Closed Bug 1241886 Opened 5 years ago Closed 5 years ago

Crash [@ EmitExpr] or [@ js::wasm::IonCompileFunction]

Component: Core :: JavaScript Engine (defect)
Platform: x86_64 macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status: firefox46 --- fixed

Reporter: gkw
Assignee: bbouvier

Keywords: crash, regression, testcase
Whiteboard: [fuzzblocker][jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 7104d650a97d (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

(function() {
    "use asm";
    function f() {
        return 0;
        1 ? 1 : 1;  // unreachable conditional expression after the return
        return 0;
    }
})()

Backtrace:

0   js-dbg-64-dm-clang-darwin-7104d650a97d	0x0000000100114e1d EmitExpr(FunctionCompiler&, MaybeType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) + 21837 (MIR.h:646)
1   js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000efada js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) + 538 (WasmIonCompile.cpp:2970)
2   js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000ef828 js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) + 264 (WasmGenerator.cpp:476)
3   js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000e67bd CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, JS::MutableHandle<js::WasmModuleObject*>, unsigned int*, mozilla::Vector<js::wasm::SlowFunction, 0ul, js::TempAllocPolicy>*) + 9101 (AsmJS.cpp:6830)
4   js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000e2e0e js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) + 3038 (AsmJS.cpp:8363)
5   js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010003f70f js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) + 143 (Parser.cpp:3351)
6   js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000528cb js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) + 347 (Parser.cpp:3426)
7   js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010004b026 js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 758 (Parser.cpp:3491)
8   js-dbg-64-dm-clang-darwin-7104d650a97d	0x0000000100052a43 js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) + 307 (Parser.cpp:1331)
9   js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000540bc js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind) + 604 (Parser.cpp:3121)
10  js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000423d2 js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::InHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) + 802 (Parser.cpp:2926)
11  js-dbg-64-dm-clang-darwin-7104d650a97d	0x0000000100055a8f js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<js::PropertyName*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::frontend::ParseNode**) + 735 (Parser.cpp:2755)
12  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005623f js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 447 (Parser.cpp:3278)
13  js-dbg-64-dm-clang-darwin-7104d650a97d	0x0000000100059edb js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1227 (Parser.cpp:9063)
14  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005c307 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8377)
15  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005bc49 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:7897)
16  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005b5ac js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7421)
17  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005b38f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7473)
18  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005331c js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7588)
19  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010004c6e2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7289)
20  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005a067 js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1623 (Parser.cpp:9214)
21  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005c307 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8377)
22  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005bc49 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:7897)
23  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005b5ac js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7421)
24  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005b38f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7473)
25  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010005331c js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7588)
26  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010004c6e2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7289)
27  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010004de23 js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 83 (Parser.cpp:5521)
28  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010004d4a7 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1575 (Parser.cpp:7129)
29  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010004af6c js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 572 (Parser.cpp:3469)
30  js-dbg-64-dm-clang-darwin-7104d650a97d	0x0000000100044a8d js::frontend::Parser<js::frontend::FullParseHandler>::globalBody() + 77 (Parser.cpp:1073)
31  js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001008dc884 BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>) + 820 (BytecodeCompiler.cpp:527)
32  js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001008de74d js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 189 (BytecodeCompiler.cpp:738)
33  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010054ad94 Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) + 404 (RootingAPI.h:481)
34  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010054b11b Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, char const*, unsigned long, JS::MutableHandle<JSScript*>) + 267 (jsapi.cpp:3976)
35  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010054b26c JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, __sFILE*, JS::MutableHandle<JSScript*>) + 108 (jsapi.cpp:4002)
36  js-dbg-64-dm-clang-darwin-7104d650a97d	0x000000010001e78a Process(JSContext*, char const*, bool, FileKind) + 3098 (js.cpp:513)
37  js-dbg-64-dm-clang-darwin-7104d650a97d	0x00000001000048b9 main + 11769 (js.cpp:6299)
38  js-dbg-64-dm-clang-darwin-7104d650a97d	0x0000000100000ea4 start + 52

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160121052620" and the hash "95a25c159a0ebe141f0c87ad2ba6cd0b7ac1d316".
The "bad" changeset has the timestamp "20160121052722" and the hash "9809139812ebe073b84d0fa12705062b1b50845b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=95a25c159a0ebe141f0c87ad2ba6cd0b7ac1d316&tochange=9809139812ebe073b84d0fa12705062b1b50845b

Benjamin, is bug 1229399 a likely regressor?
Blocks: 1229399
Crash Signature: [@ EmitExpr] → [@ EmitExpr] [@ js::wasm::IonCompileFunction]
Flags: needinfo?(bbouvier)
Summary: Crash [@ EmitExpr] → Crash [@ EmitExpr] or [@ js::wasm::IonCompileFunction]
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Note that this is happening often enough to trigger [fuzzblocker].

(yes, there have been quite a few fuzzblockers related to wasm these past few days)
Yes, it's a trivial assertion being trivially bad :/
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)
Comment on attachment 8711005 [details]
MozReview Request: Bug 1241886: Fix debug assertion if we're in dead code; r?luke

https://reviewboard.mozilla.org/r/31939/#review28679
Attachment #8711005 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/99f960e72e4d
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46