Closed Bug 1592958 Opened 5 years ago Closed 5 years ago

Ensure new WebAssembly blocks have slots enough for predecessor results

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: wingo, Assigned: wingo)

References

Details

Attachments

(1 file)

Bug 1592958 - Ensure new WebAssembly blocks have slots enough for predecessor results
47 bytes, text/x-phabricator-request
Details | Review

Bug fixes an issue in which returning more than one value from a WebAssembly block via fallthrough would stomple memory, because only 1 slot was reserved in the successor.

Test case (uncommitted, depends on bug 1586207 for codegen, and bug 1584097 for actually assembling the test case):

wasmFullPass(`
  (module
    (func (export "run") (result i32)
      (i32.add
        (loop (result i32 i32)
          (i32.const 32)
          (i32.const 10)))))`,
            42);

The error I was getting before fixing the bug:

Thread 1 "js" received signal SIGSEGV, Segmentation fault.
js::jit::FixedList<js::jit::MDefinition*>::operator[] (this=<optimized out>, index=<optimized out>) at /home/wingo/src/mozilla-unified/js/src/jit/FixedList.h:79
79	    MOZ_ASSERT(index < length_);
(gdb) bt
#0  js::jit::FixedList<js::jit::MDefinition*>::operator[] (this=<optimized out>, index=<optimized out>) at /home/wingo/src/mozilla-unified/js/src/jit/FixedList.h:79
#1  js::jit::MBasicBlock::pop (this=<optimized out>) at /home/wingo/src/mozilla-unified/js/src/jit/MIRGraph.h:213
#2  (anonymous namespace)::FunctionCompiler::popPushedDefs (this=0x7fffffff7578, defs=0x7fffffff70a0) at /home/wingo/src/mozilla-unified/js/src/wasm/WasmIonCompile.cpp:1209
#3  0x0000555557aa2447 in (anonymous namespace)::FunctionCompiler::closeLoop (this=0x7fffffff7578, loopHeader=<optimized out>, loopResults=0x7fffffff70a0) at /home/wingo/src/mozilla-unified/js/src/wasm/WasmIonCompile.cpp:1469
#4  EmitEnd (f=...) at /home/wingo/src/mozilla-unified/js/src/wasm/WasmIonCompile.cpp:1853
#5  EmitBodyExprs (f=...) at /home/wingo/src/mozilla-unified/js/src/wasm/WasmIonCompile.cpp:3392
#6  0x0000555557a97ec2 in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=0x7ffff415e780, error=0x7fffffffa430) at /home/wingo/src/mozilla-unified/js/src/wasm/WasmIonCompile.cpp:4226
Priority: -- → P1
Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7da36585e596
Ensure new WebAssembly blocks have slots enough for predecessor results r=jandem

https://hg.mozilla.org/mozilla-central/rev/7da36585e596

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: