Closed Bug 1895837 Opened 3 months ago Closed 2 months ago

[clang-18] AddressSanitizer: SEGV .../dec_group.cc:415:11 in jxl::N_AVX3::DecodeGroupImpl

Categories: Core :: Sanitizers, defect
Status: RESOLVED FIXED
Target Milestone: 128 Branch
Tracking Status: firefox128 --- fixed
Reporter: glandium, Assigned: glandium
Attachments: 1 file

[task 2024-05-04T21:36:37.788Z] 21:36:37     INFO -  AddressSanitizer:DEADLYSIGNAL
[task 2024-05-04T21:36:37.788Z] 21:36:37     INFO -  =================================================================
[task 2024-05-04T21:36:37.788Z] 21:36:37    ERROR -  ==1003==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f9734c44223 bp 0x7f96e4b0df10 sp 0x7f96e4b0d7e0 T141173)
[task 2024-05-04T21:36:37.788Z] 21:36:37     INFO -  ==1003==The signal is caused by a READ memory access.
[task 2024-05-04T21:36:37.788Z] 21:36:37     INFO -  ==1003==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
[task 2024-05-04T21:36:38.626Z] 21:36:38     INFO -      #0 0x7f9734c44223 in jxl::N_AVX3::DecodeGroupImpl(jxl::FrameHeader const&, jxl::GetBlock*, jxl::GroupDecCache*, jxl::PassesDecoderState*, unsigned long, unsigned long, jxl::RenderPipelineInput&, jxl::ImageBundle*, jxl::DrawMode) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_group.cc:415:11
[task 2024-05-04T21:36:38.627Z] 21:36:38     INFO -      #1 0x7f9734c78011 in jxl::DecodeGroup(jxl::FrameHeader const&, jxl::BitReader* restrict*, unsigned long, unsigned long, jxl::PassesDecoderState*, jxl::GroupDecCache*, unsigned long, jxl::RenderPipelineInput&, jxl::ImageBundle*, unsigned long, bool, bool, bool*) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_group.cc:778:3
[task 2024-05-04T21:36:38.636Z] 21:36:38     INFO -      #2 0x7f9734bfd77f in jxl::FrameDecoder::ProcessACGroup(unsigned long, jxl::BitReader* restrict*, unsigned long, unsigned long, bool, bool) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_frame.cc:492:5
[task 2024-05-04T21:36:38.636Z] 21:36:38     INFO -      #3 0x7f9734c0bdae in operator() /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_frame.cc:712:5
[task 2024-05-04T21:36:38.637Z] 21:36:38     INFO -      #4 0x7f9734c0bdae in jxl::ThreadPool::RunCallState<jxl::FrameDecoder::ProcessSections(jxl::FrameDecoder::SectionInfo const*, unsigned long, jxl::FrameDecoder::SectionStatus*)::$_1, jxl::FrameDecoder::ProcessSections(jxl::FrameDecoder::SectionInfo const*, unsigned long, jxl::FrameDecoder::SectionStatus*)::$_2>::CallDataFunc(void*, unsigned int, unsigned long) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/base/data_parallel.h:94:14
[task 2024-05-04T21:36:38.638Z] 21:36:38     INFO -      #5 0x7f9734fcb0cd in RunRange /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/threads/thread_parallel_runner_internal.cc:145:7
[task 2024-05-04T21:36:38.638Z] 21:36:38     INFO -      #6 0x7f9734fcb0cd in jpegxl::ThreadParallelRunner::ThreadFunc(jpegxl::ThreadParallelRunner*, int) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/threads/thread_parallel_runner_internal.cc:175:9
[task 2024-05-04T21:36:38.638Z] 21:36:38     INFO -      #7 0x7f974e037a4f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xbda4f) (BuildId: f2119a44a99758114620c8e9d8e243d7094f77f6)
[task 2024-05-04T21:36:38.639Z] 21:36:38     INFO -      #8 0x55ce5af5bb88 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
[task 2024-05-04T21:36:38.639Z] 21:36:38     INFO -      #9 0x7f974e30a6da in start_thread /tmp/glibc/nptl/pthread_create.c:463
[task 2024-05-04T21:36:38.639Z] 21:36:38     INFO -      #10 0x7f974d0cda3e in __clone /tmp/glibc/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
[task 2024-05-04T21:36:38.639Z] 21:36:38     INFO -  AddressSanitizer can not provide additional info.
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -  SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_group.cc:415:11 in jxl::N_AVX3::DecodeGroupImpl(jxl::FrameHeader const&, jxl::GetBlock*, jxl::GroupDecCache*, jxl::PassesDecoderState*, unsigned long, unsigned long, jxl::RenderPipelineInput&, jxl::ImageBundle*, jxl::DrawMode)
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -  Thread T141173 created by T0 here:
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -      #0 0x55ce5af45591 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -      #1 0x7f974e037b63 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xbdb63) (BuildId: f2119a44a99758114620c8e9d8e243d7094f77f6)
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -  ==1003==ABORTING

from: https://treeherder.mozilla.org/logviewer?job_id=456978735&repo=autoland
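
For triaging reports like the one above when they show up in CI or fuzzing output, here is an added example (not part of the original bug report or of Mozilla's tooling): a small parser for task-prefixed ASan output that buckets the crash by its top frame. The function names, the bucket format, and the treatment of the `N_<TARGET>` namespace component as a SIMD-variant marker are assumptions made for illustration.

```python
import re

# Constructed sample: lines abridged from the report above ("..." = elided arguments).
SAMPLE = """\
[task 2024-05-04T21:36:37.788Z] 21:36:37    ERROR -  ==1003==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f9734c44223 bp 0x7f96e4b0df10 sp 0x7f96e4b0d7e0 T141173)
[task 2024-05-04T21:36:37.788Z] 21:36:37     INFO -  ==1003==The signal is caused by a READ memory access.
[task 2024-05-04T21:36:38.626Z] 21:36:38     INFO -      #0 0x7f9734c44223 in jxl::N_AVX3::DecodeGroupImpl(jxl::FrameHeader const&, ...) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_group.cc:415:11
[task 2024-05-04T21:36:38.627Z] 21:36:38     INFO -      #1 0x7f9734c78011 in jxl::DecodeGroup(jxl::FrameHeader const&, ...) /builds/worker/checkouts/gecko/third_party/jpeg-xl/lib/jxl/dec_group.cc:778:3
[task 2024-05-04T21:36:38.639Z] 21:36:38     INFO -  AddressSanitizer can not provide additional info.
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -  Thread T141173 created by T0 here:
[task 2024-05-04T21:36:38.640Z] 21:36:38     INFO -      #0 0x55ce5af45591 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
"""

PREFIX = re.compile(r"^\[task [^\]]+\]\s+\d\d:\d\d:\d\d\s+[A-Z]+ -\s+")
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on (unknown )?address (0x[0-9a-f]+)?")  # group 3 empty if no address is printed
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+) (/\S+?):(\d+)(?::\d+)?$")
SIMD_NS = re.compile(r"::N_([A-Z0-9_]+)::")  # assumption: N_<TARGET> marks a SIMD variant

def parse_asan_report(log_text):
    """Extract error kind, fault address, access type and the crashing stack."""
    report = {"kind": None, "address": None, "access": None, "frames": []}
    stack_done = False
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if (m := FRAME.match(line)) and not stack_done:
            fn = re.sub(r"\(.*\)$", "", m.group(2))  # drop the argument list
            loc = f'{m.group(3).rsplit("/", 1)[-1]}:{m.group(4)}'
            report["frames"].append((fn, loc))
            continue
        stack_done = stack_done or bool(report["frames"])  # keep only the first stack
        if report["kind"] is None and (m := HEADER.search(line)):
            report["kind"], report["address"] = m.group(1), m.group(3)
        elif m := ACCESS.search(line):
            report["access"] = m.group(1)
    return report

def triage(report):
    """Build a target-neutral crash bucket and report the SIMD target separately."""
    top_fn, top_loc = report["frames"][0]
    target = SIMD_NS.search(top_fn)
    return {
        "bucket": f'{report["kind"]}:{report["access"]}:{SIMD_NS.sub("::", top_fn)}@{top_loc}',
        "simd_target": target.group(1) if target else None,
        "fault_address_known": report["address"] is not None,
    }

if __name__ == "__main__":
    print(triage(parse_asan_report(SAMPLE)))
```

Keeping the SIMD target out of the bucket string lets the same source location crash-bucket together across dispatch variants, while the separate field still shows when every hit comes from a single variant.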

Whatever issues there were with detect_stack_use_after_return during the
clang trunk cycle for clang 15 seem to be gone.

On the other hand, changes in clang 18 trigger a bug[1] that causes stack
misalignment in AVX-512 code when detect_stack_use_after_return is
disabled.

  1. https://github.com/llvm/llvm-project/issues/91565

Heads up, this bug will re-enable stack-use-after-return detection. You might see this in fuzzing. Let us know if this causes any issues.

It's worth noting that stack-use-after-return was never enabled for fuzzing builds. It was disabled when it became the default in clang trunk.

Backed out for causing SM bustages in 1659595.js.

[task 2024-05-09T08:07:21.007Z] TEST-PASS | check_vanilla_allocations.py | ok
[task 2024-05-09T08:07:21.029Z] make[2]: Leaving directory '/builds/worker/workspace/obj-spider/js/src/build'
[task 2024-05-09T08:07:21.029Z] make[1]: Leaving directory '/builds/worker/workspace/obj-spider'
[task 2024-05-09T08:07:21.029Z] in directory /builds/worker/workspace/obj-spider, running ['make', 'check-jit-test']
[task 2024-05-09T08:07:21.035Z] make -C js/src check-jit-test
[task 2024-05-09T08:07:21.040Z] make[1]: Entering directory '/builds/worker/workspace/obj-spider/js/src'
[task 2024-05-09T08:07:21.040Z] ASAN_SYMBOLIZER_PATH='/builds/worker/fetches/llvm-symbolizer/bin/llvm-symbolizer' ../../dist/bin/run-mozilla.sh /builds/worker/.mozbuild/srcdirs/gecko-8a5b87fe5d69/_virtualenvs/build/bin/python -u /builds/worker/checkouts/gecko/js/src/jit-test/jit_test.py \
[task 2024-05-09T08:07:21.040Z]         --no-slow --no-progress --format=automation --jitflags=all \
[task 2024-05-09T08:07:21.040Z] 		 \
[task 2024-05-09T08:07:21.040Z] 		--show-slow --jitflags=none \
[task 2024-05-09T08:07:21.040Z]         ../../dist/bin/js 
[task 2024-05-09T08:07:21.549Z] Over recursed
[task 2024-05-09T08:07:21.549Z] Exit code: 1
[task 2024-05-09T08:07:21.549Z] FAIL - 1659595.js
[task 2024-05-09T08:07:21.549Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/1659595.js | Over recursed (code 1, args "") [0.0 s]
[task 2024-05-09T08:07:21.549Z] INFO exit-status     : 1
[task 2024-05-09T08:07:21.549Z] INFO timed-out       : False
[task 2024-05-09T08:07:21.549Z] INFO stderr         2> Over recursed
[task 2024-05-09T08:07:21.585Z] Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.585Z] Falling back on parsing source.
[task 2024-05-09T08:07:21.586Z] Over recursed
[task 2024-05-09T08:07:21.586Z] Exit code: 1
[task 2024-05-09T08:07:21.586Z] FAIL - bug1323854-2.js
[task 2024-05-09T08:07:21.586Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/bug1323854-2.js | Can't open self-hosted stencil XDR file. (code 1, args "--ion-gvn=off") [0.0 s]
[task 2024-05-09T08:07:21.586Z] INFO exit-status     : 1
[task 2024-05-09T08:07:21.586Z] INFO timed-out       : False
[task 2024-05-09T08:07:21.586Z] INFO stderr         2> Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.586Z] INFO stderr         2> Falling back on parsing source.
[task 2024-05-09T08:07:21.586Z] INFO stderr         2> Over recursed
[task 2024-05-09T08:07:21.586Z] Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.586Z] Falling back on parsing source.
[task 2024-05-09T08:07:21.586Z] Over recursed
[task 2024-05-09T08:07:21.586Z] Exit code: 1
[task 2024-05-09T08:07:21.586Z] FAIL - bug1366925.js
[task 2024-05-09T08:07:21.586Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/bug1366925.js | Can't open self-hosted stencil XDR file. (code 1, args "") [0.0 s]
[task 2024-05-09T08:07:21.586Z] INFO exit-status     : 1
[task 2024-05-09T08:07:21.586Z] INFO timed-out       : False
[task 2024-05-09T08:07:21.586Z] INFO stderr         2> Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.587Z] INFO stderr         2> Falling back on parsing source.
[task 2024-05-09T08:07:21.587Z] INFO stderr         2> Over recursed
[task 2024-05-09T08:07:21.588Z] Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.588Z] Falling back on parsing source.
[task 2024-05-09T08:07:21.588Z] Over recursed
[task 2024-05-09T08:07:21.588Z] Exit code: 1
[task 2024-05-09T08:07:21.588Z] FAIL - backup-point-bug1315634.js
[task 2024-05-09T08:07:21.588Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/backup-point-bug1315634.js | Can't open self-hosted stencil XDR file. (code 1, args "") [0.0 s]
[task 2024-05-09T08:07:21.589Z] INFO exit-status     : 1
[task 2024-05-09T08:07:21.589Z] INFO timed-out       : False
[task 2024-05-09T08:07:21.589Z] INFO stderr         2> Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.589Z] INFO stderr         2> Falling back on parsing source.
[task 2024-05-09T08:07:21.589Z] INFO stderr         2> Over recursed
[task 2024-05-09T08:07:21.589Z] Can't open self-hosted stencil XDR file.
[task 2024-05-09T08:07:21.589Z] Falling back on parsing source.
[task 2024-05-09T08:07:21.589Z] Over recursed
[task 2024-05-09T08:07:21.589Z] Exit code: 1
[task 2024-05-09T08:07:21.589Z] FAIL - bug1213574.js
<...>
Flags: needinfo?(mh+mozilla)
See Also: → 1057551
Depends on: 1896052
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
Flags: needinfo?(mh+mozilla)