Closed
Bug 1291293
Opened 8 years ago
Closed 8 years ago
[wasm] Assertion failure: has(reg), at js/src/jit/RegisterSets.h:742
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
People
(Reporter: decoder, Assigned: bbouvier)
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
The attached binary WebAssembly testcase crashes on mozilla-inbound revision c0c16cea7afa+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));
Backtrace:
==20968==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x09a2c18a bp 0xfff26178 sp 0xfff25e40 T0)
#0 0x9a2c189 in js::jit::SpecializedRegSet<js::jit::AllocatableSetAccessors<js::jit::TypedRegisterSet<js::jit::Register> >, js::jit::TypedRegisterSet<js::jit::Register> >::take(js::jit::Register) js/src/jit/RegisterSets.h:742:9
#1 0x9a2c189 in js::jit::SpecializedRegSet<js::jit::AllocatableSetAccessors<js::jit::TypedRegisterSet<js::jit::Register> >, js::jit::TypedRegisterSet<js::jit::Register> >::takeAny() js/src/jit/RegisterSets.h:768
#2 0x9a2c189 in js::jit::CodeGeneratorX86::visitDivOrModI64(js::jit::LDivOrModI64*) js/src/jit/x86/CodeGenerator-x86.cpp:1431
#3 0x9b51c98 in js::jit::LDivOrModI64::accept(js::jit::LElementVisitor*) js/src/jit/x86/LIR-x86.h:115:5
#4 0x8aa36b6 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:5139:13
#5 0x8b40604 in js::jit::CodeGenerator::generateWasm(js::wasm::SigIdDesc, js::wasm::FuncOffsets*) js/src/jit/CodeGenerator.cpp:8971:10
#6 0xb6bac46 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3484:14
#7 0xb6e8aa8 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3499:16
#8 0xb653d98 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:864:14
#9 0xb5d7d7f in DecodeFunctionBody(js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/WasmCompile.cpp:1290:12
#10 0xb5d7d7f in DecodeCodeSection(js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/WasmCompile.cpp:1350
#11 0xb5d7d7f in js::wasm::Compile(js::wasm::ShareableBytes const&, js::wasm::CompileArgs&&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/asmjs/WasmCompile.cpp:1631
#12 0x82e5d48 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/WasmJS.cpp:238:27
#13 0x822079c in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5270:14
#14 0xa5501bd in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:232:15
[...]
#28 0x80ae5d6 in _start (/home/ubuntu/build/build/js+0x80ae5d6)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/RegisterSets.h:742:9 in js::jit::SpecializedRegSet<js::jit::AllocatableSetAccessors<js::jit::TypedRegisterSet<js::jit::Register> >, js::jit::TypedRegisterSet<js::jit::Register> >::take(js::jit::Register)
==20968==ABORTING
|
Reporter | |
Comment 1•8 years ago
|
||
|
||
Comment 2•8 years ago
|
||
Note, x86 is currently disabled, see bug 1290453.
|
||
Comment 3•8 years ago
|
||
From the callstack, this seems to be Ion compilation of i64.
|
|
||
Comment 4•8 years ago
|
||
Ah, indeed it is so. This had better be reproducible without --wasm-always-baseline then.
No longer blocks: 1290453
|
Assignee | |
Comment 5•8 years ago
|
||
Reproduced on x86 with --no-threads (on the regular ion backend).
|
|
Assignee | |
Comment 7•8 years ago
|
||
Actually a simple fix.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(hv1989)
Attachment #8777507 -
Flags: review?(hv1989)
|
||
Comment 8•8 years ago
|
||
Comment on attachment 8777507 [details] [diff] [review] fix.patch Review of attachment 8777507 [details] [diff] [review]: ----------------------------------------------------------------- Good find, thanks for stealing. Don't we need to do that on ARM too?
Attachment #8777507 -
Flags: review?(hv1989) → review+
|
|
Assignee | |
Comment 9•8 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #8) > Comment on attachment 8777507 [details] [diff] [review] > fix.patch > > Review of attachment 8777507 [details] [diff] [review]: > ----------------------------------------------------------------- > > Good find, thanks for stealing. > Don't we need to do that on ARM too? Good catch, thanks.
|
||
Comment 10•8 years ago
|
||
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/498fd4aae629 Don't take the same register twice in i64 mod/umod on x86/ARM; r=h4writer
|
||
Comment 11•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/498fd4aae629
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•