Open
Bug 1793929
Opened 3 years ago
Updated 8 months ago
Crash [@ vixl::UseScratchRegisterScope::AcquireNextAvailable]
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox105 | --- | wontfix |
| firefox106 | --- | wontfix |
| firefox107 | --- | wontfix |
| firefox108 | --- | wontfix |
People
(Reporter: gkw, Unassigned)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Crash Data
setJitCompilerOption("base-reg-for-locals", 1);
let y = -217654270;
function f() {
return y ^ ((y << 15) & 4022730752);
};
function g() {
return (f() >>> 0) % 3;
}
(function () {
let a;
let b;
let c;
let d;
let e;
let p;
let x = [];
function q() {};
for (let i = 0; i < 2; ++i) {
f();
f();
if (g() === 1) {
let m = [];
var n = (function () {})();
let o = (function () {})();
if (f()) {}
[y] = [0];
x.push(f());
x.push(g(Math.max(0, 1)));
x.push(0);
}
}
})();
vixl::UseScratchRegisterScope::AcquireNextAvailable (available=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MacroAssembler-vixl.cpp:1998
1998 VIXL_CHECK(!available->IsEmpty());
(gdb) bt
#0 vixl::UseScratchRegisterScope::AcquireNextAvailable (available=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MacroAssembler-vixl.cpp:1998
#1 vixl::UseScratchRegisterScope::AcquireSameSizeAs (reg=..., this=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MacroAssembler-vixl.cpp:1881
#2 vixl::MacroAssembler::LoadStoreMacro (this=0x7ffff66fe018, rt=..., addr=..., op=vixl::LDR_x) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MacroAssembler-vixl.cpp:1204
#3 0x00005555570d799f in js::jit::MoveEmitterARM64::emitGeneralMove (this=0x7fffffffafc8, this@entry=0x7ffff66fe908, from=..., to=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/MoveEmitter-arm64.cpp:202
#4 0x00005555570d6694 in js::jit::MoveEmitterARM64::emitMove (this=0xfffffffffffffff8, this@entry=0x7fffffffafc8, move=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/MoveEmitter-arm64.cpp:78
#5 0x00005555570d255e in js::jit::MoveEmitterARM64::emit (this=0x7fffffffafc8, moves=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/MoveEmitter-arm64.cpp:37
#6 0x0000555557224041 in js::jit::CodeGenerator::visitMoveGroup (this=this@entry=0x7ffff66fe000, group=group@entry=0x7ffff6229c28) at /home/skygentoo/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:3863
#7 0x00005555572338c2 in js::jit::CodeGenerator::generateBody (this=0xfffffffffffffff8, this@entry=0x7ffff66fe000) at /home/skygentoo/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:6635
#8 0x000055555725f36e in js::jit::CodeGenerator::generate (this=0x7ffff66fe000) at /home/skygentoo/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:12942
#9 0x0000555557288694 in js::jit::GenerateCode (mir=0x7ffff66de128, lir=0x7ffff66f4d40) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1494
#10 js::jit::CompileBackEnd (mir=mir@entry=0x7ffff66de128, snapshot=snapshot@entry=0x7ffff66dee60) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1523
#11 0x000055555728910f in js::jit::IonCompile (cx=0x7ffff6c1d100, script=..., osrPc=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1644
#12 js::jit::Compile (cx=cx@entry=0x7ffff6c1d100, script=script@entry=..., osrFrame=osrFrame@entry=0x7ffff6a7fd18, osrPc=osrPc@entry=0x7ffff6684583 "\224\001") at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1811
#13 0x00005555572895f3 in IonCompileScriptForBaseline (cx=<optimized out>, frame=0x7ffff6a7fd18, pc=0x7ffff6684583 "\224\001") at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2012
#14 0x00005555572897ac in js::jit::IonCompileScriptForBaselineOSR (cx=0x7ffff6c1d100, frame=0x3, frameSize=168, pc=0x555557939930 <gMozCrashReason> "\027\070uUUU", infoPtr=0x0) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2175
#15 0x000055555713976a in vixl::Simulator::VisitCallRedirection (this=this@entry=0x7ffff6c27100, instr=instr@entry=0x7ffff6cc8368) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:747
#16 0x0000555557139457 in vixl::Simulator::VisitException (this=0x7ffff6c27100, instr=0x7ffff6cc8368) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:447
