Closed
Bug 1250955
Opened 8 years ago
Closed 8 years ago
[wasm] Hit MOZ_CRASH(NYI) at js/src/asmjs/WasmIonCompile.cpp:3046
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla47

 | Tracking | Status
---|---|---
firefox47 | --- | fixed
People
(Reporter: decoder, Assigned: bbouvier)
Details
(4 keywords)
Attachments
(2 files)
Binary WebAssembly testcase (55 bytes, application/octet-stream) | Details
Attachment #8723165, bug1250955.patch (4.92 KB, patch) | jandem: review+ | Details | Diff | Splinter Review
Description

The attached binary WebAssembly testcase crashes on mozilla-inbound revision 930c12a120ab+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests, run with ).

To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);

Backtrace:

==4712==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006aa9de bp 0x7ffe20cb1590 sp 0x7ffe20cae9c0 T0)
    #0 0x6aa9dd in js::LifoAlloc::ensureUnusedApproximate(unsigned long) js/src/ds/LifoAlloc.h:305:33
    #1 0x6aa9dd in js::jit::TempAllocator::ensureBallast() js/src/jit/JitAllocPolicy.h:69
    #2 0x6aa9dd in js::jit::MIRGenerator::ensureBallast() js/src/jit/MIRGenerator.h:58
    #3 0x6aa9dd in EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) js/src/asmjs/WasmIonCompile.cpp:2698
    #4 0x694a08 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3093:18
    #5 0x65d51c in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
    #6 0x6146e5 in DecodeFunctionSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1094:12
    #7 0x6146e5 in DecodeFunctionSections(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1109
    #8 0x6146e5 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1236
    #9 0x60ba2a in js::wasm::Eval(JSContext*, JS::Handle<js::ArrayBufferObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1364:10
    #10 0x55c5c5 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5065:14
    #11 0x1babfc7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
    [...]
    #23 0x48a658 in _start (/home/ubuntu/build/build/js+0x48a658)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/ds/LifoAlloc.h:305 js::LifoAlloc::ensureUnusedApproximate(unsigned long)
==4712==ABORTING
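The repro above relies on wasmEval, a SpiderMonkey shell helper that predates the standard WebAssembly JS API. The harness below is an added example (not code from the bug report, the attachment, or SpiderMonkey) that does the same job on any engine with the standard API: it pushes a testcase's bytes through validation, compilation and instantiation as separate stages and announces each stage before running it, so that a hard crash like the ASan SEGV above, which fires inside the compiler (IonCompileFunction) rather than at instantiation, can be pinned to a stage even though the function never returns. The sample modules are constructed here for illustration and are not the 55-byte attachment; the function and variable names are this example's own.

```javascript
"use strict";

// Feed one binary testcase through the engine stage by stage. `log` is called
// before each stage, so if the process dies inside the engine the last line
// logged names the stage that was reached. For non-crashing inputs a summary
// object is returned.
function runWasmTestcase(bytes, log = () => {}) {
  const u8 = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  const result = {
    size: u8.length,
    valid: false,
    compiled: false,
    instantiated: false,
    error: null,
  };
  log(`validate (${u8.length} bytes)`);
  result.valid = WebAssembly.validate(u8);
  try {
    log("compile");
    const mod = new WebAssembly.Module(u8); // decoding and compilation happen here
    result.compiled = true;
    log("instantiate");
    new WebAssembly.Instance(mod, {}); // empty import object: importing modules fail here
    result.instantiated = true;
  } catch (e) {
    result.error = `${e.constructor.name}: ${e.message}`;
  }
  return result;
}

// Hex dump in the form one would paste into a bug report next to the attachment.
function hexDump(u8, width = 16) {
  const lines = [];
  for (let off = 0; off < u8.length; off += width) {
    const chunk = Array.from(u8.subarray(off, off + width));
    const hex = chunk.map((b) => b.toString(16).padStart(2, "0")).join(" ");
    lines.push(`${off.toString(16).padStart(8, "0")}  ${hex}`);
  }
  return lines.join("\n");
}

// Constructed sample inputs (these are not the attachment from the bug):
const MAGIC_VERSION = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
const SAMPLES = {
  // the smallest valid module: magic number and version only
  minimal: new Uint8Array(MAGIC_VERSION),
  // same header with an unsupported version field (2 instead of 1)
  badVersion: new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x02, 0x00, 0x00, 0x00]),
  // a type section (id 1) that claims 5 payload bytes but ends after 1: the
  // kind of truncation a byte-level fuzzer produces
  truncated: new Uint8Array([...MAGIC_VERSION, 0x01, 0x05, 0x01]),
  // a valid module importing env.f : () -> (), so it compiles but cannot be
  // instantiated against an empty import object
  needsImport: new Uint8Array([
    ...MAGIC_VERSION,
    0x01, 0x04, 0x01, 0x60, 0x00, 0x00,       // type section: one functype () -> ()
    0x02, 0x09, 0x01, 0x03, 0x65, 0x6e, 0x76, // import section: module name "env"
    0x01, 0x66, 0x00, 0x00,                   // field "f", kind func, type index 0
  ]),
};

for (const [name, bytes] of Object.entries(SAMPLES)) {
  const r = runWasmTestcase(bytes, (stage) => console.error(`[${name}] ${stage}`));
  console.log(name, r);
}
```

To run the real attachment, supply its bytes from fs.readFileSync(path) in Node (the equivalent of the shell's os.file.readFile(file, 'binary')). The stage log goes to stderr deliberately: when the engine crashes, it is the only record of how far the testcase got.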
Comment 1 (Reporter, 8 years ago)

Comment 2 (Assignee, 8 years ago)

Comment 3 (8 years ago)

Comment on attachment 8723165 [details] [diff] [review]
bug1250955.patch

Review of attachment 8723165 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Attachment #8723165 - Flags: review?(jdemooij) → review+
Comment 5 (bugherder, 8 years ago)

https://hg.mozilla.org/mozilla-central/rev/583d2cb7c78a

Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47