1277408 - Assertion failure: reinterpret_cast<Instruction*>(jump)->is<InstNOP>(), at js/src/jit/arm/MacroAssembler-arm.cpp:4848

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 25321494921c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --no-threads --baseline-eager --arm-asm-nop-fill=1):

enableSPSProfiling("in");
(function(stdlib) {
    "use asm";
    function f() {}
    return f;
})(this)();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x084a0966 in js::jit::MacroAssembler::patchNopToNearJump (jump=jump@entry=0xf7fc1040 "\377\377\377", <incomplete sequence \352>, target=target@entry=0xf7fc100c "\004\340", <incomplete sequence \345>) at js/src/jit/arm/MacroAssembler-arm.cpp:4848
#0  0x084a0966 in js::jit::MacroAssembler::patchNopToNearJump (jump=jump@entry=0xf7fc1040 "\377\377\377", <incomplete sequence \352>, target=target@entry=0xf7fc100c "\004\340", <incomplete sequence \345>) at js/src/jit/arm/MacroAssembler-arm.cpp:4848
#1  0x08215d97 in js::wasm::ToggleProfiling (module=..., codeRange=..., enabled=enabled@entry=true) at js/src/asmjs/WasmFrameIterator.cpp:782
#2  0x08220106 in js::wasm::Module::setProfilingEnabled (this=this@entry=0xf5f6c500, cx=cx@entry=0xf794b500, enabled=true) at js/src/asmjs/WasmModule.cpp:819
#3  0x08229119 in js::wasm::Module::callExport (this=this@entry=0xf5f6c500, cx=cx@entry=0xf794b500, exportIndex=0, args=...) at js/src/asmjs/WasmModule.cpp:1316
#4  0x082295b8 in WasmCall (cx=0xf794b500, argc=0, vp=0xf64ffee0) at js/src/asmjs/WasmModule.cpp:1121
#5  0x086cf3aa in js::CallJSNative (cx=0xf794b500, native=0x82294f0 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#27 main (argc=6, argv=0xffffcc24, envp=0xffffcc40) at js/src/shell/js.cpp:7466
eax	0x0	0
ebx	0x98c8ce4	160206052
ecx	0xf7d97864	-136742812
edx	0x0	0
esi	0xf7fc1040	-134475712
edi	0xf7fc1000	-134475776
ebp	0xffffb748	4294948680
esp	0xffffb730	4294948656
eip	0x84a0966 <js::jit::MacroAssembler::patchNopToNearJump(unsigned char*, unsigned char*)+198>
=> 0x84a0966 <js::jit::MacroAssembler::patchNopToNearJump(unsigned char*, unsigned char*)+198>:	movl   $0x12f0,0x0
   0x84a0970 <js::jit::MacroAssembler::patchNopToNearJump(unsigned char*, unsigned char*)+208>:	call   0x810c1f0 <abort()>

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d21a912dfd85
user:        Luke Wagner
date:        Mon May 30 10:09:53 2016 -0500
summary:     Bug 1271010 - Baldr: add real heterogeneous function table (r=bbouvier)

This iteration took 224.217 seconds to run.

Comment 2

[Luke Wagner [:luke]]

Attachment: auto-forbid-pools

D'oh, should've read my own comment when hoisting this code.  This would've been caught by today's test suite by running:
  jit_test.py ../obj/arm32/dist/bin/js --args="--arm-asm-nop-fill=1" wasm/profiling.js

I should remember to do that :)

Comment 3

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0df235f3ea95
Odin: don't forget to AutoForbidPools in the prologue nop either (r=bbouvier)

Comment 4

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/0df235f3ea95