Closed Bug 1927178 Opened 1 year ago Closed 9 months ago

Crash [@ vixl::MacroAssembler::LoadStoreMacro] on aarch64

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

ARM64
Linux
defect

Tracking

RESOLVED FIXED
136 Branch

Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- wontfix
firefox136 --- fixed

People

(Reporter: decoder, Assigned: nbp)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20241025-be024277429a (opt build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --fast-warmup --ion-osr=off --ion-gvn=off):

var xLogBuffer = `
setJitCompilerOption("base-reg-for-locals", 1);
let hasFunction = {};
function doRegexStuff(xSrc, xExc, xRewriteSet) {
    let regRedeclaration = /redeclaration of (let) (.+?)/
    let result;
    let varType;
    let varName;
    result = regRedeclaration.exec(xExc.toString())
    varType = result[1];
    varName = result[2];
    xRewriteSet.has(varName)
    let srcParts = xSrc.split("\\n");
    let regReplace = new RegExp("let\\\\s+" + varName);
    for (let xIdx = 0; xIdx < srcParts.length; ++xIdx)
      srcParts[xIdx] = srcParts[xIdx].replace(regReplace, varName);
}
`;
while(true)
  xload(xLogBuffer);
function xload(xVarx, xSet = new Set()) {
    try {
        evaluate(xVarx);
    } catch (xVare) {
        doRegexStuff(xVarx, xVare, xSet);
    }
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000aaaaac98ee50 in vixl::MacroAssembler::LoadStoreMacro(vixl::CPURegister const&, vixl::MemOperand const&, vixl::LoadStoreOp) ()
#1  0x0000aaaaac979080 in js::jit::MoveEmitterARM64::emit(js::jit::MoveResolver const&) ()
#2  0x0000aaaaaca01954 in js::jit::CodeGenerator::generateBody() ()
#3  0x0000aaaaaca52ab8 in js::jit::CodeGenerator::generate() ()
#4  0x0000aaaaaca8c204 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#5  0x0000aaaaaca8e9b8 in js::jit::IonCompileScriptForBaselineAtEntry(JSContext*, js::jit::BaselineFrame*) ()
#6  0x0000223951962ebc in ?? ()
#7  0x0000ffffffffc5a8 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
x0	0x1	1
x1	0xffffbc30	281474976693296
x2	0xffffbc70	281474976693360
x3	0xc0400000	3225419776
x4	0xf3eb21c8	281474774016456
x5	0x4b000000	1258291200
x6	0x0	0
x7	0x0	0
x8	0x0	0
x9	0x7ee	2030
x10	0xabb13813	187650001680403
x11	0x4000000	67108864
x12	0x3	3
x13	0x0	0
x14	0x0	0
x15	0x63	99
x16	0x62	98
x17	0xffffffc9	-55
x18	0x0	0
x19	0xf4749c10	281474783026192
x20	0xffffbc70	281474976693360
x21	0xc0400000	3225419776
x22	0xffffbc30	281474976693296
x23	0xf4749c10	281474783026192
x24	0xfffffef8	-264
x25	0x0	0
x26	0x20000	131072
x27	0xf4716000	281474782814208
x28	0xf474a430	281474783028272
x29	0xffffbba0	281474976693152
x30	0xac98ea18	187650016864792
sp	0xffffbb40	281474976693056
pc	0xaaaaac98ee50 <vixl::MacroAssembler::LoadStoreMacro(vixl::CPURegister const&, vixl::MemOperand const&, vixl::LoadStoreOp)+1152>
cpsr	[ EL=0 C N ]
fpcsr	void
fpcr	0x0	0
=> 0xaaaaac98ee50 <_ZN4vixl14MacroAssembler14LoadStoreMacroERKNS_11CPURegisterERKNS_10MemOperandENS_11LoadStoreOpE+1152>:	str	w9, [x8]
   0xaaaaac98ee54 <_ZN4vixl14MacroAssembler14LoadStoreMacroERKNS_11CPURegisterERKNS_10MemOperandENS_11LoadStoreOpE+1156>:	bl	0xaaaaac513728 <abort>

Found on native aarch64 hardware, requires both osr and gvn to be off. Test is stable but hard to reduce further. Marking s-s until triaged.

Attached file Testcase

"base-reg-for-locals" is only exposed in the shell, and not in about:config. Setting it to 1 implies using the frame pointer for looking up local registers. (edit: fix extra negation)

The following might be relevant here:
https://searchfox.org/mozilla-central/rev/4ac5b1f6cc9d8c186986f52369a2d9a537d10474/js/src/jit/JitOptions.cpp#315-332

Unable to reproduce bug 1927178 using build mozilla-central 20241025041043-be024277429a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: -- → S3
Priority: -- → P3
Group: javascript-core-security

We keep on finding this bug and it potentially masks other bugs. If base-reg-for-locals is not safe, should the shell ignore it when --fuzzing-safe is set, or do we actually want this to work properly?

(In reply to Christian Holler (:decoder) from comment #5)

We keep on finding this bug and it potentially masks other bugs. If base-reg-for-locals is not safe, should the shell ignore it when --fuzzing-safe is set, or do we actually want this to work properly?

Ignoring it on arm64 with --fuzzing-safe works for me. I'll write a patch this week.

Flags: needinfo?(jdemooij)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Attachment #9445530 - Attachment description: Bug 1927178 - Disable experimental frame-pointer experiment while fuzzing. → Bug 1927178 - Disable experimental frame-pointer experiment while fuzzing on arm64.
Flags: needinfo?(jdemooij)
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0498598458d8 Disable experimental frame-pointer experiment while fuzzing on arm64. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch