Closed Bug 1280926 Opened 8 years ago Closed 8 years ago

[wasm] Assertion failure: imm < 32, at js/src/jit/x86-shared/BaseAssembler-x86-shared.h:1433

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla50
Tracking Status: firefox50 --- fixed
People: Reporter: decoder, Assigned: lth
Keywords: assertion, testcase
Attachments: 2 files

The attached binary WebAssembly testcase crashes on mozilla-inbound revision e9723c6c6136+ (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):

// 'file' is the path to the attached binary testcase
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==8318==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000dbdd46 bp 0x7ffc6ed9e110 sp 0x7ffc6ed9e060 T0)
    #0 0xdbdd45 in MOZ_ReportAssertionFailure(char const*, char const*, int) /srv/jenkins/jobs/mozilla-inbound-build-wasm/workspace/arch/64/type/debug/dist/include/mozilla/Assertions.h:164:10
    #1 0xdbdd45 in js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::immediate8u(unsigned int) js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4981
    #2 0xdbdd45 in js::jit::X86Encoding::BaseAssembler::sarl_ir(int, js::jit::X86Encoding::RegisterID) js/src/jit/x86-shared/BaseAssembler-x86-shared.h:1439
    #3 0x29c6519 in js::jit::AssemblerX86Shared::sarl(js::jit::Imm32, js::jit::Register) js/src/jit/x86-shared/Assembler-x86-shared.h:1678:9
    #4 0x29c6519 in js::wasm::BaseCompiler::rshiftI32(int, js::wasm::BaseCompiler::RegI32) js/src/asmjs/WasmBaselineCompile.cpp:2462
    #5 0x29c6519 in js::wasm::BaseCompiler::emitShrI32() js/src/asmjs/WasmBaselineCompile.cpp:3807
    #6 0x29e7f52 in js::wasm::BaseCompiler::emitBody() js/src/asmjs/WasmBaselineCompile.cpp:5789:13
    #7 0x29f0745 in js::wasm::BaseCompiler::emitFunction() js/src/asmjs/WasmBaselineCompile.cpp:6215:10
    #8 0x29f47a2 in js::wasm::BaselineCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmBaselineCompile.cpp:6482:10
    #9 0x72c845 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3477:16
    #10 0x6afca0 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
    #11 0x645e3d in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:940:12
    #12 0x645e3d in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:968
    #13 0x645e3d in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, js::wasm::ShareableBytes const&, JS::MutableHandle<js::ArrayBufferObject*>) js/src/asmjs/Wasm.cpp:1141
    #14 0x63bc72 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/Wasm.cpp:1249:27
    #15 0x59a42e in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5226:14
    #16 0x1ea21d1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #29 0x461088 in _start (/home/ubuntu/build/build/js+0x461088)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /srv/jenkins/jobs/mozilla-inbound-build-wasm/workspace/arch/64/type/debug/dist/include/mozilla/Assertions.h:164:10 in MOZ_ReportAssertionFailure(char const*, char const*, int)
==8318==ABORTING
Attached file Testcase
Assignee: nobody → lhansen
Indeed.  I stumbled over this when I was working on the ARM code but forgot to backport the fix.
Fix + test case.
Attachment #8764176 - Flags: review?(bbouvier)
Comment on attachment 8764176 [details] [diff] [review]
bug1280926-shift-counts.patch

Review of attachment 8764176 [details] [diff] [review]:
-----------------------------------------------------------------

Duh, thanks!

::: js/src/asmjs/WasmBaselineCompile.cpp
@@ +3765,5 @@
>  {
>      int32_t c;
>      if (popConstI32(c)) {
>          RegI32 r = popI32();
> +        lshiftI32(c & 31, r);
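Review bot: the visible hunk masks the constant count only at the lshiftI32 call site, but the assertion in this bug fires under rshiftI32 (via emitShrI32, frames #4/#5 of the backtrace), so the popConstI32 paths feeding rshiftI32 and rshiftU32 need the same `c & 31`; the attached test case should exercise a count of at least 32 and a negative constant (for which `c & 31` yields 31) for all three shift operators, since the hardware cl-register path never sees these values and the constant path is the only one that can reach the `imm < 32` assert.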

I'd put the masking directly in the lshiftI32 / rshiftI32 / rshiftU32, just in case they are reused later for other purposes.
Attachment #8764176 - Flags: review?(bbouvier) → review+
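As an added illustration (not code from the patch or from SpiderMonkey; the names emitShiftImm, lshiftI32Buggy, lshiftI32Fixed and wasmShrS are hypothetical), a small model of the constant-shift path: x86 shift-by-immediate is encoded as `C1 /r ib` and the assembler asserts `imm < 32`, so a WebAssembly count of 32 or more, or a negative constant, must be reduced modulo 32 before it reaches the encoder, which is exactly what the `c & 31` in the patch does.

```cpp
#include <cstdint>

// ModRM /reg fields for the C1 shift-by-immediate opcode group.
enum class Shift { Shl = 4, ShrU = 5, ShrS = 7 };

// Models the assembler: writes "C1 modrm imm8" into out and returns the
// byte count, or -1 where the real assembler would trip "imm < 32".
int emitShiftImm(uint8_t* out, Shift op, unsigned reg, uint32_t imm) {
    if (imm >= 32) return -1;                         // the failing assertion
    out[0] = 0xC1;
    out[1] = static_cast<uint8_t>(0xC0 | (static_cast<int>(op) << 3) | (reg & 7));
    out[2] = static_cast<uint8_t>(imm);
    return 3;
}

// Before the fix: the wasm constant is passed straight to the encoder,
// so i32.shl with a count >= 32 (or a negative constant) hits the assert.
int lshiftI32Buggy(uint8_t* out, unsigned reg, int32_t c) {
    return emitShiftImm(out, Shift::Shl, reg, static_cast<uint32_t>(c));
}

// After the fix: wasm defines the count modulo 32, so mask before encoding.
int lshiftI32Fixed(uint8_t* out, unsigned reg, int32_t c) {
    return emitShiftImm(out, Shift::Shl, reg, static_cast<uint32_t>(c) & 31);
}

// Reference semantics of wasm i32.shr_s, to check the masked count agrees
// with what the generated sarl must compute (assumes arithmetic >> on int32_t).
int32_t wasmShrS(int32_t x, int32_t c) {
    return x >> (static_cast<uint32_t>(c) & 31);
}
```

The masked encoder produces `C1 E0 01` for a count of 33, the same instruction as for a count of 1, matching the wasm semantics.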
https://hg.mozilla.org/mozilla-central/rev/f187b8181508
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50