1558165 - Crash [@ js::wasm::CompileArgs::build] or Assertion failure: baseline || ion || cranelift, at js/src/wasm/WasmCompile.cpp:120

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 7a44faddc33d (build with PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' AR=ar 'CC="clang -m32 -msse2 -mfpmath=sse"' sh ./configure --target=i686-pc-linux --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=cranelift):

(function(x, y, z) {
    "use asm";
    function f() {}
    return f;
})();

Backtrace:

#0 js::wasm::CompileArgs::build (cx=0xf6c20800, scriptedCaller=...) at js/src/wasm/WasmCompile.cpp:120
#1 0x58864ec3 in ModuleValidator<char16_t>::finish (this=0xff7ffa50) at js/src/wasm/AsmJS.cpp:2124
#2 0x587df794 in CheckModule<char16_t> (cx=<optimized out>, parser=..., stmtList=<optimized out>, time=<optimized out>) at js/src/wasm/AsmJS.cpp:6413
#3 DoCompileAsmJS<char16_t> (cx=<optimized out>, parser=..., stmtList=0xf6cce180, validated=0xff7fff6b) at js/src/wasm/AsmJS.cpp:7084
#4 0x587dd925 in js::CompileAsmJS (cx=0xf6c20800, parser=..., stmtList=0xf6cce180, validated=0xff7fff6b) at js/src/wasm/AsmJS.cpp:7122
#5 0x5819386e in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS (this=0xff8015fc, list=0xf6cce180) at js/src/frontend/Parser.cpp:3323
/snip

Opt stack:

#0 js::wasm::CompileArgs::build (cx=0xf6c1e800, scriptedCaller=...) at /home/ubuntu/trees/mozilla-central/js/src/wasm/WasmCompile.cpp:120
#1 0x57fce701 in ModuleValidator<char16_t>::finish (this=0xffff9ae8) at /home/ubuntu/trees/mozilla-central/js/src/wasm/AsmJS.cpp:2124
#2 0x57f771df in CheckModule<char16_t> (cx=<optimized out>, parser=..., stmtList=<optimized out>, time=<optimized out>)
at /home/ubuntu/trees/mozilla-central/js/src/wasm/AsmJS.cpp:6413
#3 DoCompileAsmJS<char16_t> (cx=<optimized out>, parser=..., stmtList=0xf6cba110, validated=0xffff9ef7)
at /home/ubuntu/trees/mozilla-central/js/src/wasm/AsmJS.cpp:7084
#4 js::CompileAsmJS (cx=0xf6c1e800, parser=..., stmtList=0xf6cba110, validated=0xffff9ef7)
at /home/ubuntu/trees/mozilla-central/js/src/wasm/AsmJS.cpp:7122
#5 0x57b9d339 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS (this=<optimized out>, list=0x5675445f)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3323
#6 js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::asmJS (this=<optimized out>, list=0x5675445f)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3336
#7 js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::maybeParseDirective (this=0xffffb3cc, list=0xf6cba110,
possibleDirective=0xf6cba148, cont=0xffff9f33) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3415
#8 0x57b9297c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=0xffffb3cc,
yieldHandling=js::frontend::YieldIsName) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3492
#9 0x57b9b146 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody (this=0xffffb3cc,
inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression,
type=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::StatementListBody)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:1878
#10 0x57b9a0f2 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (this=0xffffb3cc,
inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, funNode=0xffffa174,
kind=js::frontend::FunctionSyntaxKind::Expression, parameterListEnd=..., isStandaloneFunction=95)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3035
/snip

For detailed crash information, see attachment.

I don't think this is s-s as cranelift doesn't seem to be on by default, but I'll leave it to others to decide.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/cb20dcd8ea7e
user: Benjamin Bouvier
date: Wed Jan 23 15:59:12 2019 +0100
summary: Bug 1509441: Check coherency of compiler switches when building a CompilerArgs; r=lth

changeset: https://hg.mozilla.org/mozilla-central/rev/7df604faea71
user: Benjamin Bouvier
date: Thu Jan 24 13:32:44 2019 +0100
summary: Bug 1509441: Make sure non-Cranelift builds still work; rs=lth

Benjamin, is bug 1509441 a likely regressor?

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: Bug 1558165: Throw when forcing Cranelift usage on an unsupported platform; r?lth

Comment 4

[Benjamin Bouvier [:bbouvier] (inactive)]

Opening up, this is Nightly-only (Cranelift) + safe release assert.

Comment 5

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9e7c1e1a993d
Throw when forcing Cranelift usage on an unsupported platform; r=lth

Comment 6

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/9e7c1e1a993d