Closed Bug 1349871 Opened 7 years ago Closed 7 years ago

[wasm] Assertion failure: profilingReturn_ < end_, at js/src/wasm/WasmCode.cpp:350

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- disabled
firefox-esr52 --- disabled
firefox53 --- disabled
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files)

Detailed Crash Information
13.11 KB, text/plain
Details
Bug 1349871: Check for masm OOM at the end of baseline codegen;
59 bytes, text/x-review-board-request
lth
: review+
gchang
: approval-mozilla-aurora+
Details 
The following testcase crashes on mozilla-central revision 7513b3f42058 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-always-baseline):

oomTest(Function(`
    new WebAssembly.Module(wasmTextToBinary(\`
        (module (func (result i32) (param f64) (param f32)
            i64.const 0
            get_local 0
            drop
            i32.wrap/i64
            f64.const 0
            f64.const 0
            i32.const 0
            select
            f32.const 0
            f32.const 0
            f32.const 0
            i32.const 0
            select
            i32.const 0
            i32.const 0
            i32.const 0
            select
            select
            drop
            drop
        ))
    \`))
`))

Backtrace:

/snip

For detailed crash information, see attachment.
Backtrace:

#0  0x0000000000cdc448 in js::wasm::CodeRange::CodeRange (this=<optimized out>, funcIndex=<optimized out>, funcLineOrBytecode=<optimized out>, offsets=...) at js/src/wasm/WasmCode.cpp:350
#1  0x0000000000d54195 in mozilla::detail::VectorImpl<js::wasm::CodeRange, 0ul, js::SystemAllocPolicy, true>::new_<unsigned int, unsigned int, js::wasm::FuncOffsets&>(js::wasm::CodeRange*, unsigned int&&, unsigned int&&, js::wasm::FuncOffsets&) (aDst=<optimized out>) at /home/skydbootxps/shell-cache/js-dbg-64-linux-7513b3f42058/objdir-js/dist/include/mozilla/Vector.h:171
#2  mozilla::Vector<js::wasm::CodeRange, 0ul, js::SystemAllocPolicy>::emplaceBack<unsigned int, unsigned int, js::wasm::FuncOffsets&>(unsigned int&&, unsigned int&&, js::wasm::FuncOffsets&) (this=<optimized out>) at /home/skydbootxps/shell-cache/js-dbg-64-linux-7513b3f42058/objdir-js/dist/include/mozilla/Vector.h:697
#3  js::wasm::ModuleGenerator::finishTask (this=this@entry=0x7ffe99786ab0, task=0x7f4aa9240000) at js/src/wasm/WasmGenerator.cpp:472
#4  0x0000000000d54c47 in js::wasm::ModuleGenerator::launchBatchCompile (this=this@entry=0x7ffe99786ab0) at js/src/wasm/WasmGenerator.cpp:960
#5  0x0000000000d54d0d in js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7ffe99786ab0) at js/src/wasm/WasmGenerator.cpp:1005
/snip
Summary: Assertion failure: profilingReturn_ < end_, at js/src/wasm/WasmCode.cpp:350 → [wasm] Assertion failure: profilingReturn_ < end_, at js/src/wasm/WasmCode.cpp:350
This is the first bug found from the experimental combination of the jsfunfuzz and awsm fuzzers. :)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/958074f3b830
user:        Dan Gohman
date:        Fri Sep 23 09:13:15 2016 -0500
summary:     Bug 1287220 - Baldr: update to binary version 0xc (r=luke)

Not sure if this is directly related. Benjamin, is bug 1287220 a likely regressor?
Flags: needinfo?(bbouvier)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> autoBisect shows this is probably related to the following changeset:
> 
> The first bad revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/958074f3b830
> user:        Dan Gohman
> date:        Fri Sep 23 09:13:15 2016 -0500
> summary:     Bug 1287220 - Baldr: update to binary version 0xc (r=luke)
> 
> Not sure if this is directly related. Benjamin, is bug 1287220 a likely
> regressor?

No, this commit introduces binary format changes, unrelated to this bug. I think the issue gets back to the start of the baseline compiler, which is trunk only at the moment.
Flags: needinfo?(bbouvier)
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;

https://reviewboard.mozilla.org/r/123042/#review125342

I'm suprised that this is not caught higher up, but I've no objections to placing the check in the baseline compiler.  If it were me, I'd probably place it in emitFunction(), though, not in endFunction().
Attachment #8850450 - Flags: review?(lhansen) → review+
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;

https://reviewboard.mozilla.org/r/123042/#review125342

Thanks for the review! If the location of the check is just personal preference, I'll keep it in endFunction() where all the other final references to masm are; masm doesn't appear at all in emitFunction().
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> This is the first bug found from the experimental combination of the
> jsfunfuzz and awsm fuzzers. :)

https://www.youtube.com/watch?v=9nazm3_OXac
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/88cb0385ced6
Check for masm OOM at the end of baseline codegen; r=lth
https://hg.mozilla.org/mozilla-central/rev/88cb0385ced6
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Can we please backport this to aurora? It will be nice to fix it for fuzzing reasons.
Flags: needinfo?(bbouvier)
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;

Approval Request Comment
[Feature/Bug causing the regression]: wasm baseline compiler (bug 1232205)
[User impact if declined]: harder fuzzing
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: nope
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not much
[Why is the change risky/not risky?]: conservative 1 line fix
[String changes made/needed]: none
Flags: needinfo?(bbouvier)
Attachment #8850450 - Flags: approval-mozilla-aurora?
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;

Fix an assertion failure related to wasm. Aurora54+.
Attachment #8850450 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: