Bug 1895430 (Closed): AddressSanitizer: SEGV on unknown address [@ js::jit::MBasicBlock::setBranchHinting] or Crash [@ EmitIf]
Opened 11 months ago; closed 11 months ago
Categories: Core :: JavaScript: WebAssembly, defect
Status: RESOLVED DUPLICATE of bug 1894623

Tracking:

| Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox125 | --- | unaffected
firefox126 | --- | unaffected
firefox127 | --- | affected
People: Reporter gkw, Unassigned
References: Blocks 1 open bug, Regression
Details: Keywords: regression, reporter-external, testcase
Attachments (1 file): 4.99 KB, text/plain
var x = wasmTextToBinary('\
(module (func $$dummy)(func $main(param i64)(result i64)local.get 0 i64.eq \
(@metadata.code.branch_hint "\\00") if)\
(export "_main"(func $main)))\
');
var y = [x, 79];
y[0][y[1]] = 0;
new WebAssembly.Module(x);
Debug build crashes at:
(gdb) bt
#0 EmitIf (f=...) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:5009
#1 0x00005555586ba1c0 in EmitBodyExprs (f=...) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:8088
#2 0x000055555869b77d in IonBuildMIR (d=..., moduleEnv=..., func=..., locals=..., mir=..., tryNotes=..., observedFeatures=0x7fffffff9d14, error=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:9354
#3 0x000055555869aa2e in js::wasm::IonCompileFunctions (moduleEnv=..., compilerEnv=..., lifo=..., inputs=..., code=0x7ffff66c03b0, error=error@entry=0x7fffffffcb00) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:9425
#4 0x000055555867a26b in ExecuteCompileTask (task=0x7ffff66c0000, error=0x7fffffffcb00) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:730
#5 0x000055555867b047 in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7fffffffbaa0) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:785
#6 js::wasm::ModuleGenerator::finishFuncDefs (this=0x7fffffffbaa0) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:916
#7 0x00005555586524d1 in DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator> (env=..., d=..., mg=...) at /home/yksubu/trees/mozilla-central/js/src/wasm/WasmCompile.cpp:795
Opt ASan build crashes at:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3221446==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000012 (pc 0x5d8570624382 bp 0x7ffced7ffc90 sp 0x7ffced7ffb40 T0)
==3221446==The signal is caused by a WRITE memory access.
==3221446==Hint: address points to the zero page.
#0 0x5d8570624382 in js::jit::MBasicBlock::setBranchHinting(js::wasm::BranchHint) /home/yksubu/trees/mozilla-central/js/src/jit/MIRGraph.h:388:63
#1 0x5d8570624382 in EmitIf((anonymous namespace)::FunctionCompiler&) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:5009:22
#2 0x5d8570613e6c in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:8088:9
#3 0x5d85705c542d in IonBuildMIR(js::wasm::Decoder&, js::wasm::ModuleEnvironment const&, js::wasm::FuncCompileInput const&, mozilla::Vector<js::wasm::PackedType<js::wasm::ValTypeTraits>, 16ul, js::SystemAllocPolicy> const&, js::jit::MIRGenerator&, mozilla::Vector<js::wasm::TryNote, 0ul, js::SystemAllocPolicy>&, js::wasm::FeatureUsage*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:9354:8
#4 0x5d85705c2224 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:9425:10
#5 0x5d857055be81 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:730:12
#6 0x5d857055c35d in js::wasm::ModuleGenerator::locallyCompileCurrentTask() /home/yksubu/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:785:8
#7 0x5d857055dcfc in js::wasm::ModuleGenerator::finishFuncDefs() /home/yksubu/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:916:24
#8 0x5d8570507404 in bool DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmCompile.cpp:795:13
#9 0x5d8570506734 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmCompile.cpp:817:8
#10 0x5d85705ddbf7 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) /home/yksubu/trees/mozilla-central/js/src/wasm/WasmJS.cpp:1514:7
#11 0x5d856dd32385 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:480:13
#12 0x5d856dd32385 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:496:8
#13 0x5d856dd32385 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:702:14
#14 0x5d856dd58a55 in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:749:10
#15 0x5d856dd58a55 in js::Interpret(JSContext*, js::RunState&) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3056:16
#16 0x5d856dd2e259 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:394:10
#17 0x5d856dd2e259 in js::RunScript(JSContext*, js::RunState&) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:452:13
#18 0x5d856dd33f1e in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:839:13
#19 0x5d856e037f18 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/yksubu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:494:10
#20 0x5d856e03833f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/yksubu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:518:10
#21 0x5d856daf8d98 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/yksubu/trees/mozilla-central/js/src/shell/js.cpp:1196:10
#22 0x5d856daf7ace in Process(JSContext*, char const*, bool, FileKind) /home/yksubu/trees/mozilla-central/js/src/shell/js.cpp
#23 0x5d856da79adb in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/yksubu/trees/mozilla-central/js/src/shell/js.cpp:11147:10
#24 0x5d856da79adb in Shell(JSContext*, js::cli::OptionParser*) /home/yksubu/trees/mozilla-central/js/src/shell/js.cpp:11399:12
#25 0x5d856da6625d in main /home/yksubu/trees/mozilla-central/js/src/shell/js.cpp:11924:12
#26 0x73d7ce629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#27 0x73d7ce629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#28 0x5d856d975264 in _start (/home/yksubu/shell-cache/js-64-asan-linux-x86_64-bc38347cb224/js-64-asan-linux-x86_64-bc38347cb224+0x26cf264) (BuildId: 79c74a66000fd60089da0dd30a5f721f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yksubu/trees/mozilla-central/js/src/jit/MIRGraph.h:388:63 in js::jit::MBasicBlock::setBranchHinting(js::wasm::BranchHint)
==3221446==ABORTING
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, (debug build) compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev bc38347cb224.
Setting s-s as a start. Initial bisection results seem to point to bug 1837683 but it's still running, so setting needinfo? from Julien.
Flags: sec-bounty?
Flags: needinfo?(jpages)
Comment 1 • 11 months ago
Set release status flags based on info from the regressing bug 1837683
status-firefox125: --- → unaffected
status-firefox126: --- → unaffected
status-firefox-esr115: --- → unaffected
Comment 2 • 11 months ago (Reporter)
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7ea9f1c02ee7
user: Julien Pages
date: Tue Apr 16 18:24:01 2024 +0000
summary: Bug 1837683 - wasm: First implementation of the branch hinting proposal. r=rhunt
Confirming bug 1837683 as the regressor.
Updated • 11 months ago
Group: core-security → javascript-core-security
Updated • 11 months ago
Flags: needinfo?(jpages)
Updated • 11 months ago
Group: javascript-core-security
Updated • 11 months ago
Flags: sec-bounty? → sec-bounty-
Updated • 10 months ago
Keywords: reporter-external