Hit MOZ_CRASH(Unable to disassemble instruction) at js/src/jit/x86-shared/Disassembler-x86-shared.cpp:513 or Assertion failure: e == end, at jit/Disassembler.h

RESOLVED FIXED in Firefox 51

Status: RESOLVED FIXED (defect, severity: critical)
Reported and last modified: 3 years ago
People: Reporter: gkw, Assigned: luke
Tracking: Blocks 3 bugs; keywords: assertion, jsbugmon, testcase
Version: Trunk; Target milestone: mozilla51; Platform: x86_64 macOS
Firefox tracking flags: firefox51 fixed
Whiteboard: [jsbugmon:update]
Attachments: 3 attachments

The following testcase crashes on mozilla-central revision 33e7ae9b3104 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

oomTest(function(y) {
    eval("\
        mathy3 = (function(stdlib, foreign, heap) {\
            \"use asm\";\
            var Float32ArrayView = new stdlib.Float32Array(heap);\
            function f(i0, d1) {\
                i0 = i0 | 0;\
                d1 = +d1;\
                var d3 = -140737488355328.0;\
                Float32ArrayView[2] = +s(d1) % (i0 ? d1 : d3);\
                return (9 + (13 >> 11331693 > 145057223 >> 145384174 ? 999999999 + 9999999 ^ 99999999 - 999999999 : 08)+i0)|0\
            }\
        }, new ArrayBuffer(4096));\
    ");
})


Backtrace:

0   js-dbg-64-dm-clang-darwin-33e7ae9b3104	0x0000000104f64169 js::jit::Disassembler::DisassembleHeapAccess(unsigned char*, js::jit::Disassembler::HeapAccess*) + 3129 (Disassembler-x86-shared.cpp:513)
1   js-dbg-64-dm-clang-darwin-33e7ae9b3104	0x000000010548277f js::jit::AssemblerX86Shared::verifyHeapAccessDisassembly(unsigned int, unsigned int, js::jit::Disassembler::HeapAccess const&) + 85 (Disassembler.h:268)
2   js-dbg-64-dm-clang-darwin-33e7ae9b3104	0x000000010546ffab js::jit::CodeGeneratorShared::verifyHeapAccessDisassembly(unsigned int, unsigned int, bool, bool, js::Scalar::Type, unsigned int, js::jit::Operand const&, js::jit::LAllocation) + 795 (CodeGenerator-shared-inl.h:417)
3   js-dbg-64-dm-clang-darwin-33e7ae9b3104	0x0000000105464bd5 js::jit::CodeGeneratorX64::visitAsmJSStoreHeap(js::jit::LAsmJSStoreHeap*) + 373 (CodeGenerator-x64.cpp:888)
4   js-dbg-64-dm-clang-darwin-33e7ae9b3104	0x0000000105175ccb js::jit::CodeGenerator::generateBody() + 1179 (LIR.h:752)
/snip

For detailed crash information, see attachment.
The testcase sometimes asserts at:

Assertion failure: e == end, at jit/Disassembler.h
Summary: Hit MOZ_CRASH(Unable to disassemble instruction) at js/src/jit/x86-shared/Disassembler-x86-shared.cpp:513 → Hit MOZ_CRASH(Unable to disassemble instruction) at js/src/jit/x86-shared/Disassembler-x86-shared.cpp:513 or Assertion failure: e == end, at jit/Disassembler.h
autoBisect points to when oomTest was added (unreliable), so I will attach an OOM_VERBOSE stack. There is wasm stuff on the OOM_VERBOSE stack, so setting needinfo? from Luke and Benjamin as a start.
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
Posted patch add-oom-check
Looks like we just need an OOM check before verifying the instructions we won't have emitted on OOM.
Assignee: nobody → luke
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
Attachment #8789233 - Flags: review?(bbouvier)
Attachment #8789233 - Flags: review?(bbouvier) → review+
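The comment above describes the fix as an OOM guard in front of the debug-only disassembly check: once the assembler buffer has failed to grow, the recorded begin/end offsets refer to bytes that were never written, so re-disassembling them either hits bytes the disassembler cannot decode (the MOZ_CRASH) or decodes to a different end offset (the e == end assertion). The C++ below is an added model of that pattern, not SpiderMonkey code; AssemblerBuffer, emitStore, disassembleOne, verifyHeapAccess and runScenario are hypothetical names, and the 3-byte 0xAA "store" encoding is constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added model of the bug, not SpiderMonkey code: a debug-only verifier
// re-disassembles each recorded heap access, but after an assembler-buffer
// OOM those bytes were never emitted, so the verifier must be skipped.
// Names are hypothetical; the 3-byte 0xAA "store" encoding is constructed.
enum class Verify { Ok, Skipped, UnableToDisassemble, EndMismatch };
struct AssemblerBuffer {
    std::vector<uint8_t> code;
    size_t budget;          // bytes we may grow to before simulating OOM
    bool oomFlag = false;
    explicit AssemblerBuffer(size_t b) : budget(b) {}
    bool oom() const { return oomFlag; }
    // Emit the toy store (opcode 0xAA, base reg, disp8). On OOM it still hands
    // back an 'end' offset, so the caller records a range that was never written.
    size_t emitStore(uint8_t base, uint8_t disp) {
        size_t begin = code.size();
        if (begin + 3 > budget) { oomFlag = true; return begin + 3; }
        code.push_back(0xAA); code.push_back(base); code.push_back(disp);
        return code.size();
    }
};

// Toy disassembler: decodes only opcode 0xAA; anything else is unknown.
static bool disassembleOne(const std::vector<uint8_t>& code, size_t at, size_t* next) {
    if (at + 3 > code.size() || code[at] != 0xAA) return false;
    *next = at + 3;
    return true;
}

// Verifier with the fix: when checkOom is set, bail out before reading unemitted bytes.
static Verify verifyHeapAccess(const AssemblerBuffer& a, size_t begin, size_t end, bool checkOom) {
    if (checkOom && a.oom()) return Verify::Skipped;
    size_t e = 0;
    if (!disassembleOne(a.code, begin, &e)) return Verify::UnableToDisassemble; // MOZ_CRASH
    if (e != end) return Verify::EndMismatch;   // "Assertion failure: e == end"
    return Verify::Ok;
}

// Emit two stores under the given byte budget and verify the second one.
static Verify runScenario(size_t budget, bool checkOom) {
    AssemblerBuffer masm(budget);
    masm.emitStore(1, 0);
    size_t begin = masm.code.size();
    size_t end = masm.emitStore(2, 8);
    return verifyHeapAccess(masm, begin, end, checkOom);
}
```

With a budget of 4 bytes the second store fails to emit; the unguarded verifier then reports UnableToDisassemble, while the guarded one returns Skipped.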
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/90f8edf13ee4
Baldr: don't verify instructions if there was an oom (r=bbouvier)
https://hg.mozilla.org/mozilla-central/rev/90f8edf13ee4
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51