Closed
Bug 1507730
Opened 6 years ago
Closed 6 years ago
Assertion failure: Code(reg_) < Registers::Total, at /js/src/jit/Registers.h:62
Categories
(Core :: JavaScript: WebAssembly, defect)
Core
JavaScript: WebAssembly
Tracking
()
RESOLVED
FIXED
mozilla65
People
(Reporter: bbouvier, Assigned: bbouvier)
References
Details
Attachments
(1 file, 1 obsolete file)
2.84 KB,
patch
|
lth
:
review+
jcristau
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
The following test case (reduced from awsm) found a crash in x86 Ion codegen: new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(` (module (func (param i64)) (func (export "f") i64.const 2 i64.const -9223372036854775808 i64.mul call 0 ) ) `))).exports.f(); Lowering and codegen aren't properly sync'd, causing a invalid register to be used. Not sec critical, because this means eax is used in place of the temp register, and eax *is* a fixed register input for this operation anyway, so this just implies correctness issue. Would be nice to have uplifted though.
Assignee | ||
Comment 1•6 years ago
|
||
Assignee | ||
Comment 2•6 years ago
|
||
Comment on attachment 9025594 [details] [diff] [review] fix.patch Oh great, same bug on ARM32.
Attachment #9025594 -
Flags: review?(lhansen)
Assignee | ||
Comment 3•6 years ago
|
||
Attachment #9025594 -
Attachment is obsolete: true
Attachment #9025599 -
Flags: review?(lhansen)
Updated•6 years ago
|
Attachment #9025599 -
Flags: review?(lhansen) → review+
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/98b78581ff76 Generate a temporary for negative power-of-two constants in mul64 on 32 bits platforms; r=lth
Comment 5•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/98b78581ff76
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 6•6 years ago
|
||
Please request Beta approval on this when you get a chance. Also, can you please provide some context for the tracking request? It's not clear to me what the impact of this bug is for our users.
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Assignee | ||
Comment 7•6 years ago
|
||
Comment on attachment 9025599 [details] [diff] [review] fix.patch [Beta/Release Uplift Approval Request] Feature/Bug causing the regression: wasm User impact if declined: Incorrect behavior in wasm code on 32 bits platforms. Is this code covered by automated tests?: Yes Has the fix been verified in Nightly?: Yes Needs manual test from QE?: Yes If yes, steps to reproduce: List of other uplifts needed: None Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): Very small patch. String changes made/needed: [ESR Uplift Approval Request] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: Fix Landed on Version: Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): String or UUID changes made by this patch:
Flags: needinfo?(bbouvier)
Attachment #9025599 -
Flags: approval-mozilla-esr60?
Attachment #9025599 -
Flags: approval-mozilla-beta?
Comment 8•6 years ago
|
||
Comment on attachment 9025599 [details] [diff] [review] fix.patch wasm fix for 32bit x86 and arm, approved for 64.0b11 and 60.4.0esr
Attachment #9025599 -
Flags: approval-mozilla-esr60?
Attachment #9025599 -
Flags: approval-mozilla-esr60+
Attachment #9025599 -
Flags: approval-mozilla-beta?
Attachment #9025599 -
Flags: approval-mozilla-beta+
Updated•6 years ago
|
status-firefox-esr60:
--- → affected
tracking-firefox-esr60:
--- → 64+
Updated•6 years ago
|
Comment 9•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-esr60/rev/dd0f01818b9c
Comment 10•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/3910d176d5c2
You need to log in
before you can comment on or make changes to this bug.
Description
•