Bug 1524692 Comment 0 Edit History
The following testcase crashes on mozilla-central revision d58901c5036f (build with --32 --enable-debug --enable-simulator=arm, run with --fuzzing-safe --no-threads --no-baseline --no-ion --ion-gvn=off w191-out.wrapper w191-out.wasm):

```
Backtrace:
#0 CompareExchange64<js::jit::BaseIndex> (masm=..., access=0xf66b90a8, sync=..., mem=..., expect=..., replace=..., output=...) at js/src/jit/arm/MacroAssembler-arm.cpp:5333
#1 js::jit::MacroAssembler::wasmCompareExchange64 (this=0xfffd45c8, access=..., mem=..., expect=..., replace=..., output=...) at js/src/jit/arm/MacroAssembler-arm.cpp:5384
#2 0x57f13383 in js::jit::CodeGenerator::visitWasmCompareExchangeI64 (this=0xfffd4d40, lir=0xf6314a90) at js/src/jit/arm/CodeGenerator-arm.cpp:3004
#3 0x57ffcee3 in js::jit::CodeGenerator::generateBody (this=0xfffd4d40) at js/src/jit/CodeGenerator.cpp:5964
#4 0x5802a596 in js::jit::CodeGenerator::generateWasm (this=0xfffd4d40, funcTypeId=..., trapOffset=..., offsets=0xfffd5900) at js/src/jit/CodeGenerator.cpp:10176
#5 0x582e5762 in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=0xf65d9d70, error=0xfffd6568) at js/src/wasm/WasmIonCompile.cpp:4091
#6 0x582d6960 in ExecuteCompileTask (task=<optimized out>, error=0xfffd6568) at js/src/wasm/WasmGenerator.cpp:713
/snip
```

For detailed crash information, see attachment.

```
Full configuration command with needed environment variables is:
PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CC="clang -m32 -msse2 -mfpmath=sse"' AR=ar 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' sh /home/ubuntu/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-simulator=arm --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift
```

python3 -u -m funfuzz.js.compile_shell -b "--32 --enable-debug --enable-simulator=arm" -r d58901c5036f

Setting s-s as I don't know how bad this is. This seems restricted to ARM-specific shells only. Trying to get a bisection now...