Closed Bug 1429034 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(Overridden getAliasSet without updating AliasAnalysisShared GetObject) at js/src/jit/AliasAnalysisShared.cpp:155

Categories

Core :: JavaScript Engine, defect, critical

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla59

Tracking Status
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- fixed

People

Reporter: decoder, Assigned: bbouvier

References

Blocks 1 open bug

Details

4 keywords

Attachments

2 files

The attached binary WebAssembly testcase crashes on mozilla-inbound revision f5ed4ddcc512 (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell:

// `file` holds the path to the attached binary WebAssembly testcase
var data = os.file.readFile(file, 'binary');
// Compiling the module is what triggers the crash (Ion alias analysis during wasm compile)
new WebAssembly.Instance(new WebAssembly.Module(data.buffer));
Backtrace:

==10093==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002c18340 bp 0x7ffd281bf810 sp 0x7ffd281bf7f0 T0)
==10093==The signal is caused by a WRITE memory access.
==10093==Hint: address points to the zero page.
    #0 0x2c1833f in js::jit::GetObject(js::jit::MDefinition const*) js/src/jit/AliasAnalysisShared.cpp:163:5
    #1 0x2c15094 in js::jit::AliasAnalysisShared::genericMightAlias(js::jit::MDefinition const*, js::jit::MDefinition const*) js/src/jit/AliasAnalysisShared.cpp:172:38
    #2 0x2c15094 in js::jit::AliasAnalysis::analyze() js/src/jit/AliasAnalysis.cpp:200
    #3 0xe8a92d in js::jit::OptimizeMIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1604:31
    #4 0x27b7b6f in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmIonCompile.cpp:4383:18
    #5 0x279b086 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:622:14
    #6 0x279be89 in js::wasm::ModuleGenerator::launchBatchCompile() js/src/wasm/WasmGenerator.cpp:695:14
    #7 0x2769484 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:771:26
    #8 0x2769484 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:84
    #9 0x275ffc0 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCompile.cpp:435:10
    #10 0x2889a91 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/wasm/WasmJS.cpp:275:27
    #11 0x5c846c in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:6592:14
[...]
Attached file Testcase

(atomic accesses in wasm are disabled on all the channels)

Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

Comment on attachment 8941042 [details]
Bug 1429034: Add WasmAtomicExchangeHeap to GetObject for alias analysis;

https://reviewboard.mozilla.org/r/211344/#review217094

Attachment #8941042 - Flags: review?(lhansen) → review+

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d1d165a1ee03
Add WasmAtomicExchangeHeap to GetObject for alias analysis; r=lth

https://hg.mozilla.org/mozilla-central/rev/d1d165a1ee03

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59