[wasm] Hit MOZ_CRASH(NYI) at js/src/jit/arm/Lowering-arm.cpp:170

RESOLVED DUPLICATE of bug 1256633

Status

Priority: --
Severity: critical

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version: Trunk
Hardware: ARM
OS: Linux

Firefox Tracking Flags

(firefox48 fixed)

Attachments

(1 attachment) 152 bytes, application/octet-stream
(Reporter)

Description

2 years ago
The attached binary WebAssembly testcase crashes on mozilla-inbound revision f788142ec96f+ (built with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests --target=i686-pc-linux-gnu --enable-simulator=arm --enable-debug). To reproduce, you can run the following code in the JS shell:

// 'file' holds the path to the attached testcase; read it as raw bytes and hand it to the wasm compiler.
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==23960==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x093a5b16 bp 0xff9c5478 sp 0xff9c5470 T0)
==23960==The signal is caused by a WRITE memory access.
==23960==Hint: address points to the zero page.
    #0 0x93a5b15 in js::jit::LIRGeneratorARM::lowerForALUInt64(js::jit::LInstructionHelper<2u, 4u, 0u>*, js::jit::MDefinition*, js::jit::MDefinition*, js::jit::MDefinition*) js/src/jit/arm/Lowering-arm.cpp:170:5
    #1 0x8e6f6d9 in js::jit::LIRGenerator::lowerBitOp(JSOp, js::jit::MInstruction*) js/src/jit/Lowering.cpp:1134:9
    #2 0x8e7165c in js::jit::LIRGenerator::visitBitXor(js::jit::MBitXor*) js/src/jit/Lowering.cpp:1222:5
    #3 0x92a2407 in js::jit::MBitXor::accept(js::jit::MDefinitionVisitor*) js/src/jit/MIR.h:5769:5
    #4 0x8ee60ae in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) js/src/jit/Lowering.cpp:4639:5
    #5 0x8ee74a7 in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) js/src/jit/Lowering.cpp:4699:14
    #6 0x8ee83ba in js::jit::LIRGenerator::generate() js/src/jit/Lowering.cpp:4769:14
    #7 0x8b9aac7 in js::jit::GenerateLIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1827:14
    #8 0x836227f in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3120:25
    #9 0x832dbac in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:815:14
    #10 0x82c2bd0 in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1313:12
    #11 0x82c2bd0 in DecodeFunctionBodies(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1341
    #12 0x82c2bd0 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1440
    #13 0x82b5f34 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1597:10
    #14 0x821fd9f in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5104:14
[...]
    #27 0x80aa558 in _start (/home/ubuntu/build/build/js+0x80aa558)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/arm/Lowering-arm.cpp:170:5 in js::jit::LIRGeneratorARM::lowerForALUInt64(js::jit::LInstructionHelper<2u, 4u, 0u>*, js::jit::MDefinition*, js::jit::MDefinition*, js::jit::MDefinition*)
==23960==ABORTING
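Triaging a report like the one above comes down to bucketing: is this the same crash as an already-filed bug (as the duplicate resolution below concludes)? The following Python crash-signature extractor is an added example, not part of the original report; it runs over the first frames quoted above (embedded as constructed sample input), and its choices of frame depth and of ignoring the fault address and column number are assumptions made here, not Bugzilla's or the fuzzer's logic.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the head of the AddressSanitizer report quoted in this bug.
SAMPLE_REPORT = """\
==23960==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x093a5b16 bp 0xff9c5478 sp 0xff9c5470 T0)
==23960==The signal is caused by a WRITE memory access.
==23960==Hint: address points to the zero page.
    #0 0x93a5b15 in js::jit::LIRGeneratorARM::lowerForALUInt64(js::jit::LInstructionHelper<2u, 4u, 0u>*, js::jit::MDefinition*, js::jit::MDefinition*, js::jit::MDefinition*) js/src/jit/arm/Lowering-arm.cpp:170:5
    #1 0x8e6f6d9 in js::jit::LIRGenerator::lowerBitOp(JSOp, js::jit::MInstruction*) js/src/jit/Lowering.cpp:1134:9
    #2 0x8e7165c in js::jit::LIRGenerator::visitBitXor(js::jit::MBitXor*) js/src/jit/Lowering.cpp:1222:5
    #27 0x80aa558 in _start (/home/ubuntu/build/build/js+0x80aa558)
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+)", re.M)
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# C++ function names contain spaces and parentheses, so anchor on the trailing path:line[:col] instead.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+?) ([^\s:]+):(\d+)(?::\d+)?$", re.M)

@dataclass(frozen=True)
class CrashSignature:
    kind: str          # e.g. "SEGV"
    access: str        # "READ", "WRITE" or "unknown"
    null_deref: bool   # fault address lies in the zero page (typical of a deliberate MOZ_CRASH)
    frames: tuple      # top-N symbolized function names with parameter lists stripped
    location: str      # file:line of frame #0

def strip_params(func):
    """Drop the parameter list so template and pointer spelling do not split buckets."""
    return func.split("(", 1)[0]

def parse_asan_report(text, depth=3):
    err = ERROR_RE.search(text)
    if not err:
        raise ValueError("not an AddressSanitizer report")
    kind, addr = err.group(1), int(err.group(2), 16)
    acc = ACCESS_RE.search(text)
    frames = FRAME_RE.findall(text)  # unsymbolized frames such as _start are skipped
    if not frames:
        raise ValueError("no symbolized frames with file:line")
    top = tuple(strip_params(f[1]) for f in frames[:depth])
    location = f"{frames[0][2]}:{frames[0][3]}"
    return CrashSignature(kind, acc.group(1) if acc else "unknown", addr < 0x1000, top, location)

def same_bucket(a, b):
    """Duplicate when fault kind, access type and top frames agree; address and column vary per run."""
    return (a.kind, a.access, a.frames) == (b.kind, b.access, b.frames)
```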
(Reporter)

Comment 1

2 years ago
Created attachment 8730673
Testcase
Same issue as bug 1256633.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1256633
status-firefox48: affected → fixed