Closed Bug 1280921 Opened 8 years ago Closed 8 years ago

[wasm] Hit MOZ_CRASH(select type) at js/src/asmjs/WasmBaselineCompile.cpp:5428

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla50
Tracking Flags:
Tracking Status
firefox50 --- fixed

People

(Reporter: decoder, Assigned: lth)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Testcase
70 bytes, application/octet-stream
Details
bug1280921-select-any.patch
1.87 KB, patch
bbouvier
: review+
Details | Diff | Splinter Review 
The attached binary WebAssembly testcase crashes on mozilla-inbound revision e9723c6c6136+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):

var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));



Backtrace:

==31025==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000029e30ed bp 0x7fff2fc39df0 sp 0x7fff2fc39be0 T0)
    #0 0x29e30ec in js::oom::HadSimulatedOOM() dist/include/js/Utility.h:146:23
    #1 0x29e30ec in js::jit::Label::~Label() js/src/jit/Label.h:92
    #2 0x29e30ec in js::wasm::BaseCompiler::emitSelect() js/src/asmjs/WasmBaselineCompile.cpp:5415
    #3 0x29e7c25 in js::wasm::BaseCompiler::emitBody() js/src/asmjs/WasmBaselineCompile.cpp:5729:13
    #4 0x29f0745 in js::wasm::BaseCompiler::emitFunction() js/src/asmjs/WasmBaselineCompile.cpp:6215:10
    #5 0x29f47a2 in js::wasm::BaselineCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmBaselineCompile.cpp:6482:10
    #6 0x72c845 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3477:16
    #7 0x6afca0 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
    #8 0x645e3d in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:940:12
    #9 0x645e3d in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:968
    #10 0x645e3d in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, js::wasm::ShareableBytes const&, JS::MutableHandle<js::ArrayBufferObject*>) js/src/asmjs/Wasm.cpp:1141
    #11 0x63bc72 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/Wasm.cpp:1249:27
    #12 0x59a42e in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5226:14
    #13 0x1ea21d1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #26 0x461088 in _start (/home/ubuntu/build/build/js+0x461088)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dist/include/js/Utility.h:146:23 in js::oom::HadSimulatedOOM()
==31025==ABORTING
Attached file Testcase 

    
    

    
  
This is a frequent issue, marking as fuzzblocker.
Whiteboard: [fuzzblocker]

    
    

    
  
In one sense this is arguably a simple bug: the SELECT operator allows the types of the arms of the select to unify as ANY so long as the condition does not yield a value (in this case it is UNREACHABLE), but the implementation of SELECT in the compiler does not handle ANY.

On the other hand, this is a case like in bug 1280927 where we do not handle unreachable code properly.  Leaving this open as a separate bug since it is arguably a separate case.
Assignee: nobody → lhansen

    
    

    
  


  
Fix and test case.

        Attachment #8764224 -
        Flags: review?(bbouvier)

    
    

    
  
Comment on attachment 8764224 [details] [diff] [review]
bug1280921-select-any.patch

Review of attachment 8764224 [details] [diff] [review]:
-----------------------------------------------------------------

OK, but this should be fixed by the other bug tracking whether we're in dead code, right? In any case, r=me for this one, but if the dead code tracking of the other bug fixes it, let's prefer that and just keep the test of this bug.

::: js/src/jit-test/tests/wasm/regress/select-any.js
@@ +7,5 @@
> +`(module
> +  (type $type0 (func))
> +  (func $func0
> +   (select (unreachable) (return (nop)) (loop (i32.const 1)))
> +   (select (i32.const 26) (unreachable) (i32.const 3))))`);

Could you make it run in a try/catch and assert that we hit the unreachable target?

        Attachment #8764224 -
        Flags: review?(bbouvier) → review+

    
    

    
  
(In reply to Benjamin Bouvier [:bbouvier] from comment #5)
> Comment on attachment 8764224 [details] [diff] [review]
> bug1280921-select-any.patch
> 
> Review of attachment 8764224 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> OK, but this should be fixed by the other bug tracking whether we're in dead
> code, right? 

I believe so.
 
> Could you make it run in a try/catch and assert that we hit the unreachable
> target?

Yes.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/29a921093680
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox50:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: