[wasm] Assertion failure: type() == MIRType_Int32, at js/src/jit/MIR.h:1443

RESOLVED FIXED in Firefox 47

Status: RESOLVED FIXED (defect, critical)

People: Reporter: decoder, Assigned: jandem

Tracking: Blocks 1 bug, {assertion, regression, testcase}; Trunk, mozilla47, x86_64, Linux

Firefox Tracking Flags: firefox47 fixed

Attachments: 2 attachments

The attached binary WebAssembly testcase crashes on mozilla-inbound revision faa614e2ad4e+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests --enable-debug, run with ). To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);


Backtrace:

==26294==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000013dd7b1 bp 0x7ffd7c92f9d0 sp 0x7ffd7c92f8a0 T0)
    #0 0x13dd7b0 in MOZ_ReportAssertionFailure(char const*, char const*, int) js/src/debug64afl/dist/include/mozilla/Assertions.h:164:10
    #1 0x13dd7b0 in js::jit::Register::encoding() const js/src/jit/Registers.h:53
    #2 0x13dd7b0 in js::jit::Assembler::shlq(js::jit::Imm32, js::jit::Register) js/src/jit/x64/Assembler-x64.h:557
    #3 0x13dd7b0 in js::jit::CodeGeneratorX64::visitShiftI64(js::jit::LShiftI64*) js/src/jit/x64/CodeGenerator-x64.cpp:293
    #4 0xc5eaa9 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:4691:13
    #5 0xcb81ce in js::jit::CodeGenerator::generateAsmJS(js::wasm::FuncOffsets*) js/src/jit/CodeGenerator.cpp:8305:10
    #6 0x694d29 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3151:14
    #7 0x65d57c in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
    #8 0x614685 in DecodeFunctionSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1094:12
    #9 0x614685 in DecodeFunctionSections(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1109
    #10 0x614685 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1236
    #11 0x60b9ca in js::wasm::Eval(JSContext*, JS::Handle<js::ArrayBufferObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1364:10
    #12 0x55c475 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5077:14
    #13 0x1bb8397 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #25 0x48a658 in _start (/home/ubuntu/build/build/js+0x48a658)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/debug64afl/dist/include/mozilla/Assertions.h:164 MOZ_ReportAssertionFailure(char const*, char const*, int)
==26294==ABORTING
Posted file: Testcase
Probably i64 fallout.
Flags: needinfo?(jdemooij)
Minimal test case:

(module (func (result i64) (i64.shl (i64.const 0) (i64.const 0))))

It'd be nice if the enum in MConstant::printOpcode (MIR.cpp) could handle Int64, for iongraph.
Posted patch: Patch
Oops, we should call ToInt64 instead of ToInt32 to get the LShiftI RHS.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8725151 - Flags: review?(bbouvier)
Comment on attachment 8725151
Patch

Review of attachment 8725151:
-----------------------------------------------------------------

Nice!
Attachment #8725151 - Flags: review?(bbouvier) → review+
https://hg.mozilla.org/mozilla-central/rev/df6847768408
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
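
A regression check built from the minimal test case above, as an added example that is not part of the bug or of the SpiderMonkey tree: it encodes `i64.shl` with two constant operands in today's WebAssembly binary format (version 1, which is not necessarily the format of the attached testcase), compiles it, and compares the result with a BigInt reference. The helper names (`sleb64`, `buildShlModule`, `runShl`, `expectedShl`, `checkAll`) and the export name `f` are assumptions, and it needs an engine with BigInt support for i64 values (for example Node.js).

```javascript
// Added example: i64.shl with constant operands, wasm binary format version 1.
// Signed LEB128 encoding of a 64-bit BigInt, as used by the i64.const immediate.
function sleb64(value) {
  let v = BigInt.asIntN(64, value);
  const out = [];
  for (;;) {
    const byte = Number(v & 0x7fn);
    v >>= 7n; // BigInt right shift is arithmetic, so the sign is preserved
    const signBit = (byte & 0x40) !== 0;
    if ((v === 0n && !signBit) || (v === -1n && signBit)) {
      out.push(byte);
      return out;
    }
    out.push(byte | 0x80); // more bytes follow
  }
}

// Binary equivalent of:
// (module (func (export "f") (result i64) (i64.shl (i64.const lhs) (i64.const rhs))))
function buildShlModule(lhs, rhs) {
  // no locals, i64.const lhs, i64.const rhs, i64.shl, end
  const body = [0x00, 0x42, ...sleb64(lhs), 0x42, ...sleb64(rhs), 0x86, 0x0b];
  const code = [0x01, body.length, ...body]; // one function body (< 128 bytes)
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic, version 1
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7e,       // type section: () -> i64
    0x03, 0x02, 0x01, 0x00,                         // function 0 has type 0
    0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,       // export "f" = function 0
    0x0a, code.length, ...code,                     // code section
  ]);
}

// Compile and run the module; the i64 result comes back as a BigInt.
function runShl(lhs, rhs) {
  const module = new WebAssembly.Module(buildShlModule(lhs, rhs));
  return new WebAssembly.Instance(module).exports.f();
}

// Reference semantics: shift count modulo 64, result wrapped to signed 64 bits.
function expectedShl(lhs, rhs) {
  return BigInt.asIntN(64, BigInt.asIntN(64, lhs) << (BigInt.asUintN(64, rhs) & 63n));
}

// Returns the [lhs, rhs] pairs where the engine disagrees with the reference.
function checkAll(cases) {
  return cases.filter(([a, b]) => runShl(a, b) !== expectedShl(a, b));
}
```

An empty array from `checkAll` means every constant-operand shift compiled and produced the reference result; a compile-time crash or assertion, as in this bug, shows up before any value is returned.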