[Regression] Zettlr crashes with illegal instruction

[kxxt]

Zettlr crashes on start by some chance.

Steps to reproduce

• Download zettlr build for riscv64: zettlr.zip
  • The build script is available in updpatch: zettlr 3.4.1-1 felixonmars/archriscv-packages#4393
• Download electron v33.3.0 for riscv64: https://github.com/riscv-forks/electron-riscv-releases/releases/download/v33.3.0.riscv1/electron-v33.3.0-linux-riscv64.zip
  • Debug info available: https://github.com/riscv-forks/electron-riscv-releases/releases/download/v33.3.0.riscv1/electron-v33.3.0-linux-riscv64-debug.tar.zst
• Extract both zips
• Run electron zettlr/app.asar

Expected behavior

Zettlr starts. (This can happen sometimes)

Current behavior

Zettlr crashes on start sometimes.

With ASLR disabled:

Received signal 4 <unknown> 000034e81ce0
#0 0x000000000000 <unknown>
#1 0x002aae183836 (/home/kxxt/electron_as_node/33.3.0/electron+0x36d9835)
#2 0x002ab03425b4 (/home/kxxt/electron_as_node/33.3.0/electron+0x58985b3)
#3 0x000c0073fed0 ([anon:partition_alloc]+0xc0073fecf)
#4 0x003ff7fd7800 ([vdso]+0x7ff)
#5 0x000037197274 <unknown>
#6 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#7 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#8 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#9 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#10 0x002aacc006e0 (/home/kxxt/electron_as_node/33.3.0/electron+0x21566df)
#11 0x002aacd34dec (/home/kxxt/electron_as_node/33.3.0/electron+0x228adeb)
#12 0x002aacbea310 (/home/kxxt/electron_as_node/33.3.0/electron+0x214030f)
#13 0x002aacb9a60c (/home/kxxt/electron_as_node/33.3.0/electron+0x20f060b)
#14 0x408f400000000000 <unknown>
#15 0x002aae1ce2e6 (/home/kxxt/electron_as_node/33.3.0/electron+0x37242e5)
#16 0x000c00128000 ([anon:partition_alloc]+0xc00127fff)
#17 0x002aae1cef88 (/home/kxxt/electron_as_node/33.3.0/electron+0x3724f87)
#18 0x002aae1f554c (/home/kxxt/electron_as_node/33.3.0/electron+0x374b54b)
#19 0x002aae717a0c (/home/kxxt/electron_as_node/33.3.0/electron+0x3c6da0b)
#20 0x000c001a0c00 ([anon:partition_alloc]+0xc001a0bff)
#21 0x002aace9a724 (/home/kxxt/electron_as_node/33.3.0/electron+0x23f0723)
#22 0x002ab4d92500 (/home/kxxt/electron_as_node/33.3.0/electron+0xa2e84ff)
#23 0x000c000e0000 ([anon:partition_alloc]+0xc000dffff)
#24 0x002ab0250fcc (/home/kxxt/electron_as_node/33.3.0/electron+0x57a6fcb)
#25 0x0008000c4d20 ([anon:partition_alloc]+0x8000c4d1f)
#26 0xaaaaaaaaaaaa0000 <unknown>
[end of stack trace]

When putting a breakpoint on 0x002aae183836, the backtrace is:

(gdb) bt
#0  begin () at ../../third_party/libc++/src/include/__split_buffer:124
#1  end () at ../../third_party/libc++/src/include/deque:710
#2  erase () at ../../third_party/libc++/src/include/deque:2453
#3  0x0000002aae183644 in RemoveDuplicates () at ../../v8/src/codegen/safepoint-table.cc:314
#4  0x0000002aae182fb4 in Emit () at ../../v8/src/codegen/safepoint-table.cc:174
#5  0x0000002aae8b1ee6 in AssembleCode () at ../../v8/src/compiler/backend/code-generator.cc:451
#6  0x0000002aaea5856e in Run () at ../../v8/src/compiler/pipeline.cc:2037
#7  Run<v8::internal::compiler::AssembleCodePhase> () at ../../v8/src/compiler/pipeline.cc:917
#8  0x0000002aaea54198 in AssembleCode () at ../../v8/src/compiler/pipeline.cc:4102
#9  0x0000002aaea50ef0 in SelectInstructionsAndAssemble () at ../../v8/src/compiler/pipeline.cc:4188
#10 ExecuteJobImpl () at ../../v8/src/compiler/pipeline.cc:2384
#11 0x0000002aae149f44 in ExecuteJob () at ../../v8/src/codegen/compiler.cc:485
#12 0x0000002aae6fa53c in Execute () at ../../v8/src/wasm/function-compiler.cc:250
#13 CompileJSToWasmWrapper () at ../../v8/src/wasm/function-compiler.cc:297
#14 0x0000002aae7c14c0 in GetOrCreateExternal () at ../../v8/src/wasm/wasm-objects.cc:1799
#15 0x0000002aae72ab66 in ProcessExports () at ../../v8/src/wasm/module-instantiate.cc:2693
#16 0x0000002aae7287f4 in Build () at ../../v8/src/wasm/module-instantiate.cc:1425
#17 0x0000002aae727982 in InstantiateToInstanceObject () at ../../v8/src/wasm/module-instantiate.cc:1026
#18 0x0000002aae795b0c in SyncInstantiate () at ../../v8/src/wasm/wasm-engine.cc:735
#19 AsyncInstantiate () at ../../v8/src/wasm/wasm-engine.cc:752
#20 0x0000002aae7ab656 in WebAssemblyInstantiateImpl () at ../../v8/src/wasm/wasm-js.cc:1176
#21 WebAssemblyInstantiate () at ../../v8/src/wasm/wasm-js.cc:2989
#22 0x0000002aacb9fe48 in Builtins_CallApiCallbackGeneric ()
Backtrace stopped: frame did not save the PC

