Bug 1285198 - Hit MOZ_CRASH(Compiler bug: expected double on stack) at js/src/asmjs/WasmBaselineCompile.cpp:1340
Status: Closed, RESOLVED DUPLICATE of bug 1280927 (opened 9 years ago, closed 9 years ago)
Categories: Core :: JavaScript Engine, defect
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | affected |
People: Reporter: decoder, Unassigned
Keywords: assertion, crash, testcase
Attachments (1 file): 87 bytes, application/octet-stream
The attached binary WebAssembly testcase crashes on mozilla-inbound revision ab8e9e4b893d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):
```js
// Path of the attached 87-byte binary testcase; "testcase.wasm" is a placeholder,
// substitute the path you saved the attachment to.
var file = "testcase.wasm";
// Read the raw bytes and hand them to the baseline/ion wasm compiler.
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));
```
Backtrace:
```
==4792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000029e37ea bp 0x7f21941e60f0 sp 0x7f21941e6040 T16)
#0 0x29e37e9 in js::wasm::BaseCompiler::popF64(js::wasm::BaseCompiler::Stk&, js::wasm::BaseCompiler::RegF64) js/src/asmjs/WasmBaselineCompile.cpp:1340:13
#1 0x2999f75 in js::wasm::BaseCompiler::popF64() js/src/asmjs/WasmBaselineCompile.cpp:1351:13
#2 0x2999f75 in js::wasm::BaseCompiler::emitAbsF64() js/src/asmjs/WasmBaselineCompile.cpp:4062
#3 0x29b7a1d in js::wasm::BaseCompiler::emitBody() js/src/asmjs/WasmBaselineCompile.cpp:5988:13
#4 0x29be945 in js::wasm::BaseCompiler::emitFunction() js/src/asmjs/WasmBaselineCompile.cpp:6228:10
#5 0x29c29a2 in js::wasm::BaselineCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmBaselineCompile.cpp:6495:10
#6 0x72d945 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3477:16
#7 0x1e10af3 in js::HelperThread::handleWasmWorkload() js/src/vm/HelperThreads.cpp:1368:19
#8 0x1e0f7ea in js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:1724:13
#9 0x20303a8 in nspr::Thread::ThreadRoutine(void*) js/src/vm/PosixNSPR.cpp:45:5
#10 0x7f2199b466f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
#11 0x7f21989b5b5c in clone /build/glibc-GKVZIf/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
```
This still seems to reproduce after the bunch of fixes we made for a similar class of bugs.
Comment 1 (Reporter)•9 years ago
Comment 2•9 years ago
I'll take a look but it won't be until next week probably.
QA Contact: lhansen
Comment 3•9 years ago
Can't reproduce on m-i tip, I get this error instead, both with --wasm-always-baseline and without:
test1285198.js:2:1 TypeError: wasm error: compile error at offset 73: function section byte size mismatch
The rev cited in comment 0 appears to predate an important fix to WasmBaselineCompile.cpp that deals with dead code. Can you repro with current m-i or m-c?
Flags: needinfo?(choller)
Comment 4 (Reporter)•9 years ago
Nope, this doesn't seem to appear in fuzzing anymore either. Closing as fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED
Comment 5•9 years ago
The first good revision is:
```
changeset: 303497:9c56c98ab5f9
user: Lars T Hansen <lhansen@mozilla.com>
date: Tue Jun 21 20:50:41 2016 +0200
summary: Bug 1280927 - skip unreachable code. r=luke
```
Resolution: FIXED → DUPLICATE
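To make the bug class in this thread concrete, here is an added, constructed C++ model (not SpiderMonkey code, and not the contents of WasmBaselineCompile.cpp) of a one-pass, stack-typed baseline emitter. The wasm validator treats the operand stack as polymorphic after an unconditional transfer such as `return`, so an `f64.abs` placed after it still validates even though the compiler's own value stack holds no f64 there; an emitter that keeps lowering ops in that dead region then pops the wrong kind of entry, which is the condition the "expected double on stack" check guards against. The `skipDeadCode` flag models the fix named in comment 5, "skip unreachable code". All names (`MiniBaseline`, `Op`, `Stk`, `Status`, `compile`, `popF64`) and the sample body are assumptions made for this illustration.

```cpp
#include <cmath>
#include <cstddef>
#include <vector>

// Constructed model: a typed value stack as a baseline compiler would keep it.
enum class Ty { I32, F64 };
enum class Op { ConstI32, ConstF64, AbsF64, Return, End };
enum class Status { Ok, TypeMismatch, Underflow };

struct Stk {
  Ty ty;
  double val;
};

class MiniBaseline {
 public:
  // skipDeadCode=false models the pre-fix emitter; true models the fix:
  // nothing is lowered in an unreachable region until the enclosing block ends.
  explicit MiniBaseline(bool skipDeadCode) : skipDeadCode_(skipDeadCode) {}

  Status compile(const std::vector<Op>& body) {
    for (Op op : body) {
      if (op == Op::End) {
        deadCode_ = false;  // block end closes the dead region; stack is reset
        stk_.clear();
        continue;
      }
      if (skipDeadCode_ && deadCode_) {
        continue;  // the fix: unreachable ops are never lowered
      }
      Status s = emit(op);
      if (s != Status::Ok) return s;
    }
    return Status::Ok;
  }

  std::size_t emitted() const { return emitted_; }

 private:
  Status emit(Op op) {
    switch (op) {
      case Op::ConstI32:
        stk_.push_back({Ty::I32, 0.0});
        break;
      case Op::ConstF64:
        stk_.push_back({Ty::F64, -2.5});
        break;
      case Op::AbsF64: {
        double v = 0.0;
        Status s = popF64(&v);  // the check that fires in the reported crash
        if (s != Status::Ok) return s;
        stk_.push_back({Ty::F64, std::fabs(v)});
        break;
      }
      case Op::Return:
        // Consumes the return value; everything after it is unreachable.
        if (!stk_.empty()) stk_.pop_back();
        deadCode_ = true;
        break;
      case Op::End:
        break;  // handled in compile()
    }
    ++emitted_;
    return Status::Ok;
  }

  // Model of popF64: the top entry must be an f64, otherwise the compiler's
  // stack no longer matches what validation promised ("expected double on stack").
  Status popF64(double* out) {
    if (stk_.empty()) return Status::Underflow;
    Stk top = stk_.back();
    if (top.ty != Ty::F64) return Status::TypeMismatch;
    stk_.pop_back();
    *out = top.val;
    return Status::Ok;
  }

  std::vector<Stk> stk_;
  bool deadCode_ = false;
  bool skipDeadCode_;
  std::size_t emitted_ = 0;
};

// Constructed body: i32.const, f64.const, return, f64.abs, end. It validates
// (f64.abs sits in the polymorphic region after return), but after `return`
// the compiler's stack holds only the i32.
const std::vector<Op> kAbsAfterReturn = {Op::ConstI32, Op::ConstF64, Op::Return,
                                         Op::AbsF64, Op::End};

Status compileWithoutDeadCodeSkip() { return MiniBaseline(false).compile(kAbsAfterReturn); }
Status compileWithDeadCodeSkip() { return MiniBaseline(true).compile(kAbsAfterReturn); }
```

Without the dead-code check the model reports `TypeMismatch` at the `f64.abs`, the analogue of the MOZ_CRASH in the backtrace; with it, the op is never lowered and compilation succeeds. The point for reviewers of any one-pass code generator is the same: validation may accept operand stacks the emitter does not track, so emission must be gated on reachability rather than on validity alone.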
Updated•4 years ago
QA Contact: lhansen