#17 0x00005555570f9195 in vixl::Decoder::VisitException (this=<optimized out>, instr=0x7ffff6cc8368) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.cpp:876
#18 vixl::Decoder::DecodeBranchSystemException (this=<optimized out>, instr=0x7ffff6cc8368) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.cpp:218
#19 0x0000555557138dff in vixl::Decoder::Decode (this=0xfffffffffffffff8, instr=0x3) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.h:158
#20 vixl::Simulator::ExecuteInstruction (this=0x7ffff6c27100) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:239
#21 0x0000555557141608 in vixl::Simulator::Run (this=0x7ffff6c27100) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Simulator-vixl.cpp:70
#22 0x000055555713928d in vixl::Simulator::call (this=0x7ffff6c27100, entry=0x34d1c5344570 "\375{\277\251\375\003", argument_count=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:327
#23 0x00005555572a629e in EnterJit (cx=0x7ffff6c1d100, state=..., code=0x555557939930 <gMozCrashReason> "\027\070uUUU") at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:107
#24 js::jit::MaybeEnterJit (cx=cx@entry=0x7ffff6c1d100, state=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:205
#25 0x00005555569f0536 in js::RunScript (cx=cx@entry=0x7ffff6c1d100, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:421
#26 0x00005555569fe941 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6c1d100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:579
#27 0x00005555569fee5e in InternalCall (cx=0xfffffffffffffff8, cx@entry=0x7ffff6c1d100, args=..., reason=1469290800, reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:614
#28 0x0000555556fb5782 in js::jit::DoCallFallback (cx=0x7ffff6c1d100, frame=0x7ffff6a7fed8, stub=0x7ffff6731bf0, argc=0, vp=<optimized out>, res=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1584
#29 0x0000555557139abd in vixl::Simulator::VisitCallRedirection (this=this@entry=0x7ffff6c27100, instr=instr@entry=0x7ffff6c2ff28) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:752
#30 0x0000555557139457 in vixl::Simulator::VisitException (this=0x7ffff6c27100, instr=0x7ffff6c2ff28) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:447
#31 0x00005555570f9195 in vixl::Decoder::VisitException (this=<optimized out>, instr=0x7ffff6c2ff28) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.cpp:876
#32 vixl::Decoder::DecodeBranchSystemException (this=<optimized out>, instr=0x7ffff6c2ff28) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.cpp:218
#33 0x0000555557138dff in vixl::Decoder::Decode (this=0xfffffffffffffff8, instr=0x3) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.h:158
#34 vixl::Simulator::ExecuteInstruction (this=0x7ffff6c27100) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:239
#35 0x0000555557141608 in vixl::Simulator::Run (this=0x7ffff6c27100) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Simulator-vixl.cpp:70
#36 0x000055555713928d in vixl::Simulator::call (this=0x7ffff6c27100, entry=0x34d1c5344570 "\375{\277\251\375\003", argument_count=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:327
#37 0x00005555572a629e in EnterJit (cx=0x7ffff6c1d100, state=..., code=0x555557939930 <gMozCrashReason> "\027\070uUUU") at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:107
#38 js::jit::MaybeEnterJit (cx=cx@entry=0x7ffff6c1d100, state=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:205
#39 0x00005555569f0536 in js::RunScript (cx=cx@entry=0x7ffff6c1d100, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:421
#40 0x00005555569ffa8d in js::ExecuteKernel (cx=0x7ffff6c1d100, script=..., envChainArg=..., evalInFrame=..., result=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:825
#41 js::Execute (cx=0x7ffff6c1d100, cx@entry=0x3413d6900580, script=..., script@entry=..., envChain=..., envChain@entry=..., rval=..., rval@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:857
