Closed
Bug 1357053
Opened 7 years ago
Closed 7 years ago
Assertion failure: offsetInCode >= codeRange->begin(), at js/src/wasm/WasmFrameIterator.cpp:613 with enableGeckoProfiling and asm.js
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: decoder, Assigned: luke)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
|
3.42 KB,
patch
|
bbouvier
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision ce69b6e1773e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --ion-offthread-compile=off --arm-asm-nop-fill=1):
const USE_ASM = '"use asm";';
function asmCompile() {
var f = Function.apply(null, arguments);
return f;
}
function asmLink(f) {
return f.apply(null, Array.slice(arguments, 1));
}
enableGeckoProfiling();
function testBuiltinF2F(name) {
var m = asmCompile('g', USE_ASM + "var tof=g.Math.fround; var fun=g.Math." + name + "; function f(d) { d=tof(d); return tof(fun(d)) } return f");
var f = asmLink(m, this);
enableSingleStepProfiling();
assertEq(f(.1), eval("Math.fround(Math." + name + "(Math.fround(.1)))"));
}
for (name of ['ceil', 'floor']) testBuiltinF2F(name);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x08923dc6 in js::wasm::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffbc1c, activation=..., state=...) at js/src/wasm/WasmFrameIterator.cpp:613
#0 0x08923dc6 in js::wasm::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffbc1c, activation=..., state=...) at js/src/wasm/WasmFrameIterator.cpp:613
#1 0x087cbe90 in JS::ProfilingFrameIterator::iteratorConstruct (this=0xffffbc0c, state=...) at js/src/vm/Stack.cpp:1874
#2 0x087cce05 in JS::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffbc0c, cx=0xf791d000, state=..., sampleBufferGen=4294967295) at js/src/vm/Stack.cpp:1822
#3 0x080a1099 in SingleStepCallback (arg=0xf791d000, sim=<optimized out>, pc=<optimized out>) at js/src/shell/js.cpp:5332
#4 0x08513ee0 in js::jit::Simulator::execute<false> (this=0xf796f000) at js/src/jit/arm/Simulator-arm.cpp:4799
#5 js::jit::Simulator::callInternal (this=0xf796f000, entry=0x318e30d0 "\377\377\377\352\004\340-\345\377\377\377\352\360\037-\351\377\377\377\352\020\212-\355\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4886
#6 0x08514141 in js::jit::Simulator::call (this=<optimized out>, entry=0x318e30d0 "\377\377\377\352\004\340-\345\377\377\377\352\360\037-\351\377\377\377\352\020\212-\355\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4969
#7 0x08930ec0 in js::wasm::Instance::callExport (this=0xf51986a0, cx=0xf791d000, funcIndex=4097, args=...) at js/src/wasm/WasmInstance.cpp:784
#8 0x08931918 in WasmCall (cx=0xf791d000, argc=1, vp=0xf50690e8) at js/src/wasm/WasmJS.cpp:1114
#9 0x0817a7e6 in js::CallJSNative (cx=0xf791d000, native=0x8931870 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
[...]
eax 0x0 0
ebx 0xffffbc1c -17380
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0xffffbbe8 -17432
edi 0x8cf1ff4 147791860
ebp 0xffffbb18 4294949656
esp 0xffffbae0 4294949600
eip 0x8923dc6 <js::wasm::ProfilingFrameIterator::ProfilingFrameIterator(js::WasmActivation const&, JS::ProfilingFrameIterator::RegisterState const&)+726>
=> 0x8923dc6 <js::wasm::ProfilingFrameIterator::ProfilingFrameIterator(js::WasmActivation const&, JS::ProfilingFrameIterator::RegisterState const&)+726>: movl $0x0,0x0
0x8923dd0 <js::wasm::ProfilingFrameIterator::ProfilingFrameIterator(js::WasmActivation const&, JS::ProfilingFrameIterator::RegisterState const&)+736>: ud2
|
||
Updated•7 years ago
|
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
|
Assignee | |
Comment 1•7 years ago
|
||
Easy enough fix: the beginning of a thunk isn't necessarily the right instruction to call: it can be padded with bkpts (for alignment) or have random nops that mess up the CodeRange.
Assignee: nobody → luke
Attachment #8859232 -
Flags: review?(bbouvier)
|
||
Comment 2•7 years ago
|
||
Comment on attachment 8859232 [details] [diff] [review] fix-builtin-thunk Review of attachment 8859232 [details] [diff] [review]: ----------------------------------------------------------------- Thanks! ::: js/src/jit-test/tests/wasm/regress/builtin-thunk-begin.js @@ +8,5 @@ > + quit(); > +} > + > +enableGeckoProfiling(); > +var m = new Function('g', "'use asm'; var tof=g.Math.fround; var fun=g.Math.ceil; function f(d) { d=tof(d); return tof(fun(d)) } return f"); Should this file be put under the asmjs/ test directory? (or should we move all the asmjs tests into a subdir of the wasm test directory)
Attachment #8859232 -
Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/56e606097382 Baldr: include initial offset in thunk address (r=bbouvier)
|
|
Assignee | |
Comment 4•7 years ago
|
||
Oops, right, moved to asmjs test dir.
|
||
Comment 5•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/56e606097382
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Updated•7 years ago
|
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•