Bug 1298805 - [wasm] Assertion failure: offset <= (2147483647), at js/src/jit/arm/CodeGenerator-arm.cpp:2569
Status: RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Categories: Core :: JavaScript Engine, defect
Tracking
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | affected |
People: Reporter: decoder, Unassigned
Keywords: assertion, crash, testcase
Attachments (1 file): testcase, 176 bytes, application/octet-stream
The attached binary WebAssembly testcase crashes on mozilla-inbound revision 0de811b52c94+ (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu --enable-simulator=arm). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):
// `file` is the path to the attached binary testcase
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));
Backtrace:
==3224==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x09806fc7 bp 0xffe3aa38 sp 0xffe3a840 T0)
#0 0x9806fc6 in js::jit::MWasmStore* js::jit::MDefinition::to<js::jit::MWasmStore>() js/src/jit/MIR.h:891:9
#1 0x9806fc6 in js::jit::MDefinition::toWasmStore() js/src/jit/MIR.h:908
#2 0x9806fc6 in js::jit::details::LWasmUnalignedStoreBase<2u>::mir() const js/src/jit/arm/LIR-arm.h:659
#3 0x9806fc6 in void js::jit::CodeGeneratorARM::emitWasmUnalignedStore<js::jit::LWasmUnalignedStore>(js::jit::LWasmUnalignedStore*) js/src/jit/arm/CodeGenerator-arm.cpp:2564
#4 0x9855518 in js::jit::LWasmUnalignedStore::accept(js::jit::LElementVisitor*) js/src/jit/arm/LIR-arm.h:674:5
#5 0x8b014e0 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:5148:13
#6 0x8b94c30 in js::jit::CodeGenerator::generateWasm(js::wasm::SigIdDesc, js::wasm::FuncOffsets*) js/src/jit/CodeGenerator.cpp:9048:10
#7 0xb6ed621 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3602:14
#8 0xb71ab78 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3617:16
#9 0xb68c1f8 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:871:14
#10 0xb615be8 in DecodeFunctionBody(js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/WasmCompile.cpp:1267:12
#11 0xb615be8 in DecodeCodeSection(js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/WasmCompile.cpp:1327
#12 0xb615be8 in js::wasm::Compile(js::wasm::ShareableBytes const&, js::wasm::CompileArgs const&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/asmjs/WasmCompile.cpp:1608
#13 0x8307c41 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/WasmJS.cpp:240:27
#14 0x82309bf in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5341:14
[...]
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jit/MIR.h:891:9 in js::jit::MWasmStore* js::jit::MDefinition::to<js::jit::MWasmStore>()
==3224==ABORTING
Comment 1 (Reporter, 9 years ago)

Comment 2 (9 years ago)
Fun, I spotted there was a missed case in bug 1293312 (only loads are handled there) when updating the patch in bug 1290421, which fixed this issue (tested and verified locally on m-i:019c4896543a).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED