Closed Bug 1908631 Opened 1 year ago Closed 1 year ago

Assertion failure: numval <= stk_.length(), at /js/src/wasm/WasmBCStkMgmt-inl.h:1276 or Hit MOZ_CRASH(Compiler bug: expected <type> on stack) at WasmBCStkMgmt-inl.h:737

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
130 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox128 --- unaffected
firefox129 --- unaffected
firefox130 --- fixed

People

(Reporter: decoder, Assigned: bvisness)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(4 files)

The attached testcase crashes on mozilla-central revision 20240718-c9dd3166c811 (build with fuzzing-debug, run with --no-threads --wasm-compiler=baseline test.js).

Backtrace:

    [29912] Assertion failure: numval <= stk_.length(), at /js/src/wasm/WasmBCStkMgmt-inl.h:1276
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==29912==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d0d38fce07 bp 0x7ffc939350e0 sp 0x7ffc939350b0 T29912)
    ==29912==The signal is caused by a WRITE memory access.
    ==29912==Hint: address points to the zero page.
        #0 0x55d0d38fce07 in js::wasm::BaseCompiler::stackConsumed(unsigned long) /js/src/wasm/WasmBCStkMgmt-inl.h:1276:3
        #1 0x55d0d38e601f in js::wasm::BaseCompiler::emitInstanceCall(js::wasm::SymbolicAddressSignature const&) /js/src/wasm/WasmBaselineCompile.cpp:6177:23
        #2 0x55d0d3938999 in js::wasm::BaseCompiler::emitTableFill() /js/src/wasm/WasmBaselineCompile.cpp:6659:10
        #3 0x55d0d3963348 in js::wasm::BaseCompiler::emitBody() /js/src/wasm/WasmBaselineCompile.cpp:11456:13
        #4 0x55d0d3994307 in emitFunction /js/src/wasm/WasmBaselineCompile.cpp:11853:8
        #5 0x55d0d3994307 in js::wasm::BaselineCompileFunctions(js::wasm::CodeMetadata const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmBaselineCompile.cpp:12029:12
        #6 0x55d0d3a7e62a in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmGenerator.cpp:503:12
        #7 0x55d0d3a8107c in locallyCompileCurrentTask /js/src/wasm/WasmGenerator.cpp:586:8
        #8 0x55d0d3a8107c in js::wasm::ModuleGenerator::finishFuncDefs() /js/src/wasm/WasmGenerator.cpp:723:24
        #9 0x55d0d3a44ce8 in bool DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator>(js::wasm::CodeMetadata const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /js/src/wasm/WasmCompile.cpp:818:13
        #10 0x55d0d3a4440a in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /js/src/wasm/WasmCompile.cpp:848:8
        #11 0x55d0d3ac7cbc in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) /js/src/wasm/WasmJS.cpp:1539:7
        #12 0x55d0d23f9494 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:491:13
        [...]
Attached file Testcase

I'm also seeing numerous crashes of the form

Hit MOZ_CRASH(Compiler bug: expected <type> on stack) at wasm/WasmBCStkMgmt-inl.h:737

all going through [@ js::wasm::BaseCompiler::emitTableFill]; I assume these are dups of this.

Summary: Assertion failure: numval <= stk_.length(), at /js/src/wasm/WasmBCStkMgmt-inl.h:1276 → Assertion failure: numval <= stk_.length(), at /js/src/wasm/WasmBCStkMgmt-inl.h:1276 or Hit MOZ_CRASH(Compiler bug: expected <type> on stack) at WasmBCStkMgmt-inl.h:737

I'll take this one since it's seemingly related to tables.

Assignee: nobody → bvisness
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1

This could lead to an underflow in reading from a Vector in our baseline compiler. Possibly some data structure corruption after that. This was regressed by bug 1893643, which is only in nightly right now.

Severity: S3 → S2
Regressed by: 1893643

Set release status flags based on info from the regressing bug 1893643

Pushed by bvisness@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/716f69f3ff94 Add missing dead code check in table.fill. r=rhunt
Duplicate of this bug: 1908632
Has STR: --- → yes
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch
Pushed by bvisness@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/faa954bf9d42 Add test for dead code in table.fill. r=rhunt
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release

Verified bug as fixed on rev mozilla-central 20240723211328-439d6b4d683a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon