
[wasm] Assertion failure: f.localType(slot) == type, at asmjs/WasmIonCompile.cpp:1407

RESOLVED FIXED in Firefox 47

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Last modified: 2 years ago

People

(Reporter: decoder, Unassigned)

Tracking

Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla47
Platform: x86_64 Linux

Firefox Tracking Flags

(firefox47 fixed)


Attachments

(2 attachments)

Description

(Reporter, 2 years ago)
The attached binary WebAssembly testcase crashes on mozilla-inbound revision 930c12a120ab+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests, run with ). To reproduce, you can run the following code in the JS shell:

var file = '/path/to/testcase.wasm'; // placeholder: path to the attached testcase (attachment 8722542)
var data = os.file.readFile(file, 'binary'); // read the binary module as a Uint8Array
wasmEval(data.buffer); // compile the module in the JS shell; triggers the crash below


Backtrace:

==20049==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006b01a8 bp 0x7ffef5aa09d0 sp 0x7ffef5a9de00 T0)
    #0 0x6b01a7 in EmitStoreGlobal(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1525:5
    #1 0x6b01a7 in EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) js/src/asmjs/WasmIonCompile.cpp:2752
    #2 0x69f4ed in EmitStore(FunctionCompiler&, js::Scalar::Type, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1467:14
    #3 0x69f4ed in EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) js/src/asmjs/WasmIonCompile.cpp:2935
    #4 0x694a08 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3093:18
    #5 0x65d51c in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
    #6 0x6146e5 in DecodeFunctionSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1094:12
    #7 0x6146e5 in DecodeFunctionSections(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1109
    #8 0x6146e5 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1236
    #9 0x60ba2a in js::wasm::Eval(JSContext*, JS::Handle<js::ArrayBufferObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1364:10
    #10 0x55c5c5 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5065:14
    #11 0x1babfc7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #23 0x48a658 in _start (/home/ubuntu/build/build/js+0x48a658)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/asmjs/WasmIonCompile.cpp:1525 EmitStoreGlobal(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**)
==20049==ABORTING
(Reporter)

Comment 1

2 years ago
Created attachment 8722542 [details]
Testcase

Created attachment 8722587 [details]
MozReview Request: Bug 1250556: Require Store value expression to have the opcode's type; r?sunfish

Review commit: https://reviewboard.mozilla.org/r/36109/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/36109/
Attachment #8722587 - Flags: review?(sunfish)

Comment on attachment 8722587 [details]
MozReview Request: Bug 1250556: Require Store value expression to have the opcode's type; r?sunfish

https://reviewboard.mozilla.org/r/36109/#review32751
Attachment #8722587 - Flags: review?(sunfish) → review+

Comment 4

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6cd2ff3e8ee9

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6cd2ff3e8ee9
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox47: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Duplicate of this bug: 1250959
Duplicate of this bug: 1250960