[wasm] Crash [@ js::jit::MPopcnt::NewAsmJS]

Status: RESOLVED DUPLICATE of bug 1305318
Severity: critical
Reporter: decoder (Unassigned)
Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Hardware/OS: ARM / Linux
Firefox Tracking Flags: firefox52 affected
Attachments: 1 attachment (132 bytes, application/octet-stream)

Description (Reporter, 2 years ago)
The attached binary WebAssembly testcase crashes on mozilla-inbound revision eb314c69ae72+ (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug --target=i686-pc-linux-gnu --enable-simulator=arm). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):

// `file` is the path to the attached testcase; read it as raw bytes
var data = os.file.readFile(file, 'binary');
// compiling the module is what reaches the crashing Ion compile path
new WebAssembly.Instance(new WebAssembly.Module(data.buffer));

Backtrace:

==21948==ERROR: AddressSanitizer: SEGV on unknown address 0x0000001c (pc 0x0b84c3b5 bp 0xfff591f8 sp 0xfff57adc T0)
    #0 0xb84c3b4 in js::jit::MPopcnt::NewAsmJS(js::jit::TempAllocator&, js::jit::MDefinition*) js/src/jit/MIR.h:6317:27
    #1 0xb84c3b4 in js::jit::MDefinition* (anonymous namespace)::FunctionCompiler::unary<js::jit::MPopcnt>(js::jit::MDefinition*) js/src/asmjs/WasmIonCompile.cpp:357
    #2 0xb84c3b4 in bool EmitUnary<js::jit::MPopcnt>((anonymous namespace)::FunctionCompiler&, js::wasm::ValType) js/src/asmjs/WasmIonCompile.cpp:2123
    #3 0xb84c3b4 in EmitExpr((anonymous namespace)::FunctionCompiler&) js/src/asmjs/WasmIonCompile.cpp:3216
    #4 0xb83b36d in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3753:18
    #5 0xb892018 in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3798:16
    #6 0xb7de8c8 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:946:14
    #7 0xb770fbc in DecodeFunctionBody(js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/WasmCompile.cpp:1074:12
    #8 0xb770fbc in DecodeCodeSection(js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/WasmCompile.cpp:1134
    #9 0xb770fbc in js::wasm::Compile(js::wasm::ShareableBytes const&, js::wasm::CompileArgs const&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/asmjs/WasmCompile.cpp:1380
    #10 0x831d3b5 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/WasmJS.cpp:361:27
    #11 0x823e11f in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5392:14
[...]

Comment 1 (Reporter, 2 years ago)

Created attachment 8795403: Testcase
May be a dupe of bug 1305318: we end up reading a MIR node which is nullptr after some control flow didn't yield a value (but validation passed).
Flags: needinfo?(bbouvier)

Confirmed dup of bug 1305318.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → DUPLICATE
Duplicate of bug: 1305318