Closed Bug 1604004 Opened 6 years ago Closed 6 years ago

Hit MOZ_CRASH(assertion failed: ret.is_none()) at js/src/wasm/cranelift/src/wasm2clif.rs:1041 with Cranelift

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 1603772
Tracking Status
firefox73 --- fixed

People

(Reporter: gkw, Unassigned)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 8855bff16ed6 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=cranelift):

// Adapted from randomly chosen test: js/src/jit-test/tests/wasm/passive-segs-nonboundary.js
let x = "(module (table 30 30 funcref) (func (table.copy (i32.const 0) (i32.const 0) (i32.const 0))))";
new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(x)));

Backtrace:

#0  MOZ_Crash (aFilename=<optimized out>, aLine=1041, aReason=0x7ffd629297a2 "assertion failed: ret.is_none()") at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-linux-x86_64-8855bff16ed6/objdir-js/dist/include/mozilla/Assertions.h:332
#1  RustMozCrash (aFilename=<optimized out>, aLine=1041, aReason=0x7ffd629297a2 "assertion failed: ret.is_none()") at wrappers.cpp:17
#2  0x0000563571912d2a in mozglue_static::panic_hook (info=0x7ffd62929c38) at mozglue/static/rust/lib.rs:89
#3  0x0000563571912d89 in core::ops::function::Fn::call () at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/libcore/ops/function.rs:69
#4  0x00005635721f6d4c in std::panicking::rust_panic_with_hook () at src/libstd/panicking.rs:477
#5  0x0000563571ce6bd2 in std::panicking::begin_panic (msg=..., file_line_col=0x5635722c2e28) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/libstd/panicking.rs:407
/snip

For detailed crash information, see attachment.

Setting s-s as a start, even though this seems cranelift-only for now.

Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/05ca91f87ca8
user: Ryan Hunt
date: Mon Dec 09 14:04:31 2019 +0000
summary: Bug 1599517 - Update cranelift to 4727b70b67abfa4f3ae1c276454a0da7a76e1d49. r=bbouvier

changeset: https://hg.mozilla.org/mozilla-central/rev/fd374e1cf7e5
user: Ryan Hunt
date: Mon Dec 09 15:04:26 2019 +0000
summary: Bug 1599517 - Update baldrdash for changes to cranelift-wasm. r=bbouvier

changeset: https://hg.mozilla.org/mozilla-central/rev/9129ac29705f
user: Ryan Hunt
date: Mon Dec 09 15:04:26 2019 +0000
summary: Bug 1599517 - Add support for bulk-memory operations with Cranelift. r=bbouvier

Ryan, is bug 1599517 a likely regressor?

Flags: needinfo?(rhunt)
Regressed by: 1599517

Fixed by first patch in bug 1603772.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(rhunt)
Resolution: --- → DUPLICATE
Component: JavaScript Engine → Javascript: WebAssembly
Group: javascript-core-security