Assertion failure: count.value < 32, at jit/x86-shared/MacroAssembler-x86-shared-SIMD.cpp:1775
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking

Release | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox78 | --- | unaffected
firefox79 | --- | disabled
firefox80 | --- | fixed
People
(Reporter: decoder, Assigned: bbouvier)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisect][post-critsmash-triage])
Attachments
(2 files)
The attached testcase crashes on mozilla-central revision 20200703-b48777a21aab (debug build, run with --fuzzing-safe --no-threads test.js).
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555564798a4 in js::jit::MacroAssemblerX86Shared::packedRightShiftByScalarInt64x2(js::jit::Imm32, js::jit::FloatRegister, js::jit::FloatRegister) ()
#1 0x00005555565706e3 in js::jit::CodeGenerator::generateBody() ()
#2 0x00005555565ac131 in js::jit::CodeGenerator::generateWasm(js::wasm::FuncTypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) ()
#3 0x00005555568b2438 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#4 0x000055555689d5dd in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#5 0x000055555689e3d7 in js::wasm::ModuleGenerator::finishFuncDefs() ()
#6 0x0000555556827e7e in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#7 0x0000555556827a23 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#8 0x0000555556906464 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#9 0x0000555555942582 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#21 0x00005555557b9c85 in main ()
rax 0x5555570d6764 93825021077348
rbx 0x7ffff5189818 140737305417752
rcx 0x555558383840 93825040660544
rdx 0x0 0
rsi 0x7ffff6abd770 140737331844976
rdi 0x7ffff6abc540 140737331840320
rbp 0x7fffffff86a0 140737488324256
rsp 0x7fffffff8640 140737488324160
r8 0x7ffff6abd770 140737331844976
r9 0x7ffff7fe3d40 140737354022208
r10 0x58 88
r11 0x7ffff67647a0 140737328334752
r12 0x7ffff57ee420 140737312121888
r13 0x7ffff57ee408 140737312121864
r14 0x0 0
r15 0x7fffffff8bb8 140737488325560
rip 0x5555564798a4 <js::jit::MacroAssemblerX86Shared::packedRightShiftByScalarInt64x2(js::jit::Imm32, js::jit::FloatRegister, js::jit::FloatRegister)+308>
=> 0x5555564798a4 <_ZN2js3jit23MacroAssemblerX86Shared31packedRightShiftByScalarInt64x2ENS0_5Imm32ENS0_13FloatRegisterES3_+308>: movl $0x6ef,0x0
0x5555564798af <_ZN2js3jit23MacroAssemblerX86Shared31packedRightShiftByScalarInt64x2ENS0_5Imm32ENS0_13FloatRegisterES3_+319>: callq 0x55555584855e <abort>
Marking s-s until investigated, since this is a range assert.
Reporter
Comment 1•4 years ago
Assignee
Comment 2•4 years ago
When lowering i64x2.shr_s, we can emit a simpler sequence if the shift count is constant and less than 32; otherwise, a bigger code sequence needs to be generated. When making this decision, the shift count wasn't masked, so a negative shift count would satisfy this condition but could be greater than 32, in the immediate case. Masking the shift count solves the issue and also makes it possible to use the constant code sequence for larger shift counts.

The mask value of 63 is appropriate per specification, since we're operating on an i64x2 register.
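The decision described in the comment above, as an added model in C that is not SpiderMonkey's code: it implements the spec's count-mod-64 semantics of i64x2.shr_s, then compares the pre-fix path selection (raw constant count compared with 32) against the fixed one (count masked with 63 first). The path names, the assumption that the short-sequence emitter's `< 32` precondition from the bug title is checked against the effective shift, and the sample counts are constructed for illustration; a count of -1 reproduces the failing case and a count of 69 shows the "larger shift counts" that the fix routes to the constant sequence.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added model of the i64x2.shr_s lowering decision from comment 2.
 * Not SpiderMonkey code: path names, the placement of the emitter's
 * precondition check, and the sample counts are constructed here.
 */

/* Wasm semantics: the i32 count is taken modulo the lane width (64). */
static unsigned effective_shift(int32_t count)
{
    return (uint32_t)count & 63u;
}

/* Portable arithmetic right shift of one lane: avoids relying on the
 * implementation-defined behaviour of >> on negative signed values. */
static int64_t sar64(int64_t v, unsigned shift)
{
    if (v < 0) {
        return ~((~v) >> shift);   /* ~v is non-negative, so >> is defined */
    }
    return v >> shift;
}

/* Reference i64x2.shr_s on one lane: shift by count mod 64. */
static int64_t i64x2_shr_s_lane(int64_t v, int32_t count)
{
    return sar64(v, effective_shift(count));
}

/* Reference i64x2.shr_s on both lanes. */
static void i64x2_shr_s_ref(const int64_t in[2], int32_t count, int64_t out[2])
{
    out[0] = i64x2_shr_s_lane(in[0], count);
    out[1] = i64x2_shr_s_lane(in[1], count);
}

typedef enum { PATH_ASSERT = 0, PATH_SMALL_CONSTANT = 1, PATH_GENERAL = 2 } LowerPath;

/* Hypothetical emitter precondition taken from the bug title: the short
 * x86 sequence is only valid for effective shifts below 32. */
static bool small_path_precondition(unsigned shift)
{
    return shift < 32u;
}

/*
 * Which code sequence the lowering picks for a constant count.
 * masked == false models the pre-fix decision (compare the raw count
 * with 32); masked == true the fixed one (mask with 63 first).
 * Returns PATH_ASSERT when the small path is chosen although its
 * precondition on the effective shift fails, i.e. where a debug build
 * would hit the assertion.
 */
static LowerPath choose_path(int32_t count, bool masked)
{
    int32_t decision_count = masked ? (int32_t)effective_shift(count) : count;
    if (decision_count < 32) {
        return small_path_precondition(effective_shift(count))
                   ? PATH_SMALL_CONSTANT
                   : PATH_ASSERT;
    }
    return PATH_GENERAL;
}

int main(void)
{
    /* Constructed sample counts: plain small, negative, 63, >64, and 32. */
    const int32_t counts[] = { 5, -1, 63, 69, 32 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int32_t c = counts[i];
        printf("count %4d (effective %2u): unmasked path %d, masked path %d\n",
               (int)c, effective_shift(c),
               (int)choose_path(c, false), (int)choose_path(c, true));
    }
    int64_t in[2] = { -8, INT64_MAX };
    int64_t out[2];
    i64x2_shr_s_ref(in, -1, out);   /* effective shift 63 */
    printf("shr_s by -1: %lld %lld\n", (long long)out[0], (long long)out[1]);
    return 0;
}
```

With the unmasked predicate, -1 satisfies `count < 32` yet its effective shift is 63, so the short sequence is selected outside its valid range; with the mask applied first, -1 and 63 go to the general sequence and 69 (effective shift 5) can use the short one.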
Comment 3•4 years ago
Comment 4•3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20200715215205-c4186bb32c30.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.