1286193 - Assertion failure: kind_ == DefinitionKind::Function, at js/src/asmjs/WasmAST.h:540

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1bee8d2da23e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

const textToBinary = str => wasmTextToBinary(str, textToBinary[gcstate]);
const code = textToBinary('(module (import "x" "y" (memory 1 1)))');


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x08450003 in js::wasm::AstImport::funcSig (this=0xf7990290) at js/src/asmjs/WasmAST.h:540
#0  0x08450003 in js::wasm::AstImport::funcSig (this=0xf7990290) at js/src/asmjs/WasmAST.h:540
#1  EncodeImport (imp=..., newFormat=false, e=...) at js/src/asmjs/WasmTextToBinary.cpp:3455
#2  EncodeImportSection (module=..., newFormat=<optimized out>, e=...) at js/src/asmjs/WasmTextToBinary.cpp:3504
#3  EncodeModule (bytes=<optimized out>, newFormat=<optimized out>, module=...) at js/src/asmjs/WasmTextToBinary.cpp:3757
#4  js::wasm::TextToBinary (text=0xf4b0d400 u"(module (import \"x\" \"y\" (memory 1 1)))", newFormat=false, bytes=0xffffc8f8, error=0xffffc8cc) at js/src/asmjs/WasmTextToBinary.cpp:3794
#5  0x088ab72d in WasmTextToBinary (cx=0xf7934000, argc=2, vp=0xf4b550b0) at js/src/builtin/TestingFunctions.cpp:561
#6  0x0871104b in js::CallJSNative (cx=0xf7934000, native=0x88ab510 <WasmTextToBinary(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
[...]
#25 main (argc=3, argv=0xffffd8e4, envp=0xffffd8f4) at js/src/shell/js.cpp:7518
eax	0x0	0
ebx	0xf7990290	-140967280
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xffffc58c	-14964
edi	0x1	1
ebp	0xffffc888	4294953096
esp	0xffffc490	4294952080
eip	0x8450003 <js::wasm::TextToBinary(char16_t const*, bool, mozilla::Vector<unsigned char, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<char [], JS::FreePolicy>*)+10387>
=> 0x8450003 <js::wasm::TextToBinary(char16_t const*, bool, mozilla::Vector<unsigned char, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<char [], JS::FreePolicy>*)+10387>:	movl   $0x0,0x0
   0x845000d <js::wasm::TextToBinary(char16_t const*, bool, mozilla::Vector<unsigned char, 0u, js::SystemAllocPolicy>*, mozilla::UniquePtr<char [], JS::FreePolicy>*)+10397>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160708152625" and the hash "13d57f57a6dd54e033b61f5b2bc0d5f3d8e0d853".
The "bad" changeset has the timestamp "20160708153426" and the hash "4a1ad717fe1dadf05bc0328a40877c514ce6d03e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=13d57f57a6dd54e033b61f5b2bc0d5f3d8e0d853&tochange=4a1ad717fe1dadf05bc0328a40877c514ce6d03e

Comment 2

[Luke Wagner [:luke]]

Attachment: fix-assert

Oops, the parser was generating newFormat AST nodes in !newFormat mode.  Not adding a test since this is inherently a temporary thing until there is no newFormat mode.

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8770123 [details] [diff] [review]
fix-assert

Review of attachment 8770123 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 4

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/34f2373b3499
Baldr: don't parse newFormat AST nodes when not newFormat (r=bbouvier)

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/34f2373b3499