Closed
Bug 1500231
Opened 6 years ago
Closed 6 years ago
Assertion failure: !(hasUseRegister && hasUseRegisterAtStart), at js/src/jit/BacktrackingAllocator.cpp:765
Categories
(Core :: JavaScript: WebAssembly, defect)
Tracking
()
RESOLVED
FIXED
mozilla65
People
(Reporter: gkw, Assigned: bbouvier)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
9.57 KB,
text/plain
|
Details | |
1.15 KB,
patch
|
sunfish
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 733484af9034 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-avx): // Adapted from randomly chosen test: js/src/jit-test/tests/wasm/spec/harness/index.js function g(y) { let m = new ArrayBuffer(y.length); let n = new Uint8Array(m); for (let i = 0; i < y.length; ++i) { n[i] = y.charCodeAt(i); } return m; } // Adapted from randomly chosen test: js/src/jit-test/tests/wasm/spec/f32.wast.js let x = "\0\x61\x73\x6d\1\0\0\0\1\x8c\0\2\x60\2\x7d\x7d\1\x7d\x60\1\x7d\1\x7d\3\x8f\0\x0e\0\0\0\0\1\0\0\1\1\1\1\1\1\0\7\xe4\0\x0e\3\\44\0\0\3\\52\0\1\3d5c\0\2\3\\96\0\3\4\\124\0\4\3d9e\0\5\3d18\0\6\4\\59c\0\7\5\\cff2\0\x08\5\\25e3\0\x09\7e512534\0\x0a\3\\23\0\b\3e57\0\x0c\x083f09397e\0\x0d\x0a\x9b\x81\0\x0e\x87\x80\x80\x80\0\0\0\0\0\1\x92\x0b\x87\x80\x80\x80\0\0\0\0\0\1\x93\x0b\x87\x80\x80\x80\0\0\0\0\0\1\x94\x0b\x87\x80\x80\x80\0\0\0\0\0\1\x95\x0b\x85\x80\x80\x80\0\0\0\0\1\x0b\x87\x80\x80\x80\0\0\0\0\0\1\x96\x0b\x87\x80\x80\x80\0\0\0\0\0\1\x97\x0b\x85\x80\x80\x80\0\0\0\0\x8d\x0b\x85\x80\x80\x80\0\0\0\0\x8e\x0b\x85\x80\x80\x80\0\0\0\0\x8f\x0b\x85\x80\x80\x80\0\0\0\0\0\x0b\x85\x80\x80\x80\0\0\0\0\x8b\x0b\x85\x80\x80\x80\0\0\0\0\x8c\x0b\x87\x80\x80\x80\0\0\x20\0\x20\1\x98\x0b"; new WebAssembly.Module(g(x)); Backtrace: #0 0x00005582bc0283ed in js::jit::BacktrackingAllocator::buildLivenessInfo (this=0x7ffc168f8378) at js/src/jit/BacktrackingAllocator.cpp:765 #1 0x00005582bc0286b5 in js::jit::BacktrackingAllocator::go (this=0x7ffc168f8378) at js/src/jit/BacktrackingAllocator.cpp:902 #2 0x00005582bc1e0a7e in js::jit::GenerateLIR (mir=<optimized out>) at js/src/jit/Ion.cpp:1814 #3 0x00005582bc9143e4 in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=0x7fb03518c288, dvs=..., error=0x7ffc168fc000) at js/src/wasm/WasmIonCompile.cpp:3950 #4 0x00005582bc909798 in ExecuteCompileTask (task=0x7fb03518c000, error=0x7ffc168fc000) at js/src/wasm/WasmGenerator.cpp:675 #5 0x00005582bc909b83 in js::wasm::ModuleGenerator::launchBatchCompile (this=0x7ffc168faee8) at js/src/wasm/WasmGenerator.cpp:757 #6 0x00005582bc909fd4 in js::wasm::ModuleGenerator::finishFuncDefs (this=0x7ffc168faee8) at js/src/wasm/WasmGenerator.cpp:838 /snip For detailed crash information, see attachment. Setting s-s as a start as the backtracking allocator is involved, and LIR is on the stack.
Reporter | ||
Comment 1•6 years ago
|
||
Reporter | ||
Comment 2•6 years ago
|
||
Setting needinfo? from :bbouvier as a start since wasm is involved. I'll try to get a bisection...
Flags: needinfo?(bbouvier)
Reporter | ||
Comment 3•6 years ago
|
||
autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/d82c91046a3f user: Luke Wagner date: Tue Feb 14 17:59:01 2017 -0600 summary: Bug 1338002 - Baldr: backout bug 1324032 (r=sunfish) Not sure if this is actually correct. Luke, is bug 1338002 a likely regressor?
Blocks: 1338002
Flags: needinfo?(luke)
Assignee | ||
Updated•6 years ago
|
Component: JavaScript Engine → Javascript: Web Assembly
Flags: needinfo?(bbouvier)
Assignee | ||
Updated•6 years ago
|
Flags: needinfo?(bbouvier)
Comment 4•6 years ago
|
||
Bug 1338002 is only involved incidentally, insofar as it allows the wasm input to validate. Probably an old lowering/regalloc bug?
Flags: needinfo?(luke)
Assignee | ||
Comment 6•6 years ago
|
||
I think it's wasm specific, but I think the main reason is that it's using --enable-avx, which is heavily undertested (and disabled by default, iirc). I'd like to investigate to see if it's an easy fix, otherwise sunfish might be the next person to call.
Assignee | ||
Comment 8•6 years ago
|
||
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)
Attachment #9019025 -
Flags: review?(sunfish)
Assignee | ||
Comment 9•6 years ago
|
||
We don't use AVX registers by default (avxEnabled is set to false), and the --enable-avx switch is shell-only, so we could unhide this. (Note I didn't add a test case because the shell tests were already catching this when run with --enable-avx)
Updated•6 years ago
|
Group: javascript-core-security
Comment 10•6 years ago
|
||
Comment on attachment 9019025 [details] [diff] [review] fix.patch Review of attachment 9019025 [details] [diff] [review]: ----------------------------------------------------------------- lgtm!
Attachment #9019025 -
Flags: review?(sunfish) → review+
Comment 11•6 years ago
|
||
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6383d580c713 Fix register allocation of copysign on AVX; r=sunfish
Comment 12•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/6383d580c713
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 13•6 years ago
|
||
What's the user impact of this bug? Is this something we should consider backporting or can it ride the trains?
status-firefox63:
--- → wontfix
status-firefox-esr60:
--- → wontfix
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Assignee | ||
Comment 14•6 years ago
|
||
We can let it ride the trains, since AVX is only available on trunk via the shell.
Flags: needinfo?(bbouvier)
Updated•6 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•