Closed Bug 1278183 Opened 8 years ago Closed 8 years ago

Hit MOZ_CRASH(Bad type) at js/src/jit/Lowering.cpp:932

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla50
Tracking Flags:
Tracking Status
firefox49 --- affected
firefox50 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Testcase
104 bytes, application/octet-stream
Details
testi64.patch
8.54 KB, patch
lth
: review+
Details | Diff | Splinter Review 
The attached binary WebAssembly testcase crashes on mozilla-inbound revision 6862e8f62027+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));



Backtrace:

==10226==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000010d09ab bp 0x7ffd2a973df0 sp 0x7ffd2a973b20 T0)
    #0 0x10d09aa in js::jit::LNode::LNode() js/src/jit/LIR.h:665:9
    #1 0x10d09aa in js::jit::LInstruction::LInstruction() js/src/jit/LIR.h:803
    #2 0x10d09aa in js::jit::details::LInstructionFixedDefsTempsHelper<0ul, 0ul>::LInstructionFixedDefsTempsHelper() js/src/jit/LIR.h:1047
    #3 0x10d09aa in js::jit::LInstructionHelper<0ul, 2ul, 0ul>::LInstructionHelper() js/src/jit/LIR.h:1105
    #4 0x10d09aa in js::jit::LControlInstructionHelper<2ul, 2ul, 0ul>::LControlInstructionHelper() js/src/jit/shared/LIR-shared.h:835
    #5 0x10d09aa in js::jit::LCompareDAndBranch::LCompareDAndBranch(js::jit::MCompare*, js::jit::LAllocation const&, js::jit::LAllocation const&, js::jit::MBasicBlock*, js::jit::MBasicBlock*) js/src/jit/shared/LIR-shared.h:2486
    #6 0x10d09aa in js::jit::LIRGenerator::visitTest(js::jit::MTest*) js/src/jit/Lowering.cpp:859
    #7 0x115be44 in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) js/src/jit/Lowering.cpp:4735:5
    #8 0x115d139 in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) js/src/jit/Lowering.cpp:4839:10
    #9 0x115d7ee in js::jit::LIRGenerator::generate() js/src/jit/Lowering.cpp:4861:14
    #10 0xe6d667 in js::jit::GenerateLIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1896:14
    #11 0x70bdbc in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3451:25
    #12 0x6bcf84 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:825:14
    #13 0x647fea in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:940:12
    #14 0x647fea in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:968
    #15 0x647fea in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1067
    #16 0x63c4fd in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1224:10
    #17 0x59920e in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5189:14
    #18 0x1e8da51 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #31 0x460e58 in _start (/home/ubuntu/build/build/js+0x460e58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/LIR.h:665:9 in js::jit::LNode::LNode()
==10226==ABORTING
Attached file Testcase 
Flags: needinfo?(bbouvier)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        testi64.patchSplinter Review
      

    


  
MTest(MNot(x), ifTrue, ifFalse) gets folded into MTest(x, ifFalse, ifTrue). MNot(int64) has result type i32, so MTest sees an int32 input; but when we fold the MNot, the MTest sees an int64 input that is not a comparison, KABOUM.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)

        Attachment #8761492 -
        Flags: review?(lhansen)

        Attachment #8761492 -
        Flags: review?(lhansen) → review+

    
    

    
  
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ed8f19f31b54
Implement MTest for int64 inputs; r=lth

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/ed8f19f31b54
Status: ASSIGNED → RESOLVED
Closed: 8 years ago

          status-firefox50:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: