=x86_64-pc-mingw32 --target=x86_64-pc-mingw32 --enable-simulator=arm64 --enable-debug --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev c85ad51385ad.

Julian, is bug 1846474 a likely regressor? Setting s-s just-in-case for now.

Flags: sec-bounty?
Flags: needinfo?(jseward)

Set release status flags based on info from the regressing bug 1846474

Group: core-security → javascript-core-security

Gary, thanks for finding this. What happened is, bug 1846474 added machinery
to perform some checks on the generated code after compilation has finished.
The assertion failed because the checker failed to identify one of the
instructions that the code generator created. The problem is with the
checker, not the code generator.

There is no error in the generated code or metadata, hence no security issue.

Assignee: nobody → jseward
Flags: needinfo?(jseward)
Summary: Assertion failure: valid (wasm trapsite does not reference a valid insn), at wasm/WasmGenerator.cpp:1109 → arm64: unhandled load-unscaled-signed-halfword (LDURSH) in js::wasm::SummarizeTrapInstruction

Unhiding as requested.

Group: javascript-core-security

On arm64, the instruction summarizer failed to handle
LDURSH Wt, [Xn|SP, #imm9] and LDURSH Xt, [Xn|SP, #imm9].
This patch fixes it.

tests/wasm/gc/signal-null-check.js is slightly extended to add suitable test
cases.

As a ridealong, in that test file, some assertDerefenceNulls are renamed to
assertDereferenceNull.
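To illustrate what the arm64 summarizer has to decode, here is an added example (written for this page, not SpiderMonkey's own js::wasm::SummarizeTrapInstruction) that decodes the A64 "load/store register (unscaled immediate)" class that LDURSH belongs to; it goes beyond the bug and handles the whole class (LDUR*, STUR*, the sign-extending forms, and the PRFUM/unallocated holes), and the two LDURSH encodings at the bottom are constructed by hand from the ARM encoding tables.

```cpp
#include <cstdint>

// Summary of one unscaled-immediate memory access, the information a
// trap-site checker needs: is it a load, how wide, sign- or zero-extended,
// which registers and which signed offset.
struct UnscaledAccess {
  bool recognized = false;   // true for the integer LDUR*/STUR* forms
  bool isLoad = false;
  bool signExtend = false;   // LDURSB / LDURSH / LDURSW
  unsigned accessBytes = 0;  // 1, 2, 4 or 8
  unsigned destBits = 0;     // 32 (Wt) or 64 (Xt); 0 for stores
  unsigned rt = 0, rn = 0;
  int32_t imm9 = 0;          // signed byte offset, -256..255
};

static uint32_t bits(uint32_t insn, unsigned hi, unsigned lo) {
  return (insn >> lo) & ((1u << (hi - lo + 1)) - 1);
}

// Layout: size(31:30) 111 V(26) 00 opc(23:22) 0 imm9(20:12) 00 Rn(9:5) Rt(4:0)
UnscaledAccess summarizeUnscaled(uint32_t insn) {
  UnscaledAccess a;
  if (bits(insn, 29, 27) != 0b111 || bits(insn, 26, 26) != 0 ||  // V=0: integer
      bits(insn, 25, 24) != 0 || bits(insn, 21, 21) != 0 ||
      bits(insn, 11, 10) != 0) {
    return a;  // not the unscaled-immediate class (e.g. LDRH with unsigned offset)
  }
  uint32_t size = bits(insn, 31, 30), opc = bits(insn, 23, 22);
  if (opc == 0b10 && size == 0b11) return a;  // PRFUM: a prefetch hint, no access
  if (opc == 0b11 && size >= 0b10) return a;  // unallocated encodings
  a.recognized = true;
  a.isLoad = opc != 0b00;          // opc=00 is STUR*
  a.signExtend = opc >= 0b10;      // opc=10 -> Xt, opc=11 -> Wt
  a.accessBytes = 1u << size;      // size=01 is the halfword forms (LDURH/LDURSH)
  // opc=01 zero-extends into Wt (Xt when size==11); opc=10 sign-extends into
  // Xt; opc=11 sign-extends into Wt.
  if (a.isLoad) a.destBits = (opc == 0b10 || size == 0b11) ? 64 : 32;
  a.rt = bits(insn, 4, 0);
  a.rn = bits(insn, 9, 5);
  uint32_t raw = bits(insn, 20, 12);
  a.imm9 = (raw & 0x100) ? int32_t(raw) - 512 : int32_t(raw);  // sign-extend 9 bits
  return a;
}

// Constructed encodings of the two forms the bug names (assumed, hand-encoded):
//   LDURSH W0, [X1, #4]   -> 0x78C04020   (size=01, opc=11)
//   LDURSH X2, [X3, #-4]  -> 0x789FC062   (size=01, opc=10)
```

A checker that only matched the scaled LDRSH form (bits 25:24 = 01) would reject both of these words, which is the kind of gap the patch closes.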

Pushed by jseward@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/18c9138dd733 arm64: unhandled load-unscaled-signed-halfword (LDURSH) in js::wasm::SummarizeTrapInstruction. r=yury
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
Flags: sec-bounty? → sec-bounty-
