Closed
Bug 1259911
Opened 8 years ago
Closed 8 years ago
[wasm] Assertion failure: predecessors_[j] != old, at js/src/jit/MIRGraph.cpp:1465
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla48
 | Tracking | Status
---|---|---
firefox48 | --- | fixed
People
(Reporter: decoder, Assigned: bbouvier)
Details
(Keywords: assertion, testcase)
Attachments
(2 files, 1 obsolete file)
104 bytes, application/octet-stream (the attached testcase)
2.32 KB, patch (1259911.patch), dgohman: review+
The attached binary WebAssembly testcase crashes on mozilla-inbound revision 0fad49a543ea+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu --enable-simulator=arm).

To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==32121==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x08fe067c bp 0xfff98568 sp 0xfff98530 T0)
==32121==The signal is caused by a WRITE memory access.
==32121==Hint: address points to the zero page.
    #0 0x8fe067b in js::jit::MBasicBlock::replacePredecessor(js::jit::MBasicBlock*, js::jit::MBasicBlock*) js/src/jit/MIRGraph.cpp:1465:17
    #1 0x8fdc08a in js::jit::MBasicBlock::NewSplitEdge(js::jit::MIRGraph&, js::jit::CompileInfo const&, js::jit::MBasicBlock*, unsigned int, js::jit::MBasicBlock*) js/src/jit/MIRGraph.cpp:405:5
    #2 0x8bef570 in SplitCriticalEdgesForBlock(js::jit::MIRGraph&, js::jit::MBasicBlock*) js/src/jit/IonAnalysis.cpp:426:30
    #3 0x8bef570 in js::jit::SplitCriticalEdges(js::jit::MIRGraph&) js/src/jit/IonAnalysis.cpp:441
    #4 0x8b96809 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1494:14
    #5 0x8364517 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3122:14
    #6 0x832ff79 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:815:14
    #7 0x82c5123 in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1359:12
    #8 0x82c5123 in DecodeFunctionBodies(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1387
    #9 0x82c5123 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1486
    #10 0x82b8791 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1643:10
    #11 0x8221ad8 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5212:14
    #12 0x9e577e1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
    [...]
    #24 0x80ab2c8 in _start (/home/ubuntu/build/build/js+0x80ab2c8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/MIRGraph.cpp:1465:17 in js::jit::MBasicBlock::replacePredecessor(js::jit::MBasicBlock*, js::jit::MBasicBlock*)
==32121==ABORTING

This bug appears to be ARM only.
Comment 1 • 8 years ago (Reporter)
Comment 2 • 8 years ago (Assignee)
We should make sure that we don't add a block as the predecessor of another block several times, which can easily happen with br_table. Nice find, AFL!
Comment 3 • 8 years ago (Assignee)
Simpler patch that doesn't use a malloc'd hash set.
Attachment #8735914 - Attachment is obsolete: true
Attachment #8735914 - Flags: review?(sunfish)
Attachment #8735931 - Flags: review?(sunfish)
Comment on attachment 8735931: 1259911.patch

Review of attachment 8735931:

Good idea to use the mark flag!

Attachment #8735931 - Flags: review?(sunfish) → review+
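Comment 2 and the review above describe the fix: a br_table may list the same target block several times, but the target must record the branching block as a predecessor only once, and the patch tracks already-seen targets with the block's mark flag rather than a heap-allocated hash set. The C++ below is an added illustration of that idea, not SpiderMonkey code or the patch itself; `Block`, `addBrTablePredsNaive`, `addBrTablePredsDeduped` and `demo` are hypothetical names, and the three-arm br_table is a constructed input.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Toy stand-in for an IR basic block (hypothetical names, not SpiderMonkey's MBasicBlock).
struct Block {
    explicit Block(unsigned i) : id(i) {}
    unsigned id;
    bool mark = false;                 // scratch bit, used like the patch's mark flag
    std::vector<Block*> predecessors;  // each predecessor block should appear exactly once
};

// Buggy shape: one edge per br_table entry, so a target listed more than once
// gets the same predecessor recorded several times, which later passes don't expect.
void addBrTablePredsNaive(Block& from, const std::vector<Block*>& targets) {
    for (Block* t : targets)
        t->predecessors.push_back(&from);
}

// Fixed shape: mark each target on first sight so `from` is added once per distinct
// target, then clear the marks; no heap-allocated hash set is needed.
void addBrTablePredsDeduped(Block& from, const std::vector<Block*>& targets) {
    for (Block* t : targets) {
        if (t->mark) continue;         // this br_table already branches here
        t->mark = true;
        t->predecessors.push_back(&from);
    }
    for (Block* t : targets)
        t->mark = false;
}

// Invariant behind the assertion in the report: no block appears twice as a predecessor.
bool predecessorsUnique(const Block& b) {
    std::vector<Block*> p = b.predecessors;
    std::sort(p.begin(), p.end());
    return std::adjacent_find(p.begin(), p.end()) == p.end();
}

struct Result { std::size_t predsOfA; bool invariantHolds; };

// Constructed br_table with three arms, two of them the same target `a`:
// the buggy path records `sw` twice for `a`, the fixed path once.
Result demo(bool deduped) {
    Block sw(0), a(1), b(2);
    std::vector<Block*> targets{&a, &b, &a};
    if (deduped) addBrTablePredsDeduped(sw, targets);
    else         addBrTablePredsNaive(sw, targets);
    auto n = static_cast<std::size_t>(std::count(a.predecessors.begin(), a.predecessors.end(), &sw));
    return {n, predecessorsUnique(a) && predecessorsUnique(b) && !a.mark && !b.mark};
}
```

The real edge-splitting pass assumes a predecessor appears once per block, which is why the duplicate leads to the `predecessors_[j] != old` assertion; the deduplicated path keeps that invariant and leaves the mark bits clear for later passes.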
Comment 6 • 8 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/f53dbc1c638a
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48