continuing 50 ~ 60 times from here leads to the SIGILL.

GDB shows a valid instruction >0x4c1d5ce0 li t3,8. (Probably this is related to JIT and gdb doesn't show it correctly?)

The address is in v8's memory map [anon:v8] .

System Information

• Arch Linux riscv64 on SG2042 kernel 6.1.80-2-sophgo-11457-g83ab3eda46e6
• Arch Linux riscv64 on unmatched kernel 6.11.2-arch1-1

Other electron versions

electron 31.4.0(v8 12.6.228.30-electron.0),32.2.7(v8 12.8.374.38-electron.0 ) is also affected.

electron 30.3.1(v8 12.4.254.20-electron.0) appears to be fine.

[kxxt]

With --js-flags="--print-wasm-code", it is clear that the faulting code comes from wasm.

...
--- WebAssembly code ---
name: wasm-function[17]
index: 17
kind: wasm function
compiler: TurboFan
Body (size = 352 = 336 + 16 padding)
Instructions (size = 324, 0x3ff7fabce0-0x3ff7fabe24)
--- End code ---
Received signal 4 <unknown> 003ff7fabce0
#0 0x000000000000 <unknown>
#1 0x002aae183836 (/home/kxxt/electron_as_node/33.3.0/electron+0x36d9835)
#2 0x002ab03425b4 (/home/kxxt/electron_as_node/33.3.0/electron+0x58985b3)
#3 0x003ff67a5356 (/usr/lib/libc.so.6+0x53355)
#4 0x003ff7fd7800 ([vdso]+0x7ff)
#5 0x000023b55594 <unknown>
#6 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#7 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#8 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#9 0x002aacb9d3f0 (/home/kxxt/electron_as_node/33.3.0/electron+0x20f33ef)
#10 0x002aacc006e0 (/home/kxxt/electron_as_node/33.3.0/electron+0x21566df)
#11 0x002aacd34dec (/home/kxxt/electron_as_node/33.3.0/electron+0x228adeb)
#12 0x002aacbea310 (/home/kxxt/electron_as_node/33.3.0/electron+0x214030f)
#13 0x002aacb9a60c (/home/kxxt/electron_as_node/33.3.0/electron+0x20f060b)
#14 0x408f400000000000 <unknown>
#15 0x002aae1ce2e6 (/home/kxxt/electron_as_node/33.3.0/electron+0x37242e5)
#16 0x000c00134000 ([anon:partition_alloc]+0xc00133fff)
#17 0x002aae1cef88 (/home/kxxt/electron_as_node/33.3.0/electron+0x3724f87)
#18 0x002aae1f554c (/home/kxxt/electron_as_node/33.3.0/electron+0x374b54b)
#19 0x002aae717a0c (/home/kxxt/electron_as_node/33.3.0/electron+0x3c6da0b)
#20 0x000c001acc00 ([anon:partition_alloc]+0xc001acbff)
#21 0x002aace9a724 (/home/kxxt/electron_as_node/33.3.0/electron+0x23f0723)
#22 0x002ab4d92500 (/home/kxxt/electron_as_node/33.3.0/electron+0xa2e84ff)
#23 0x000c000ec000 ([anon:partition_alloc]+0xc000ebfff)
#24 0x002ab0250fcc (/home/kxxt/electron_as_node/33.3.0/electron+0x57a6fcb)
#25 0x0008000c4d20 ([anon:partition_alloc]+0x8000c4d1f)
#26 0xaaaaaaaaaaaa0000 <unknown>
[end of stack trace]
Illegal instruction (core dumped)

[kxxt]

[riscv] Flush icache in both local and remote harts (https://chromium-review.googlesource.com/c/v8/v8/+/6080611) fixed this bug. Tested on SG2042 and unmatched board.

Thanks to @luyahan

Fixed in electron v33.3.0.riscv2

[kxxt]

Fixed in electron v33.3.0.riscv2, v32.2.7.riscv2, v31.7.6.riscv2.

In practice v30.x seems unaffected but looking at the code it seems that it could also use this patch. Since it is already EOL, no fix is made for it.