Bug 1250959
Opened 10 years ago
Closed 10 years ago
[wasm] Assertion failure: producer_ != nullptr, at js/src/jit/MIR.h:242
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1250556

| | Tracking | Status |
|---|---|---|
| firefox47 | --- | fixed |

People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file: 140 bytes, application/octet-stream)
The attached binary WebAssembly testcase crashes on mozilla-inbound revision 930c12a120ab+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests, run with ). To reproduce, you can run the following code in the JS shell:
var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);
Backtrace:
==5405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006be421 bp 0x7fff75aad4e0 sp 0x7fff75aad4d0 T0)
#0 0x6be420 in js::jit::MDefinition::addUseUnchecked(js::jit::MUse*) js/src/jit/MIR.h:783:9
#1 0x6d0f12 in js::jit::MAryInstruction<2ul>::initOperand(unsigned long, js::jit::MDefinition*) js/src/jit/MIR.h:1051:9
#2 0x6d0f12 in js::jit::MBinaryInstruction::MBinaryInstruction(js::jit::MDefinition*, js::jit::MDefinition*) js/src/jit/MIR.h:1105
#3 0x6d0f12 in js::jit::MAsmJSStoreHeap::MAsmJSStoreHeap(js::Scalar::Type, js::jit::MDefinition*, js::jit::MDefinition*, unsigned int, js::jit::MemoryBarrierBits, js::jit::MemoryBarrierBits) js/src/jit/MIR.h:13833
#4 0x6d0f12 in js::jit::MAsmJSStoreHeap::New(js::jit::TempAllocator&, js::Scalar::Type, js::jit::MDefinition*, js::jit::MDefinition*, unsigned int, js::jit::MemoryBarrierBits, js::jit::MemoryBarrierBits) js/src/jit/MIR.h:13846
#5 0x6d0f12 in FunctionCompiler::storeHeap(js::Scalar::Type, js::jit::MDefinition*, js::jit::MDefinition*) js/src/asmjs/WasmIonCompile.cpp:511
#6 0x69f549 in EmitStore(FunctionCompiler&, js::Scalar::Type, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1473:5
#7 0x69f549 in EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) js/src/asmjs/WasmIonCompile.cpp:2935
#8 0x694a08 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3093:18
#9 0x65d51c in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
#10 0x6146e5 in DecodeFunctionSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1094:12
#11 0x6146e5 in DecodeFunctionSections(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1109
#12 0x6146e5 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1236
#13 0x60ba2a in js::wasm::Eval(JSContext*, JS::Handle<js::ArrayBufferObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1364:10
#14 0x55c5c5 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5065:14
#15 0x1babfc7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
#27 0x48a658 in _start (/home/ubuntu/build/build/js+0x48a658)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/MIR.h:783 js::jit::MDefinition::addUseUnchecked(js::jit::MUse*)
==5405==ABORTING
Comment 1•10 years ago
Comment 2•10 years ago
I get a validation error.
The first good revision is:
changeset: 285219:6cd2ff3e8ee9
user: Benjamin Bouvier <benj@benj.me>
date: Tue Feb 23 19:45:38 2016 +0100
summary: Bug 1250556: Require Store value expression to have the opcode's type; r=sunfish
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago