Closed
Bug 1280929
Opened 9 years ago
Closed 9 years ago
[wasm] Hit MOZ_CRASH(Compiler bug: expected long on stack) at js/src/asmjs/WasmBaselineCompile.cpp:1283
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1280927
Tracking | Status | |
---|---|---|
firefox50 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase)
Attachments
(1 file)
187 bytes,
application/octet-stream
The attached binary WebAssembly testcase crashes on mozilla-inbound revision e9723c6c6136+ (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):
// `file` is the path to the attached .wasm testcase; read it as raw bytes
var data = os.file.readFile(file, 'binary');
// hand the bytes to the (pre-standard) shell API, which decodes and compiles the module
Wasm.instantiateModule(new Uint8Array(data.buffer));
Backtrace:
==28419==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002a0ffd0 bp 0x7ffdf7a28150 sp 0x7ffdf7a28140 T0)
#0 0x2a0ffcf in js::wasm::BaseCompiler::popI64(js::wasm::BaseCompiler::Stk&, js::wasm::BaseCompiler::RegI64) js/src/asmjs/WasmBaselineCompile.cpp:1271:13
#1 0x29f4f25 in js::wasm::BaseCompiler::popI64() js/src/asmjs/WasmBaselineCompile.cpp:1294:13
#2 0x29f4f25 in js::wasm::BaseCompiler::pop2xI64(js::wasm::BaseCompiler::RegI64*, js::wasm::BaseCompiler::RegI64*) js/src/asmjs/WasmBaselineCompile.cpp:3096
#3 0x29c544a in js::wasm::BaseCompiler::emitXorI64() js/src/asmjs/WasmBaselineCompile.cpp:3755:5
#4 0x29e7b7c in js::wasm::BaseCompiler::emitBody() js/src/asmjs/WasmBaselineCompile.cpp:5855:13
#5 0x29f0745 in js::wasm::BaseCompiler::emitFunction() js/src/asmjs/WasmBaselineCompile.cpp:6215:10
#6 0x29f47a2 in js::wasm::BaselineCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmBaselineCompile.cpp:6482:10
#7 0x72c845 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3477:16
#8 0x6afca0 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:824:14
#9 0x645e3d in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:940:12
#10 0x645e3d in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:968
#11 0x645e3d in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, js::wasm::ShareableBytes const&, JS::MutableHandle<js::ArrayBufferObject*>) js/src/asmjs/Wasm.cpp:1141
#12 0x63bc72 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/Wasm.cpp:1249:27
#13 0x59a42e in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5226:14
#14 0x1ea21d1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
#27 0x461088 in _start (/home/ubuntu/build/build/js+0x461088)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/asmjs/WasmBaselineCompile.cpp:1271:13 in js::wasm::BaseCompiler::popI64(js::wasm::BaseCompiler::Stk&, js::wasm::BaseCompiler::RegI64)
==28419==ABORTING
Comment 1•9 years ago
Comment 2•9 years ago
Test case uploaded incorrectly? I get a validation error with both compilers:
Process 23971 launched: '/Users/lhansen/moz/mozilla-wasm/js/src/build-debug/dist/bin/js' (x86_64)
test1280929.wasm.js:2:7 TypeError: wasm validation error at offset 124: function section byte size mismatch
Stack:
@test1280929.wasm.js:2:7
Process 23971 exited with status = 3 (0x00000003)
Flags: needinfo?(choller)
Comment 3•9 years ago
I can repro now. The problem here was that I had a wasmBinaryToText call that didn't handle the code correctly and it was masking the problem; I did not realize this until I ran into the same problem with a later test case.
Flags: needinfo?(choller)
Comment 4•9 years ago
This is almost certainly the unreachable-code problem of bug 1280927 again.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE