Closed
Bug 1275225
Opened 8 years ago
Closed 8 years ago
[wasm] Hit MOZ_CRASH(NYI) at js/src/jit/arm/Lowering-arm.cpp:170
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1275224
| | Tracking | Status |
|---|---|---|
| firefox49 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
78 bytes,
application/octet-stream
The attached binary WebAssembly testcase crashes on mozilla-inbound revision 3b45aeb5288a+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu --enable-simulator=arm).

To reproduce, you can run the following code in the JS shell:

```
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));
```

Backtrace:

```
==3625==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x09793379 bp 0xffc00a78 sp 0xffc00a50 T0)
    #0 0x9793378 in js::jit::LIRGeneratorARM::lowerForALUInt64(js::jit::LInstructionHelper<2u, 4u, 0u>*, js::jit::MDefinition*, js::jit::MDefinition*, js::jit::MDefinition*) js/src/jit/arm/Lowering-arm.cpp:170:5
    #1 0x9161e69 in js::jit::LIRGenerator::lowerBitOp(JSOp, js::jit::MInstruction*) js/src/jit/Lowering.cpp:1134:9
    #2 0x9164206 in js::jit::LIRGenerator::visitBitAnd(js::jit::MBitAnd*) js/src/jit/Lowering.cpp:1210:9
    #3 0x966fad7 in js::jit::MBitAnd::accept(js::jit::MDefinitionVisitor*) js/src/jit/MIR.h:5860:5
    #4 0x91fa04f in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) js/src/jit/Lowering.cpp:4733:5
    #5 0x91fb617 in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) js/src/jit/Lowering.cpp:4810:14
    #6 0x91fc22c in js::jit::LIRGenerator::generate() js/src/jit/Lowering.cpp:4859:14
    #7 0x8de1434 in js::jit::GenerateLIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1881:14
    #8 0x83d0522 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3455:25
    #9 0x837f1c4 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:823:14
    #10 0x82eeebf in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:966:12
    #11 0x82eeebf in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:994
    #12 0x82eeebf in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1093
    #13 0x82e0dfb in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1250:10
    #14 0x8217bbc in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5220:14
[...]
    #29 0x80aae3c in _start (/home/ubuntu/build/build/js+0x80aae3c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/arm/Lowering-arm.cpp:170:5 in js::jit::LIRGeneratorARM::lowerForALUInt64(js::jit::LInstructionHelper<2u, 4u, 0u>*, js::jit::MDefinition*, js::jit::MDefinition*, js::jit::MDefinition*)
==3625==ABORTING
```
Reporter
Comment 1•8 years ago
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE