| Field | Value |
| --- | --- |
| Issue | 166870 |
| Summary | Firefox crashes when built with LLVM 21, due to llvm/llvm-project#129889 |
| Labels | new issue |
| Assignees | |
| Reporter | steven-michaud |

I've already commented several times at https://github.com/llvm/llvm-project/pull/129889, so I'll keep my comments here brief.
As promised, I'm submitting copies (lightly edited) of two `lldb` sessions. One was made running a local trunk build of Firefox made with LLVM 21.6 (current code on the `release/21.x` branch). It shows the crash, and how it was caused by this commit. The second was made running a local trunk build of Firefox made with a patched LLVM 21.6 that disables copy propagation, using the first of the three patches [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1995582#c20). Everything was done on an M1 Mac Mini running macOS 26.1.
[lldb-session-bad.txt](https://github.com/user-attachments/files/23404321/lldb-session-bad.txt)
[lldb-session-good.txt](https://github.com/user-attachments/files/23404322/lldb-session-good.txt)
The "bad" session crashes. The "good" session doesn't. The only relevant difference between the two builds is that in the "good" one, the `stp x8, x9, [sp, #0x28]` instruction is preceded by the following two instructions, while in the bad one it isn't. In the "bad" build these two instructions were removed by the copy propagation commit.
```
mov w9, w9
mov w8, w8
```
The `x8` register ends up being used as `y` in the following code (located [here](https://searchfox.org/firefox-main/source/image/encoders/png/nsPNGEncoder.cpp#299) on the Firefox trunk). The `nsPNGEncoder::ConvertHostARGBRow()` method is inlined inside `nsPNGEncoder::AddImageFrame()`.
```
for (uint32_t y = 0; y < aHeight; y++) {
  ConvertHostARGBRow(&aData[y * aStride], row.get(), aWidth,
                     useTransparency);
  png_write_row(mPNG, row.get());
}
```
In the bad build `x8` has junk in its top 32 bits (`0x00000030`). In the good build it doesn't. The junk makes `x8` much larger than it should be, and causes a buffer overflow.
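
The effect described in this report, modelled in portable C as an added example (not part of the original report, and not Firefox or LLVM code). The helper names, the 4x4 image and the 16-byte stride are constructed for illustration, and the model assumes the row index is consumed as a full 64-bit register value; only the junk value `0x00000030` comes from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Models an AArch64 write to a W register: the upper 32 bits of the
 * matching X register are cleared. This is the effect of `mov w8, w8`. */
static uint64_t mov_w(uint64_t x) { return (uint64_t)(uint32_t)x; }

/* Byte offset of row y when the index is used as a 64-bit register value
 * (assumption about how the inlined loop addresses aData). */
static uint64_t row_offset(uint64_t y_reg, uint32_t stride) {
    return y_reg * (uint64_t)stride;
}

/* 1 if a row of `stride` bytes starting at `off` lies inside `buf_len`. */
static int row_in_bounds(uint64_t off, uint32_t stride, uint64_t buf_len) {
    return off <= buf_len && stride <= buf_len - off;
}

/* Walks the row loop with `junk_hi` left in the top half of the index
 * register. Returns how many row accesses stay inside the image buffer. */
static uint32_t safe_rows(uint32_t height, uint32_t stride,
                          uint32_t junk_hi, int zero_extend) {
    uint64_t buf_len = (uint64_t)height * stride;
    uint32_t ok = 0;
    for (uint32_t y = 0; y < height; y++) {
        uint64_t x8 = ((uint64_t)junk_hi << 32) | y;  /* stale upper bits */
        if (zero_extend)
            x8 = mov_w(x8);                           /* the removed instruction */
        if (row_in_bounds(row_offset(x8, stride), stride, buf_len))
            ok++;
    }
    return ok;
}

int main(void) {
    /* Constructed sample: 4 rows, 16-byte stride; junk value from the report. */
    printf("with mov w8, w8:    %u of 4 rows in bounds\n",
           safe_rows(4, 16, 0x30, 1));
    printf("without mov w8, w8: %u of 4 rows in bounds\n",
           safe_rows(4, 16, 0x30, 0));
    return 0;
}
```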