Closed Bug 1240524 Opened 4 years ago Closed 4 years ago

Assertion failure: (*def)->type() == type, at js/src/asmjs/WasmIonCompile.cpp:1335

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

Tracking

RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 8cb42e7a16b4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

(function(m) {
    "use asm"
    var k = m.SIMD.Bool32x4
    function f() {
        var x = k(0, 0, 0, 0)
        frd(x);
    }
});



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000554f9a in EmitGetLocal (f=..., type=..., def=0x7fffffff8070) at js/src/asmjs/WasmIonCompile.cpp:1335
#0  0x0000000000554f9a in EmitGetLocal (f=..., type=..., def=0x7fffffff8070) at js/src/asmjs/WasmIonCompile.cpp:1335
#1  0x000000000057f2e6 in EmitF32X4Expr (f=..., def=def@entry=0x7fffffff8070) at js/src/asmjs/WasmIonCompile.cpp:2945
#2  0x000000000057dfc0 in EmitCallArgs (f=..., sig=..., call=call@entry=0x7fffffff80e0) at js/src/asmjs/WasmIonCompile.cpp:1563
#3  0x000000000057eb1f in EmitInternalCall (f=..., ret=ret@entry=js::wasm::Void, def=def@entry=0x7fffffff8240) at js/src/asmjs/WasmIonCompile.cpp:1584
#4  0x000000000057a57e in EmitStatement (f=..., stmt=<optimized out>, maybeLabels=0x0) at js/src/asmjs/WasmIonCompile.cpp:2577
#5  0x000000000057a800 in EmitStatement (maybeLabels=0x0, stmt=<optimized out>, f=...) at js/src/asmjs/WasmIonCompile.cpp:2596
#6  EmitStatement (f=..., maybeLabels=0x0) at js/src/asmjs/WasmIonCompile.cpp:2595
#7  0x00000000005840f5 in js::wasm::IonCompileFunction (task=0x7ffff6990000) at js/src/asmjs/WasmIonCompile.cpp:3069
#8  0x0000000000584b49 in js::wasm::ModuleGenerator::finishFunc (this=0x7fffffff9cf0, funcIndex=<optimized out>, sig=..., bytecode=..., generateTime=<optimized out>, fg=fg@entry=0x7fffffff9720) at js/src/asmjs/WasmGenerator.cpp:412
#9  0x000000000058c57c in finish (generateTime=<optimized out>, sig=..., funcIndex=<optimized out>, this=0x7fffffff9710) at js/src/asmjs/AsmJS.cpp:2589
#10 CheckFunction (m=...) at js/src/asmjs/AsmJS.cpp:6947
#11 CheckFunctions (m=...) at js/src/asmjs/AsmJS.cpp:6978
#12 CheckModule (cx=cx@entry=0x7ffff6907800, parser=..., stmtList=stmtList@entry=0x7ffff69cb188, moduleObj=..., moduleObj@entry=..., time=time@entry=0x7fffffffaa40, slowFuncs=slowFuncs@entry=0x7fffffffaae0) at js/src/asmjs/AsmJS.cpp:7187
#13 0x000000000058d347 in js::CompileAsmJS (cx=0x7ffff6907800, parser=..., stmtList=stmtList@entry=0x7ffff69cb188, validated=validated@entry=0x7fffffffad00) at js/src/asmjs/AsmJS.cpp:8479
[...]
#51 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6985
rax	0x0	0
rbx	0x45	69
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff7fb0	140737488322480
rsp	0x7fffffff7fa0	140737488322464
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff7d60	140737488321888
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffff8070	140737488322672
r13	0x7fffffff8070	140737488322672
r14	0x7ffff6992020	140737330618400
r15	0x0	0
rip	0x554f9a <EmitGetLocal(FunctionCompiler&, mozilla::DebugOnly<js::jit::MIRType> const&, js::jit::MDefinition**)+170>
=> 0x554f9a <EmitGetLocal(FunctionCompiler&, mozilla::DebugOnly<js::jit::MIRType> const&, js::jit::MDefinition**)+170>:	movl   $0x537,0x0
   0x554fa5 <EmitGetLocal(FunctionCompiler&, mozilla::DebugOnly<js::jit::MIRType> const&, js::jit::MDefinition**)+181>:	callq  0x4a2e10 <abort()>
Attached patch asm.patch
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8709070 - Flags: review?(luke)
Attachment #8709070 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/6ea1cb521fc5
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46