Firefox crashes when built with LLVM 21, due to llvm/llvm-project#129889

[steven-michaud]

I've already commented several times at #129889, so I'll keep my comments here brief.

As promised, I'm submitting copies (lightly edited) of two lldb sessions. One was made running a local trunk build of Firefox made with LLVM 21.1.6 (current code on the release/21.x branch). It shows the crash, and how it was caused by this commit. The second was made running a local trunk build of Firefox made with a patched LLVM 21.1.6 that disables copy propagation, using the first of the three patches here. Everything was done on an M1 Mac Mini running macOS 26.1.

lldb-session-bad.txt
lldb-session-good.txt

The "bad" session crashes. The "good" session doesn't. The only relevant difference between the two builds is that in the "good" one, the stp x8, x9, [sp, #0x28] instruction is preceded by the following two instructions, while in the bad one it isn't. In the "bad" build these two instructions were removed by the copy propagation commit.

mov    w9, w9
mov    w8, w8

The x8 register ends up being used as x in the following code (located here on the Firefox trunk). The nsPNGEncoder::ConvertHostARGBRow() method is inlined inside nsPNGEncoder::AddImageFrame().

for (uint32_t x = 0; x < aPixelWidth; x++) {
  const uint32_t& pixelIn = ((const uint32_t*)(aSrc))[x];
  uint8_t* pixelOut = &aDest[x * pixelStride];

  uint8_t alpha = (pixelIn & 0xff000000) >> 24;
  pixelOut[pixelStride - 1] = alpha;  // overwritten below if pixelStride == 3

  ...

}

In the bad build x8 has junk in its top 32 bits (0x00000030). In the good build it doesn't. The junk makes x8 much larger than it should be, and causes a buffer overflow.

[steven-michaud]

The Github UI doesn't allow you to view added files directly, so I'll paste them in here.

The "bad" session:

Process 97073 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000115cded08 XUL`nsPNGEncoder::AddImageFrame(this=0x0000000140d101c0, aData="", aLength=<unavailable>, aWidth=48, aHeight=48, aStride=192, aInputFormat=2, aFrameOptions=0x000000016fdf99e0) at nsPNGEncoder.cpp:0:5 [opt]
   29  	      mIsAnimation(false),
   30  	      mFinished(false),
   31  	      mImageBuffer(nullptr),
-> 32  	      mImageBufferSize(0),
   33  	      mImageBufferUsed(0),
   34  	      mImageBufferHash(0),
   35  	      mImageBufferReadPoint(0),
Note: this address is compiler-generated code in function nsPNGEncoder::AddImageFrame(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsTSubstring<char16_t> const&) that has no source code associated with it.
Target 0: (firefox) stopped.
warning: XUL was compiled with optimization - stepping may behave oddly; variables may not be available.
(lldb) disassemble -m -pc
XUL`nsPNGEncoder::AddImageFrame:
->  0x115cded08 <+680>: stp    x8, x9, [sp, #0x28]
    0x115cded0c <+684>: mov    w28, #0x0 ; =0 
    0x115cded10 <+688>: mov    x27, x23
    0x115cded14 <+692>: b      0x115cded38    ; <+728> at nsPNGEncoder.cpp:300:35
(lldb) register read x8 x9
      x8 = 0x0000000000000030
      x9 = 0x0000003000000030
(lldb) c
Process 97073 resuming
Process 97073 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x0000000115cded44 XUL`nsPNGEncoder::AddImageFrame(this=0x0000000140d101c0, aData="", aLength=<unavailable>, aWidth=48, aHeight=48, aStride=192, aInputFormat=2, aFrameOptions=0x000000016fdf99e0) at nsPNGEncoder.cpp:0:35 [opt]
   29  	      mIsAnimation(false),
   30  	      mFinished(false),
   31  	      mImageBuffer(nullptr),
-> 32  	      mImageBufferSize(0),
   33  	      mImageBufferUsed(0),
   34  	      mImageBufferHash(0),
   35  	      mImageBufferReadPoint(0),
Note: this address is compiler-generated code in function nsPNGEncoder::AddImageFrame(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsTSubstring<char16_t> const&) that has no source code associated with it.
Target 0: (firefox) stopped.
(lldb) disassemble -m -s 0x115cded3c
XUL`nsPNGEncoder::AddImageFrame:
    0x115cded3c <+732>: mov    w9, #0x0 ; =0 
    0x115cded40 <+736>: ldr    x8, [sp, #0x30]
->  0x115cded44 <+740>: b      0x115cded6c    ; <+780> [inlined] nsPNGEncoder::ConvertHostARGBRow(unsigned char const*, unsigned char*, unsigned int, bool) + 36 at nsPNGEncoder.cpp:731:26
    0x115cded48 <+744>: mov    x13, x12

