Closed Bug 1356068 Opened 7 years ago Closed 7 years ago

Crash [@ ??] involving asm.js (more-deterministic only)

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision fac2c174087f (build with --32 --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

f = (function (stdlib, foreign, heap) {
    "use asm";
    var ff = foreign.ff;      // builtin import (Math.sin), dispatched through a builtin thunk
    function f(x) {
        x = +x;               // x is a double
        +ff(x);               // call the import; the result is coerced to double
    }
    return f;
})(this, {
        ff: Math.sin
    },
    Array
);
f();                          // x is undefined here, so f runs with x = NaN

Backtrace:

#0  0x2f39e225 in ?? ()
#1  0xf625f000 in ?? ()
#2  0xf625f000 in ?? ()
/snip

For detailed crash information, see attachment.

Setting s-s because only memory addresses are on the stack.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/291cfed3e754
user:        Benjamin Bouvier
date:        Mon Apr 10 13:43:59 2017 +0200
summary:     Bug 1340219: Baldr: Make calls to builtin imports fast in wasm; r=luke

Benjamin, is bug 1340219 a likely regressor?
Blocks: 1340219
Flags: needinfo?(luke)
Flags: needinfo?(luke) → needinfo?(bbouvier)
Another more-deterministic only bug; I guess that since the builtin thunk can have moves of FP constants, some canonicalizeIfDeterministic calls are in there, implying we create constant pools. These are never flushed in the code! That would be better to do anyway, so the fix should be hopefully trivial.
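The failure mode described in the comment above (constant-pool entries recorded while emitting code, but never flushed into the buffer, so the loads that reference them keep a placeholder offset) in a toy model. This is an added illustration, not SpiderMonkey's MacroAssembler or the patch from this bug; the opcode, the placeholder value and the encoding are made up for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <vector>

// Toy assembler (constructed for this example; not SpiderMonkey's MacroAssembler).
// Instruction encoding, also constructed: 1-byte opcode kOpLoadConst followed by a
// 4-byte offset into the code buffer where the 8-byte double constant lives.
class ToyAssembler {
public:
    static constexpr uint8_t kOpLoadConst = 0xA0;
    static constexpr uint32_t kUnresolved = 0xFFFFFFFFu;
    static constexpr size_t kLoadSize = 1 + sizeof(uint32_t);

    // Emit a load whose pool offset is unknown until the pool is flushed.
    void emitLoadConst(double value) {
        code_.push_back(kOpLoadConst);
        pending_.push_back({code_.size(), value});     // remember the patch site
        uint32_t placeholder = kUnresolved;
        appendBytes(&placeholder, sizeof(placeholder));
        instructionBytes_ = code_.size();
    }

    // Append the pool after the instructions and patch every pending load.
    // Forgetting this call is the defect the comment describes: the placeholder
    // offsets stay in the emitted code.
    void flushConstantPool() {
        for (const PendingEntry& e : pending_) {
            uint32_t poolOffset = static_cast<uint32_t>(code_.size());
            appendBytes(&e.value, sizeof(e.value));
            std::memcpy(&code_[e.patchSite], &poolOffset, sizeof(poolOffset));
        }
        pending_.clear();
    }

    size_t pendingCount() const { return pending_.size(); }
    size_t instructionBytes() const { return instructionBytes_; }
    const std::vector<uint8_t>& code() const { return code_; }

private:
    struct PendingEntry { size_t patchSite; double value; };
    void appendBytes(const void* p, size_t n) {
        const uint8_t* b = static_cast<const uint8_t*>(p);
        code_.insert(code_.end(), b, b + n);
    }
    std::vector<uint8_t> code_;
    std::vector<PendingEntry> pending_;
    size_t instructionBytes_ = 0;
};

// Decode and "execute" the instruction stream the way hardware would: each load
// dereferences its offset blindly. An unflushed pool leaves kUnresolved behind,
// i.e. a dereference far outside the buffer (a crash with no symbol, like the
// "?? ()" frames in the report); this model throws instead of faulting.
std::vector<double> runCode(const ToyAssembler& masm) {
    const std::vector<uint8_t>& code = masm.code();
    std::vector<double> loaded;
    for (size_t pc = 0; pc < masm.instructionBytes(); pc += ToyAssembler::kLoadSize) {
        if (code[pc] != ToyAssembler::kOpLoadConst)
            throw std::runtime_error("unknown opcode");
        uint32_t off = 0;
        std::memcpy(&off, &code[pc + 1], sizeof(off));
        if (off == ToyAssembler::kUnresolved || off + sizeof(double) > code.size())
            throw std::runtime_error("load from unresolved constant-pool offset");
        double v = 0;
        std::memcpy(&v, &code[off], sizeof(v));
        loaded.push_back(v);
    }
    return loaded;
}

// Assemble loads of the given constants; flushPool=false reproduces the defect.
std::vector<double> assembleAndRun(const std::vector<double>& constants, bool flushPool) {
    ToyAssembler masm;
    for (double c : constants) masm.emitLoadConst(c);
    if (flushPool) masm.flushConstantPool();
    return runCode(masm);
}

bool runSucceeds(const std::vector<double>& constants, bool flushPool) {
    try { assembleAndRun(constants, flushPool); return true; }
    catch (const std::runtime_error&) { return false; }
}

int main() {
    std::cout << "flushed pool runs: " << runSucceeds({1.5, -2.25}, true) << "\n";
    std::cout << "unflushed pool runs: " << runSucceeds({1.5, -2.25}, false) << "\n";
}
```

The point of the model is the ordering: the pool must be written and the patch sites fixed up before the buffer is handed out as executable code, and an assertion that `pendingCount()` is zero at that point is the kind of check the follow-up comment ("a few more assertions") refers to.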
With a few more assertions, to make our intent clearer here.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)
Attachment #8857899 - Flags: review?(luke)
Summary: Crash [@ ??] involving asm.js → Crash [@ ??] involving asm.js (more-deterministic only)
Comment on attachment 8857899 [details] [diff] [review]
processcodelabels.patch

Review of attachment 8857899 [details] [diff] [review]:
-----------------------------------------------------------------

Good fix
Attachment #8857899 - Flags: review?(luke) → review+
Can we unhide this? Does it only affect a debugging mode?
(In reply to Andrew McCreight [:mccr8] from comment #6)
> Can we unhide this? Does it only affect a debugging mode?

Yes, it only affects the more-deterministic mode, which is a special build mode for fuzzers that we don't use otherwise. I'm not able to unhide it myself, though.
Group: javascript-core-security
https://hg.mozilla.org/mozilla-central/rev/d312e03e3f5e
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55