Closed
Bug 1292563
Opened 8 years ago
Closed 8 years ago
Assertion failure: srcDest.low != ecx && srcDest.high != ecx, at js/src/jit/x86/MacroAssembler-x86-inl.h:420
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
|
320 bytes,
application/octet-stream
|
Details | |
|
969 bytes,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The attached binary WebAssembly testcase crashes on mozilla-inbound revision c0c16cea7afa+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));
Backtrace:
==29593==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x097dec4d bp 0xffecff28 sp 0xffecfdc0 T0)
#0 0x97dec4c in js::oom::HadSimulatedOOM() /srv/jenkins/jobs/mozilla-inbound-build-wasm/workspace/arch/32/type/debug/dist/include/js/Utility.h:146:23
#1 0x97dec4c in js::jit::Label::~Label() js/src/jit/Label.h:92
#2 0x97dec4c in js::jit::MacroAssembler::rshift64(js::jit::Register, js::jit::Register64) js/src/jit/x86/MacroAssembler-x86-inl.h:435
#3 0x96db43b in js::jit::CodeGeneratorX86Shared::visitShiftI64(js::jit::LShiftI64*) js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:1880:9
#4 0x928f8a8 in js::jit::LShiftI64::accept(js::jit::LElementVisitor*) js/src/jit/shared/LIR-shared.h:3300:5
#5 0x8aa36b6 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:5139:13
#6 0x8b40604 in js::jit::CodeGenerator::generateWasm(js::wasm::SigIdDesc, js::wasm::FuncOffsets*) js/src/jit/CodeGenerator.cpp:8971:10
#7 0xb6bac46 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3484:14
#8 0xb6e8aa8 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3499:16
#9 0xb653d98 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:864:14
#10 0xb5d7d7f in DecodeFunctionBody(js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/WasmCompile.cpp:1290:12
#11 0xb5d7d7f in DecodeCodeSection(js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/WasmCompile.cpp:1350
#12 0xb5d7d7f in js::wasm::Compile(js::wasm::ShareableBytes const&, js::wasm::CompileArgs&&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/asmjs/WasmCompile.cpp:1631
#13 0x82e5d48 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/WasmJS.cpp:238:27
#14 0x822079c in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5270:14
[...]
#29 0x80ae5d6 in _start (/home/ubuntu/build/build/js+0x80ae5d6)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /srv/jenkins/jobs/mozilla-inbound-build-wasm/workspace/arch/32/type/debug/dist/include/js/Utility.h:146:23 in js::oom::HadSimulatedOOM()
==29593==ABORTING
|
Reporter | |
Comment 1•8 years ago
|
||
|
||
Comment 2•8 years ago
|
||
looking at lowering on x86, it seems that we can have lhs == rhs, in which case lhs can use ecx as the low or high register, and trigger this assertion.
Flags: needinfo?(hv1989)
|
Assignee | |
Comment 3•8 years ago
|
||
That should solve it. I'll add a testcase too.
|
|
Assignee | |
Comment 4•8 years ago
|
||
Comment on attachment 8778329 [details] [diff] [review] Patch Review of attachment 8778329 [details] [diff] [review]: ----------------------------------------------------------------- Moving review since I just missed Benjamin for this review. He is now on PTO.
Attachment #8778329 -
Flags: review?(bbouvier) → review?(nicolas.b.pierron)
|
||
Comment 5•8 years ago
|
||
Comment on attachment 8778329 [details] [diff] [review] Patch Review of attachment 8778329 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/x86-shared/Lowering-x86-shared.cpp @@ +104,2 @@ > use.setVirtualRegister(rhs->virtualRegister()); > ins->setOperand(INT64_PIECES, use); existing nit: static const size_t Rhs = INT64_PIECES; // ShiftI64, RotateI64 rhs operand. and maybe add a static assert to ensure this comment remains valid.
Attachment #8778329 -
Flags: review?(nicolas.b.pierron) → review+
Pushed by hv1989@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/99892fb5de39 Wasm Baseline Compiler: Make sure input and shift doesn't overlap in shift instructions, r=nbp
|
|
Assignee | |
Comment 7•8 years ago
|
||
needinfo myself to uplift to 50 after my PTO.
Flags: needinfo?(hv1989)
|
||
Comment 8•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/99892fb5de39
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
|
|
Assignee | |
Comment 9•8 years ago
|
||
No need to uplift. This is now scheduled to be enabled on FF51 instead of FF50
Flags: needinfo?(hv1989)
You need to log in
before you can comment on or make changes to this bug.
Description
•