   734 	    pixelOut[pixelStride - 1] = alpha;  // overwritten below if pixelStride == 3
   735 	    if (alpha == 255) {
** 736 	      pixelOut[0] = (pixelIn & 0xff0000) >> 16;

(lldb) register read x8
      x8 = 0x0000003000000030
(lldb) c
Process 97073 resuming
Process 97073 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x0000000115cded68 XUL`nsPNGEncoder::ConvertHostARGBRow(this=0x0000000140d101c0, aSrc="", aDest="", aPixelWidth=<unavailable>, aUseTransparency=<unavailable>) at nsPNGEncoder.cpp:729:3 [opt] [inlined]
   726 	                                      uint32_t aPixelWidth,
   727 	                                      bool aUseTransparency) {
   728 	  uint32_t pixelStride = aUseTransparency ? 4 : 3;
-> 729 	  for (uint32_t x = 0; x < aPixelWidth; x++) {
   730 	    const uint32_t& pixelIn = ((const uint32_t*)(aSrc))[x];
   731 	    uint8_t* pixelOut = &aDest[x * pixelStride];
   732 	
Target 0: (firefox) stopped.
(lldb) disassemble -m -s 0x115cded60
XUL`nsPNGEncoder::ConvertHostARGBRow:
    0x115cded60 <+768>: add    w9, w9, w27
    0x115cded64 <+772>: subs   x8, x8, #0x1

-> 727 	                                      bool aUseTransparency) {
-> 728 	  uint32_t pixelStride = aUseTransparency ? 4 : 3;
-> 729 	  for (uint32_t x = 0; x < aPixelWidth; x++) {
-> 730 	    const uint32_t& pixelIn = ((const uint32_t*)(aSrc))[x];

->  0x115cded68 <+776>: b.eq   0x115cded18    ; <+696> at nsPNGEncoder.cpp:302:21

(lldb) register read x8
      x8 = 0x000000300000002f
(lldb) c
Process 97073 resuming
Process 97073 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x1402fc003)
    frame #0: 0x0000000115cded7c XUL`nsPNGEncoder::ConvertHostARGBRow(this=0x0000000140d101c0, aSrc="", aDest="", aPixelWidth=<unavailable>, aUseTransparency=<unavailable>) at nsPNGEncoder.cpp:734:31 [opt]
   731 	    uint8_t* pixelOut = &aDest[x * pixelStride];
   732 	
   733 	    uint8_t alpha = (pixelIn & 0xff000000) >> 24;
-> 734 	    pixelOut[pixelStride - 1] = alpha;  // overwritten below if pixelStride == 3
   735 	    if (alpha == 255) {
   736 	      pixelOut[0] = (pixelIn & 0xff0000) >> 16;
   737 	      pixelOut[1] = (pixelIn & 0x00ff00) >> 8;
Target 0: (firefox) stopped.
(lldb) register read x8
      x8 = 0x0000002fffffeb50
(lldb) kill

The "good" session:

Process 97182 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000015e6aed48 XUL`nsPNGEncoder::AddImageFrame(this=0x00000003091d7ac0, aData="", aLength=<unavailable>, aWidth=48, aHeight=48, aStride=192, aInputFormat=2, aFrameOptions=0x000000016fdf99b0) at nsPNGEncoder.cpp:0:5 [opt]
   29  	      mIsAnimation(false),
   30  	      mFinished(false),
   31  	      mImageBuffer(nullptr),
-> 32  	      mImageBufferSize(0),
   33  	      mImageBufferUsed(0),
   34  	      mImageBufferHash(0),
   35  	      mImageBufferReadPoint(0),
Note: this address is compiler-generated code in function nsPNGEncoder::AddImageFrame(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsTSubstring<char16_t> const&) that has no source code associated with it.
Target 0: (firefox) stopped.
warning: XUL was compiled with optimization - stepping may behave oddly; variables may not be available.
(lldb) disassemble -m -pc
XUL`nsPNGEncoder::AddImageFrame:
->  0x15e6aed48 <+680>: mov    w9, w9

   297 	      return NS_ERROR_OUT_OF_MEMORY;
   298 	    }
** 299 	    for (uint32_t y = 0; y < aHeight; y++) {
   300 	      ConvertHostARGBRow(&aData[y * aStride], row.get(), aWidth,
   301 	                         useTransparency);

