Closed Bug 1259911 Opened 4 years ago Closed 4 years ago

[wasm] Assertion failure: predecessors_[j] != old, at js/src/jit/MIRGraph.cpp:1465

Categories: Core :: JavaScript Engine, defect, critical
Hardware: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla48
Tracking Status: firefox48 --- fixed

People: Reporter: decoder, Assigned: bbouvier

References: Blocks 1 open bug

Details: Keywords: assertion, testcase

Attachments: 2 files, 1 obsolete file

The attached binary WebAssembly testcase crashes on mozilla-inbound revision 0fad49a543ea+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu --enable-simulator=arm). To reproduce, you can run the following code in the JS shell:

// Path to the attached testcase (placeholder: substitute the path of the "Testcase" attachment).
var file = "testcase.wasm";
// Read the binary module and hand it to the wasm compiler; compiling it triggers the assertion.
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==32121==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x08fe067c bp 0xfff98568 sp 0xfff98530 T0)
==32121==The signal is caused by a WRITE memory access.
==32121==Hint: address points to the zero page.
    #0 0x8fe067b in js::jit::MBasicBlock::replacePredecessor(js::jit::MBasicBlock*, js::jit::MBasicBlock*) js/src/jit/MIRGraph.cpp:1465:17
    #1 0x8fdc08a in js::jit::MBasicBlock::NewSplitEdge(js::jit::MIRGraph&, js::jit::CompileInfo const&, js::jit::MBasicBlock*, unsigned int, js::jit::MBasicBlock*) js/src/jit/MIRGraph.cpp:405:5
    #2 0x8bef570 in SplitCriticalEdgesForBlock(js::jit::MIRGraph&, js::jit::MBasicBlock*) js/src/jit/IonAnalysis.cpp:426:30
    #3 0x8bef570 in js::jit::SplitCriticalEdges(js::jit::MIRGraph&) js/src/jit/IonAnalysis.cpp:441
    #4 0x8b96809 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1494:14
    #5 0x8364517 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3122:14
    #6 0x832ff79 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:815:14
    #7 0x82c5123 in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1359:12
    #8 0x82c5123 in DecodeFunctionBodies(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1387
    #9 0x82c5123 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1486
    #10 0x82b8791 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1643:10
    #11 0x8221ad8 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5212:14
    #12 0x9e577e1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #24 0x80ab2c8 in _start (/home/ubuntu/build/build/js+0x80ab2c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/MIRGraph.cpp:1465:17 in js::jit::MBasicBlock::replacePredecessor(js::jit::MBasicBlock*, js::jit::MBasicBlock*)
==32121==ABORTING


This bug appears to be ARM only.
Attached file Testcase
Attached patch 1259911.patch (obsolete) — Splinter Review
We should make sure that we don't add a block as the predecessor of another block several times, which can easily happen with br_table. Nice find, AFL!
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8735914 - Flags: review?(sunfish)
Attached patch 1259911.patch — Splinter Review
Simpler patch that doesn't use a malloc'd hash set.
Attachment #8735914 - Attachment is obsolete: true
Attachment #8735914 - Flags: review?(sunfish)
Attachment #8735931 - Flags: review?(sunfish)
Comment on attachment 8735931 [details] [diff] [review]
1259911.patch

Review of attachment 8735931 [details] [diff] [review]:
-----------------------------------------------------------------

Good idea to use the mark flag!
Attachment #8735931 - Flags: review?(sunfish) → review+
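As an added illustration (not the patch attached to this bug and not SpiderMonkey's own code), the toy graph below models what the two patch comments and the review describe: a br_table whose table lists the same target block more than once, lowered once naively (the source block is appended as a predecessor once per table entry, which is the duplicate the assertion at MIRGraph.cpp:1465 catches) and once with a per-block mark flag that links each distinct target a single time without allocating a hash set. Block, lowerBrTableNaive, lowerBrTableDedup, predecessorsUnique and runScenario are hypothetical names for this example only.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model of a control-flow-graph block. Each block records its predecessor
// edges, like the predecessors_ vector the assertion checks for duplicates.
// The mark flag stands in for a scratch mark bit on the block.
struct Block {
    uint32_t id;
    std::vector<Block*> predecessors;
    bool mark = false;

    explicit Block(uint32_t i) : id(i) {}

    void addPredecessor(Block* pred) { predecessors.push_back(pred); }

    // How many times pred is recorded as a predecessor; a well-formed graph
    // never yields more than one.
    size_t predecessorCount(const Block* pred) const {
        size_t n = 0;
        for (const Block* p : predecessors) {
            if (p == pred) ++n;
        }
        return n;
    }
};

// Naive br_table lowering: every table entry and the default target gets the
// source block appended as a predecessor, so a target listed twice in the
// table is linked twice. This is the shape of the defect in the report.
void lowerBrTableNaive(Block* source, const std::vector<Block*>& targets, Block* defaultTarget) {
    for (Block* t : targets) t->addPredecessor(source);
    defaultTarget->addPredecessor(source);
}

// Deduplicating lowering with the mark flag: link a target only the first time
// it is seen, then walk the same targets again to clear the marks. No hash set
// is allocated; the marks live on the blocks themselves.
void lowerBrTableDedup(Block* source, const std::vector<Block*>& targets, Block* defaultTarget) {
    auto linkOnce = [&](Block* t) {
        if (t->mark) return;
        t->mark = true;
        t->addPredecessor(source);
    };
    for (Block* t : targets) linkOnce(t);
    linkOnce(defaultTarget);
    for (Block* t : targets) t->mark = false;
    defaultTarget->mark = false;
}

// The invariant behind the assertion: no block appears more than once in any
// block's predecessor list.
bool predecessorsUnique(const std::vector<Block*>& blocks) {
    for (const Block* b : blocks) {
        for (const Block* p : b->predecessors) {
            if (b->predecessorCount(p) != 1) return false;
        }
    }
    return true;
}

struct Outcome {
    size_t linksToB1;  // predecessor entries for the source block in block 1
    size_t linksToB2;  // predecessor entries for the source block in block 2
    bool unique;       // whether the invariant held after lowering
};

// Constructed scenario: a br_table in block 0 whose entries are [1, 1, 2, 1]
// with block 2 as the default target, lowered with either strategy.
Outcome runScenario(bool dedup) {
    Block b0(0), b1(1), b2(2);
    std::vector<Block*> targets = {&b1, &b1, &b2, &b1};
    if (dedup) {
        lowerBrTableDedup(&b0, targets, &b2);
    } else {
        lowerBrTableNaive(&b0, targets, &b2);
    }
    return {b1.predecessorCount(&b0), b2.predecessorCount(&b0),
            predecessorsUnique({&b0, &b1, &b2})};
}
```

With the naive lowering block 1 ends up with three entries for block 0 and block 2 with two (one from the table, one as the default), which is exactly the state the `predecessors_[j] != old` assertion rejects once edge splitting rewrites those edges; the mark-flag version yields one entry per distinct target and keeps the graph well-formed.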
https://hg.mozilla.org/mozilla-central/rev/f53dbc1c638a
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48