#42 0x0000555556a933f8 in ExecuteScript (cx=0xfffffffffffffff8, cx@entry=0x7ffff6c1d100, envChain=..., envChain@entry=..., script=..., script@entry=..., rval=..., rval@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:467
#43 0x0000555556a934fd in JS_ExecuteScript (cx=0xfffffffffffffff8, cx@entry=0x7ffff6c1d100, scriptArg=..., scriptArg@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:491
#44 0x0000555556972385 in RunFile (cx=cx@entry=0x7ffff6c1d100, filename=filename@entry=0x7fffffffdf68 "testcase.js", file=file@entry=0x7ffff7863020, compileMethod=compileMethod@entry=CompileUtf8::DontInflate, compileOnly=false) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1050
#45 0x0000555556971f94 in Process (cx=0xfffffffffffffff8, cx@entry=0x7ffff6c1d100, filename=0x7fffffffdf68 "testcase.js", forceTTY=<optimized out>, kind=kind@entry=FileScript) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1638
#46 0x0000555556951718 in ProcessArgs (cx=0x7ffff6c1d100, op=0x7fffffffd848) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:10499
#47 Shell (cx=0x7ffff6c1d100, op=op@entry=0x7fffffffd848) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11178
#48 0x000055555694c6aa in main (argc=<optimized out>, argv=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12278
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/49b19abe314d
user: Jan de Mooij
date: Tue Jul 05 07:10:00 2022 +0000
summary: Bug 1773434 part 8 - Use frame pointer to access local slots and passed-argument slots on x86/x64. r=iain
Run with --fuzzing-safe --no-threads --ion-eager --ion-gvn=off, compile with AR=ar sh ./configure --enable-simulator=arm64 --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev b240ded22d26. A less-reduced version had also showed the crash on macOS M1 systems.
Setting s-s just-in-case. Jan, is bug 1773434 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(jdemooij)
|
||
Comment 1•3 years ago
|
||
Set release status flags based on info from the regressing bug 1773434
status-firefox105:
--- → affected
status-firefox106:
--- → affected
status-firefox-esr102:
--- → unaffected
|
||
Updated•3 years ago
|
Group: core-security → javascript-core-security
|
||
Updated•3 years ago
|
|
||
Comment 2•3 years ago
|
||
I do not see any existing crashes with this signature nor this crash reason.
|
||
Comment 3•3 years ago
|
||
The problem is that on ARM64, the move emitter can run out of scratch registers.
The move emitter uses one temp for cycleGeneralReg_ and in emitGeneralMove we use the other one for memory => memory moves. This means there's no scratch register left for Ldr to deal with an offset that doesn't fit as immediate.
In this case it requires using the frame pointer instead of stack pointer as base register, which isn't the default behavior on ARM64, but I wonder if this also affects SP in more pathological cases where the offset is larger.
This isn't security sensitive because it requires a non-standard flag and all builds hit a MOZ_CRASH.
Group: javascript-core-security
|
|
||
Updated•3 years ago
|
Severity: S3 → S4
|
|
||
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1773434
status-firefox108:
--- → affected
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Flags: needinfo?(jdemooij)
|
||
Updated•3 years ago
|
Priority: P1 → P2
|
||
Updated•2 years ago
|
Flags: sec-bounty? → sec-bounty-
|
Reporter | |
Updated•2 years ago
|
Blocks: gkw-js-fuzzing
|
||
Updated•1 year ago
|
Keywords: reporter-external
|
|
Reporter | |
Comment 5•9 months ago
|
||
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0498598458d8
user: Nicolas B. Pierron
date: Thu Jan 16 17:15:53 2025 +0000
summary: Bug 1927178 - Disable experimental frame-pointer experiment while fuzzing on arm64. r=jandem
Nicolas, is bug 1927178 a likely fix?
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 6•9 months ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) from comment #5)
Nicolas, is bug 1927178 a likely fix?
No, but this point out that this is an issue in the experiment.
Flags: needinfo?(nicolas.b.pierron)
You need to log in
before you can comment on or make changes to this bug.
Description
•