    0x15e6aed4c <+684>: mov    w8, w8
    0x15e6aed50 <+688>: stp    x8, x9, [sp, #0x28]
    0x15e6aed54 <+692>: mov    w28, #0x0 ; =0 
(lldb) register read x8 x9
      x8 = 0x0000000000000030
      x9 = 0x0000003000000030
(lldb) c
Process 97182 resuming
Process 97182 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x000000015e6aed50 XUL`nsPNGEncoder::AddImageFrame(this=0x00000003091d7ac0, aData="", aLength=<unavailable>, aWidth=48, aHeight=48, aStride=192, aInputFormat=2, aFrameOptions=0x000000016fdf99b0) at nsPNGEncoder.cpp:299:28 [opt]
   296 	    if (NS_WARN_IF(!row)) {
   297 	      return NS_ERROR_OUT_OF_MEMORY;
   298 	    }
-> 299 	    for (uint32_t y = 0; y < aHeight; y++) {
   300 	      ConvertHostARGBRow(&aData[y * aStride], row.get(), aWidth,
   301 	                         useTransparency);
   302 	      png_write_row(mPNG, row.get());
Target 0: (firefox) stopped.
(lldb) disassemble -m -pc
XUL`nsPNGEncoder::AddImageFrame:
->  0x15e6aed50 <+688>: stp    x8, x9, [sp, #0x28]
    0x15e6aed54 <+692>: mov    w28, #0x0 ; =0 
    0x15e6aed58 <+696>: mov    x27, x23
    0x15e6aed5c <+700>: b      0x15e6aed80    ; <+736> at nsPNGEncoder.cpp:300:35
(lldb) register read x8 x9
      x8 = 0x0000000000000030
      x9 = 0x0000000000000030
(lldb) c
Process 97182 resuming
Process 97182 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x000000015e6aed8c XUL`nsPNGEncoder::AddImageFrame(this=0x00000003091d7ac0, aData="", aLength=<unavailable>, aWidth=48, aHeight=48, aStride=192, aInputFormat=2, aFrameOptions=0x000000016fdf99b0) at nsPNGEncoder.cpp:0:35 [opt]
   29  	      mIsAnimation(false),
   30  	      mFinished(false),
   31  	      mImageBuffer(nullptr),
-> 32  	      mImageBufferSize(0),
   33  	      mImageBufferUsed(0),
   34  	      mImageBufferHash(0),
   35  	      mImageBufferReadPoint(0),
Note: this address is compiler-generated code in function nsPNGEncoder::AddImageFrame(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsTSubstring<char16_t> const&) that has no source code associated with it.
Target 0: (firefox) stopped.
(lldb) disassemble -m -s 0x15e6aed84
XUL`nsPNGEncoder::AddImageFrame:
    0x15e6aed84 <+740>: mov    w9, #0x0 ; =0 
    0x15e6aed88 <+744>: ldr    x8, [sp, #0x30]
->  0x15e6aed8c <+748>: b      0x15e6aedb4    ; <+788> [inlined] nsPNGEncoder::ConvertHostARGBRow(unsigned char const*, unsigned char*, unsigned int, bool) + 36 at nsPNGEncoder.cpp:731:26
    0x15e6aed90 <+752>: mov    x13, x12

   734 	    pixelOut[pixelStride - 1] = alpha;  // overwritten below if pixelStride == 3
   735 	    if (alpha == 255) {
** 736 	      pixelOut[0] = (pixelIn & 0xff0000) >> 16;

(lldb) register read x8
      x8 = 0x0000000000000030
(lldb) c
Process 97182 resuming
Process 97182 stopped
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = breakpoint 4.1
    frame #0: 0x000000015e6aedb0 XUL`nsPNGEncoder::ConvertHostARGBRow(this=0x00000003091d7ac0, aSrc="", aDest="", aPixelWidth=<unavailable>, aUseTransparency=<unavailable>) at nsPNGEncoder.cpp:729:3 [opt] [inlined]
   726 	                                      uint32_t aPixelWidth,
   727 	                                      bool aUseTransparency) {
   728 	  uint32_t pixelStride = aUseTransparency ? 4 : 3;
-> 729 	  for (uint32_t x = 0; x < aPixelWidth; x++) {
   730 	    const uint32_t& pixelIn = ((const uint32_t*)(aSrc))[x];
   731 	    uint8_t* pixelOut = &aDest[x * pixelStride];
   732 	
Target 0: (firefox) stopped.
(lldb) disassemble -m -s 0x15e6aeda8
XUL`nsPNGEncoder::ConvertHostARGBRow:
    0x15e6aeda8 <+776>: add    w9, w9, w27
    0x15e6aedac <+780>: subs   x8, x8, #0x1

