Assertion failure: Code(reg_) < Registers::Total, at /js/src/jit/Registers.h:62

RESOLVED FIXED in Firefox -esr60

Status

()

defect
RESOLVED FIXED
6 months ago
6 months ago

People

(Reporter: bbouvier, Assigned: bbouvier)

Tracking

(Blocks 1 bug)

unspecified
mozilla65
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr6064+ fixed, firefox63 wontfix, firefox64- fixed, firefox65- fixed)

Details

Attachments

(1 attachment, 1 obsolete attachment)

Assignee

Description

6 months ago
The following test case (reduced from awsm) found a crash in x86 Ion codegen:

new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
(module
    (func (param i64))
    (func (export "f")
        i64.const 2
        i64.const -9223372036854775808
        i64.mul
        call 0
    )
)
`))).exports.f();

Lowering and codegen aren't properly sync'd, causing a invalid register to be used. Not sec critical, because this means eax is used in place of the temp register, and eax *is* a fixed register input for this operation anyway, so this just implies correctness issue. Would be nice to have uplifted though.
Assignee

Comment 1

6 months ago
Posted patch fix.patch (obsolete) — Splinter Review
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #9025594 - Flags: review?(lhansen)
Assignee

Comment 2

6 months ago
Comment on attachment 9025594 [details] [diff] [review]
fix.patch

Oh great, same bug on ARM32.
Attachment #9025594 - Flags: review?(lhansen)
Assignee

Comment 3

6 months ago
Posted patch fix.patchSplinter Review
Attachment #9025594 - Attachment is obsolete: true
Attachment #9025599 - Flags: review?(lhansen)

Updated

6 months ago
Attachment #9025599 - Flags: review?(lhansen) → review+

Comment 4

6 months ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/98b78581ff76
Generate a temporary for negative power-of-two constants in mul64 on 32 bits platforms; r=lth

Comment 5

6 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/98b78581ff76
Status: ASSIGNED → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Please request Beta approval on this when you get a chance. Also, can you please provide some context for the tracking request? It's not clear to me what the impact of this bug is for our users.
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Assignee

Comment 7

6 months ago
Comment on attachment 9025599 [details] [diff] [review]
fix.patch

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: wasm

User impact if declined: Incorrect behavior in wasm code on 32 bits platforms.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: Yes

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Very small patch.

String changes made/needed: 

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: 

User impact if declined: 

Fix Landed on Version: 

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String or UUID changes made by this patch:
Flags: needinfo?(bbouvier)
Attachment #9025599 - Flags: approval-mozilla-esr60?
Attachment #9025599 - Flags: approval-mozilla-beta?
Comment on attachment 9025599 [details] [diff] [review]
fix.patch

wasm fix for 32bit x86 and arm, approved for 64.0b11 and 60.4.0esr
Attachment #9025599 - Flags: approval-mozilla-esr60?
Attachment #9025599 - Flags: approval-mozilla-esr60+
Attachment #9025599 - Flags: approval-mozilla-beta?
Attachment #9025599 - Flags: approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.