Bug 1293312 (Closed)
Opened 7 years ago; Closed 7 years ago
Assertion failure: offset <= (2147483647), at js/src/jit/arm/CodeGenerator-arm.cpp:2425
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla51
People: Reporter: decoder, Assigned: luke
Keywords: assertion, testcase
Attachments (2 files)
112 bytes, application/octet-stream
3.24 KB, patch; sunfish: review+
Description

The attached binary WebAssembly testcase crashes on mozilla-inbound revision aa4472559aa9+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu --enable-simulator=arm). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):

var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==28958==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x09790a15 bp 0xffd05a98 sp 0xffd057a0 T0)
#0 0x9790a14 in js::jit::MWasmLoad* js::jit::MDefinition::to<js::jit::MWasmLoad>() js/src/jit/MIR.h:891:9
#1 0x9790a14 in js::jit::MDefinition::toWasmLoad() js/src/jit/MIR.h:908
#2 0x9790a14 in js::jit::details::LWasmLoadBase<1u, 4u>::mir() const js/src/jit/shared/LIR-shared.h:7797
#3 0x9790a14 in void js::jit::CodeGeneratorARM::emitWasmUnalignedLoad<js::jit::LWasmUnalignedLoad>(js::jit::LWasmUnalignedLoad*) js/src/jit/arm/CodeGenerator-arm.cpp:2420
#4 0x97e2108 in js::jit::LWasmUnalignedLoad::accept(js::jit::LElementVisitor*) js/src/jit/arm/LIR-arm.h:626:5
#5 0x8aa0600 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:5146:13
#6 0x8b33680 in js::jit::CodeGenerator::generateWasm(js::wasm::SigIdDesc, js::wasm::FuncOffsets*) js/src/jit/CodeGenerator.cpp:9005:10
#7 0xb5b85f1 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3602:14
#8 0xb5e5a58 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3617:16
#9 0xb557d48 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:866:14
#10 0xb4de7fb in DecodeFunctionBody(js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/WasmCompile.cpp:1299:12
#11 0xb4de7fb in DecodeCodeSection(js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/WasmCompile.cpp:1359
#12 0xb4de7fb in js::wasm::Compile(js::wasm::ShareableBytes const&, js::wasm::CompileArgs&&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/asmjs/WasmCompile.cpp:1640
#13 0x82f2918 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/WasmJS.cpp:238:27
#14 0x8222f8c in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5271:14
#15 0xa46d89d in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
#29 0x80aea21 in _start (/home/ubuntu/build/build/js+0x80aea21)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/MIR.h:891:9 in js::jit::MWasmLoad* js::jit::MDefinition::to<js::jit::MWasmLoad>()
==28958==ABORTING
Reporter
Comment 1•7 years ago
Assignee
Comment 2•7 years ago
Ah hah, bug 1283126 added an assert which I think caught an existing bug that we don't validate that offsets are <= INT32_MAX.
Assignee
Comment 3•7 years ago
Actually, strike that, everywhere else dynamically checks for offset() > INT32_MAX and, under the assumption that the bounds check will necessarily fail, returns early, inserting a breakpoint. It seems like this site should do likewise. I'll write a patch since bbouvier is on PTO.
Blocks: 1283126
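The early-return pattern comment 3 describes, shown as an added illustration (a constructed model, not SpiderMonkey's code): a 64-bit wasm bounds check beside the codegen decision that emits an unconditional trap when the module-supplied immediate offset exceeds INT32_MAX, instead of passing it on to code that asserts offset <= INT32_MAX. It assumes linear memory is capped at INT32_MAX bytes; kMaxMemoryBytes, accessInBounds, emitWasmLoad and bigOffsetAlwaysTraps are hypothetical names.

```cpp
#include <cstdint>
#include <string>

// Constructed model, not SpiderMonkey code. Assumption: the engine caps a
// module's linear memory at INT32_MAX bytes, so any offset above INT32_MAX
// puts the access past the end of memory for every possible index.
constexpr uint64_t kMaxMemoryBytes = INT32_MAX;

// The dynamic bounds check an emitted load performs. The effective address
// is formed in 64 bits so index + offset cannot wrap back into range.
bool accessInBounds(uint32_t index, uint32_t offset, uint32_t accessSize,
                    uint64_t memoryLength) {
    uint64_t effective = uint64_t(index) + uint64_t(offset);
    return effective + uint64_t(accessSize) <= memoryLength;
}

// Codegen decision for a load whose immediate offset came straight from the
// untrusted module. Mirrors the early return described in comment 3: when
// offset > INT32_MAX the bounds check must fail, so emit an unconditional
// trap instead of handing the offset to code that asserts
// offset <= INT32_MAX (the assertion this bug reports).
std::string emitWasmLoad(uint32_t offset) {
    if (offset > uint32_t(INT32_MAX)) {
        return "trap";  // no index can bring this access into bounds
    }
    return "load [base + index + " + std::to_string(offset) + "]";
}

// Checks the assumption behind the early return for one offset: with the
// smallest index and access size (the most favourable case), an offset
// above INT32_MAX is still out of bounds for the largest allowed memory.
bool bigOffsetAlwaysTraps(uint32_t offset) {
    return offset > uint32_t(INT32_MAX) &&
           !accessInBounds(0, offset, 1, kMaxMemoryBytes);
}
```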
Assignee
Comment 4•7 years ago
Comment 5•7 years ago
Comment on attachment 8779155 [details] [diff] [review] fix-big-offset

Review of attachment 8779155 [details] [diff] [review]:

lgtm. I'll add a comment to 1290421 to cover this case as well.

Attachment #8779155 - Flags: review?(sunfish) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b31cd488ed6e
Baldr: handle big offsets in unaligned loads/stores (r=sunfish)
Comment 7•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b31cd488ed6e
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51