Closed Bug 1246935 Opened 8 years ago Closed 8 years ago

[wasm] Assertion failure: !producer->isDiscarded(), at js/src/jit/IonAnalysis.cpp:2224

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1246331
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Testcase
59 bytes, application/octet-stream
Details 
The attached binary WebAssembly testcase crashes on mozilla-central revision 815d689a6e1e+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests, run with ). To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);


Backtrace:

==9991==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000df45f7 bp 0x7fff98a33bf0 sp 0x7fff98a33be0 T0)
    #0 0xdf45f6 in CheckOperand(js::jit::MNode const*, js::jit::MUse const*, int*) js/src/jit/IonAnalysis.cpp:2222:5
    #1 0xdc32c3 in js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&) js/src/jit/IonAnalysis.cpp:2326:17
    #2 0xdba372 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1542:5
    #3 0x6775c0 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3021:14
    #4 0x6477d5 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:529:14
    #5 0x611023 in DecodeFunc(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:863:12
    #6 0x611023 in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:886
    #7 0x611023 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<js::wasm::ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1013
    #8 0x61cd02 in WasmEval(JSContext*, unsigned int, JS::Value*) js/src/asmjs/Wasm.cpp:1171:10
    #9 0x1baa6d7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #23 0x489be8 in _start (js/src/debug64afl/js/src/shell/js+0x489be8)
Attached file Testcase 

    
    

    
  
Definitely a dup of bug 1246331 (F64Abs(Nop) in this case).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: