Closed Bug 1250952 Opened 6 years ago Closed 6 years ago

[wasm] Assertion failure: hasLastIns(), at js/src/jit/MIRGraph.h:375

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla47
Tracking Status
firefox47 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files, 1 obsolete file)

The attached binary WebAssembly testcase crashes on mozilla-inbound revision 930c12a120ab+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests, run with ). To reproduce, you can run the following code in the JS shell:

// `file` is the path to the attached binary testcase; the report leaves
// its name unspecified, so this placeholder must be replaced before running.
var file = 'testcase.wasm';
var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);


Backtrace:

==16115==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006eea3b bp 0x7fff847997f0 sp 0x7fff847997e0 T0)
    #0 0x6eea3a in MOZ_ReportAssertionFailure(char const*, char const*, int) js/src/debug64afl/dist/include/mozilla/Assertions.h:164:10
    #1 0x6eea3a in js::jit::MDefinition::toControlInstruction() js/src/jit/MIR.h:14318
    #2 0x6eea3a in js::jit::MBasicBlock::lastIns() const js/src/jit/MIRGraph.h:376
    #3 0x117719e in js::jit::MBasicBlock::numSuccessors() const js/src/jit/MIRGraph.cpp:1343:5
    #4 0xd8fc4b in js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&) js/src/jit/IonAnalysis.cpp:2312:32
    #5 0xd87802 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1516:5
    #6 0x694c47 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3113:14
    #7 0x65d51c in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
    #8 0x6146e5 in DecodeFunctionSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1094:12
    #9 0x6146e5 in DecodeFunctionSections(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1109
    #10 0x6146e5 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1236
    #11 0x60ba2a in js::wasm::Eval(JSContext*, JS::Handle<js::ArrayBufferObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1364:10
    #12 0x55c5c5 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5065:14
    #13 0x1babfc7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #25 0x48a658 in _start (/home/ubuntu/build/build/js+0x48a658)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/debug64afl/dist/include/mozilla/Assertions.h:164 MOZ_ReportAssertionFailure(char const*, char const*, int)
==16115==ABORTING
Attached patch bug1250952.patch (obsolete) — Splinter Review
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8723158 - Flags: review?(luke)
Attached patch bug1250952.patch (Splinter Review)
For the record, after IRL discussion: return can have any type and does not yield the expression it's returning. So if we end up in dead code after the condition (which we now can in wasm, but not in asm.js) in a chain of if/else, then we need to create a joinBlock if we have at least one thenBlock. It's very similar to what joinIfElse does, so it ends up calling it after resetting the curBlock_ (whether it's null or not, joinIfElse will do The Right Thing).
Attachment #8723158 - Attachment is obsolete: true
Attachment #8723158 - Flags: review?(luke)
Attachment #8723326 - Flags: review?(luke)
Attachment #8723326 - Flags: review?(luke) → review+
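Added example, not the attached testcase and not code from the patch: a hand-encoded module with the control-flow shape the comment above describes, an if/else chain in which every arm returns, followed by an instruction that no arm can fall through to. The validator accepts that trailing instruction (the type system does not know both arms left), so the compiler must be prepared for a join block with no predecessors, which is the curBlock_-is-null case the fix handles. It is an assumption that this is the structural pattern the pre-MVP testcase exercised; the bytes below use the final MVP binary format and the standard WebAssembly API rather than the 2016 shell's wasmEval, so on a fixed engine they compile and run rather than reproduce the assertion.

```javascript
// Constructed example: minimal wasm binary encoder for two functions whose
// if/else arms all return, leaving dead code after the `end` of the if.
const OP = { LOCAL_GET: 0x20, IF: 0x04, ELSE: 0x05, END: 0x0b, RETURN: 0x0f, I32_CONST: 0x41 };
const EMPTY_BLOCK = 0x40, I32 = 0x7f, FUNC = 0x60;

function leb(n) {                 // unsigned LEB128, sufficient for the sizes used here
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
function vec(items) {             // element count followed by the concatenated items
  return [...leb(items.length), ...items.flat()];
}
function section(id, payload) {   // section id, byte length, payload
  return [id, ...leb(payload.length), ...payload];
}
function str(s) {                 // length-prefixed UTF-8 name
  const b = [...new TextEncoder().encode(s)];
  return [...leb(b.length), ...b];
}
function body(code) {             // function body: zero local declarations, then code
  const b = [0, ...code];
  return [...leb(b.length), ...b];
}

// f0(p0): if p0 { return 1 } else { return 2 }; i32.const 3 is dead
const f0Code = [
  OP.LOCAL_GET, 0, OP.IF, EMPTY_BLOCK,
    OP.I32_CONST, 1, OP.RETURN,
  OP.ELSE,
    OP.I32_CONST, 2, OP.RETURN,
  OP.END,
  OP.I32_CONST, 3,                // unreachable at run time, still type-checks
  OP.END,
];
// f1(p0, p1): if p0 { return 1 } else if p1 { return 2 } else { return 3 }; i32.const 4 is dead
const f1Code = [
  OP.LOCAL_GET, 0, OP.IF, EMPTY_BLOCK,
    OP.I32_CONST, 1, OP.RETURN,
  OP.ELSE,
    OP.LOCAL_GET, 1, OP.IF, EMPTY_BLOCK,
      OP.I32_CONST, 2, OP.RETURN,
    OP.ELSE,
      OP.I32_CONST, 3, OP.RETURN,
    OP.END,
  OP.END,
  OP.I32_CONST, 4,
  OP.END,
];

function buildModule() {
  const types = vec([[FUNC, 1, I32, 1, I32], [FUNC, 2, I32, I32, 1, I32]]);  // (i32)->i32, (i32,i32)->i32
  const funcs = vec([[0], [1]]);                                             // function i uses type i
  const exports = vec([[...str('f0'), 0, 0], [...str('f1'), 0, 1]]);        // kind 0 = function
  const code = vec([body(f0Code), body(f1Code)]);
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                           // magic, version 1
    ...section(1, types), ...section(3, funcs), ...section(7, exports), ...section(10, code),
  ]);
}

function instantiate() {
  const bytes = buildModule();
  if (!WebAssembly.validate(bytes)) throw new Error('module failed validation');
  return new WebAssembly.Instance(new WebAssembly.Module(bytes)).exports;
}

// Exercise every arm; the dead constants after each if/else never execute.
function run() {
  const { f0, f1 } = instantiate();
  return { f0: [f0(1), f0(0)], f1: [f1(1, 0), f1(0, 1), f1(0, 0)] };
}
```

Running `run()` in Node or a browser console returns `{ f0: [1, 2], f1: [1, 2, 3] }`; the point of the example is that the module validates despite the trailing i32.const, so a compiler that asserts on a join block without a terminator, as in the backtrace above, would trip on exactly this kind of input.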
https://hg.mozilla.org/mozilla-central/rev/ac848037025e
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47