1562393 - [Cranelift] thread '<unnamed>' panicked at 'assertion failed: `(left == right)` left: `1`, right: `0`', js/src/wasm/cranelift/src/wasm2clif.rs:554:9

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 207bcf72dac7 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --wasm-compiler=cranelift):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  mozalloc_abort (msg=msg@entry=0x555556c02980 "Redirecting call to abort() to mozalloc_abort\n") at memory/mozalloc/mozalloc_abort.cpp:33
#1  0x00005555558a2fe0 in abort () at memory/mozalloc/mozalloc_abort.cpp:79
#2  0x0000555556b01f67 in panic_abort::__rust_start_panic::abort::hb92452da2fb4d52a () at src/libpanic_abort/lib.rs:49
#3  0x0000555556b01f56 in __rust_start_panic () at src/libpanic_abort/lib.rs:45
#4  0x0000555556af17a9 in rust_panic () at src/libstd/panicking.rs:523
#5  0x0000555556af16cc in rust_panic_with_hook () at src/libstd/panicking.rs:494
#6  0x0000555556af1112 in continue_panic_fmt () at src/libstd/panicking.rs:381
#7  0x0000555556af105f in begin_panic_fmt () at src/libstd/panicking.rs:336
#8  0x0000555556b33e63 in _$LT$baldrdash..wasm2clif..TransEnv$u20$as$u20$cranelift_wasm..environ..spec..FuncEnvironment$GT$::translate_call_indirect::h465f1d366776e3ad (self=0x7fffffffa3c0, pos=..., table_index=..., table=..., sig_index=..., sig_ref=..., callee=..., call_args=...) at js/src/wasm/cranelift/src/wasm2clif.rs:554
#9  0x0000555556b9d189 in cranelift_wasm::code_translator::translate_operator::h5a38cf6634c3b0fd (op=..., builder=0x7fffffffa260, state=0x7ffff6922960, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/code_translator.rs:382
#10 0x0000555556b36eec in cranelift_wasm::func_translator::parse_function_body::h620bc9a954aa7cf3 (reader=..., builder=0x7fffffffa260, state=0x7ffff6922960, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/func_translator.rs:209
#11 0x0000555556b36b17 in cranelift_wasm::func_translator::FuncTranslator::translate_from_reader::h65c92e8f0260d092 (self=<optimized out>, reader=..., func=<optimized out>, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/func_translator.rs:106
#12 0x0000555556b36dd5 in cranelift_wasm::func_translator::FuncTranslator::translate::h0dede614b0f03660 (self=0x7ffff6eeb770 <_IO_stdfile_2_lock>, code=..., code_offset=<optimized out>, func=0x7ffff6c1c2dd <write+45>, environ=0x7fffffffa3c0) at third_party/rust/cranelift-wasm/src/func_translator.rs:62
#13 0x00005555568f4546 in baldrdash::compile::BatchCompiler::translate_wasm::hd833101254e1667f (self=<optimized out>, func=0x7fffffffa670) at js/src/wasm/cranelift/src/compile.rs:129
#14 0x00005555568f0a48 in cranelift_compile_function (compiler=<optimized out>, data=<optimized out>, data@entry=0x7fffffffa670, result=result@entry=0x7fffffffa760) at js/src/wasm/cranelift/src/lib.rs:93
#15 0x000055555649f84c in js::wasm::CraneliftCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff5fb7780, error=error@entry=0x7fffffffc598) at js/src/wasm/WasmCraneliftCompile.cpp:413
#16 0x0000555556534475 in ExecuteCompileTask (task=0x7ffff5fb73d8, error=0x7fffffffc598) at js/src/wasm/WasmGenerator.cpp:728
#17 0x0000555556534c1c in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7fffffffb770) at js/src/wasm/WasmGenerator.cpp:775
#18 js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7fffffffb770) at js/src/wasm/WasmGenerator.cpp:904
#19 0x0000555556475434 in DecodeCodeSection<js::wasm::Decoder> (env=..., d=..., mg=...) at js/src/wasm/WasmCompile.cpp:557
#20 0x0000555556476032 in DecodeCodeSection<js::wasm::Decoder> (mg=..., d=..., env=...) at js/src/wasm/WasmCompile.cpp:534
#21 js::wasm::CompileBuffer (args=..., bytecode=..., error=error@entry=0x7fffffffc598, warnings=warnings@entry=0x7fffffffc600, listener=listener@entry=0x0) at js/src/wasm/WasmCompile.cpp:580
#22 0x000055555656e016 in js::WasmModuleObject::construct (cx=<optimized out>, cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1136
#23 0x000055555590b06f in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x55555656ddf0 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
[...]
#36 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11367
rax	0x555557dd2160	93825034690912
rbx	0x7ffff6eea700	140737336223488
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x555556ba435b	93825015628635
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffff9bc0	140737488329664
rsp	0x7fffffff9bb0	140737488329648
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x555557db1148	93825034555720
r13	0x7fffffff9d58	140737488330072
r14	0x9	9
r15	0x1	1
rip	0x5555558a301b <mozalloc_abort(char const*)+59>
=> 0x5555558a301b <mozalloc_abort(char const*)+59>:	movl   $0x0,0x0
   0x5555558a3026 <mozalloc_abort(char const*)+70>:	ud2

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: Bug 1562393: Cranelift: Don't panic when seeing unexpected number of memories/tables; r=lth

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug is a defect, but please change it back in case of error.

Comment 4

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/42bc4b6a03dd
Cranelift: Don't panic when seeing unexpected number of memories/tables; r=lth

Comment 5

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/42bc4b6a03dd