-> 727 	                                      bool aUseTransparency) {
-> 728 	  uint32_t pixelStride = aUseTransparency ? 4 : 3;
-> 729 	  for (uint32_t x = 0; x < aPixelWidth; x++) {
-> 730 	    const uint32_t& pixelIn = ((const uint32_t*)(aSrc))[x];

->  0x15e6aedb0 <+784>: b.eq   0x15e6aed60    ; <+704> at nsPNGEncoder.cpp:302:21

(lldb) register read x8
      x8 = 0x000000000000002f
(lldb) br dis

[steven-michaud]

Here's the MIR code[?] corresponding to the two instructions removed from the "bad" build. It's part of the output from my debug logging patch (third of three patches here).

renamable $w9 = ORRWrs $wzr, killed renamable $w9, 0
renamable $x9 = KILL killed renamable $w9
renamable $w8 = ORRWrs $wzr, killed renamable $w8, 0, debug-location !11642; image/encoders/png/nsPNGEncoder.cpp:299:28
renamable $x8 = KILL killed renamable $w8, debug-location !11642; image/encoders/png/nsPNGEncoder.cpp:299:28
STPXi killed renamable $x8, killed renamable $x9, $sp, 5 :: (store (s64) into %stack.20), (store (s64) into %stack.21)

[llvmbot]

@llvm/issue-subscribers-backend-aarch64

Author: Steven Michaud (steven-michaud)

I've already commented several times at https://github.com//pull/129889, so I'll keep my comments here brief.

As promised, I'm submitting copies (lightly edited) of two lldb sessions. One was made running a local trunk build of Firefox made with LLVM 21.6 (current code on the release/21.x branch). It shows the crash, and how it was caused by this commit. The second was made running a local trunk build of Firefox made with a patched LLVM 21.6 that disables copy propagation, using the first of the three patches here. Everything was done on an M1 Mac Mini running macOS 26.1.

lldb-session-bad.txt
lldb-session-good.txt

The "bad" session crashes. The "good" session doesn't. The only relevant difference between the two builds is that in the "good" one, the stp x8, x9, [sp, #<!-- -->0x28] instruction is preceded by the following two instructions, while in the bad one it isn't. In the "bad" build these two instructions were removed by the copy propagation commit.

mov    w9, w9
mov    w8, w8

The x8 register ends up being used as x in the following code (located [here](https://searchfox.org/firefox-main/source/image/encoders/png/nsPNGEncoder.cpp#729) on the Firefox trunk). The nsPNGEncoder::ConvertHostARGBRow() method is inlined inside nsPNGEncoder::AddImageFrame().

for (uint32_t x = 0; x < aPixelWidth; x++) {
  const uint32_t& pixelIn = ((const uint32_t*)(aSrc))[x];
  uint8_t* pixelOut = &aDest[x * pixelStride];

  uint8_t alpha = (pixelIn & 0xff000000) >> 24;
  pixelOut[pixelStride - 1] = alpha;  // overwritten below if pixelStride == 3

  ...

}

In the bad build x8 has junk in its top 32 bits (0x00000030). In the good build it doesn't. The junk makes x8 much larger than it should be, and causes a buffer overflow.

[mstorsjo]

So, @davemgreen did try to fix this in #137348, and that did fix the issues I had - but apparently that fix wasn't enough. Are you able to provide a standalone source file (preprocessed source, or IR with -mllvm -disable-llvm-optzns i presume) that can reproduce the object files where the essential mov instructions are removed?

[davemgreen]

Yeah many things could be going wrong. Are you able to provide the IR going into the backend? Either for this function or the whole module. -emit-llvm is usually enough if you are compiling with clang. If it is using LTO then it might need to use -save-temps, possibly as a LTO linker option.

[davemgreen]

Something where we can run llc <file> and see the problem would be ideal. godbolt.org can be a good way to show the issue. As in https://godbolt.org/z/f1so95E3c (which actually has the opposite problem - a few mov's that could be removed but we don't).

[steven-michaud]

Remember that I don't have a reduced testcase, and probably never will. So I don't have something I can run llc on or put in godbolt.

Are you able to provide the IR going into the backend?

Can I add -emit-llvm to CFLAGS and/or CPPFLAGS for a Firefox build and know that it will "do the right thing"? Will it just produce the output you want without making any other changes?

A more promising approach may be to alter my debug logging patch (third patch of three here). In fact it may already be doing what you want. Let me know.

Also, it'd help to know what "going into the backend" means.