Closed Bug 1670983 Opened 5 years ago Closed 5 years ago

Crash in [@ js::jit::MacroAssembler::callWithABI]

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Unspecified
Android
defect

Tracking

RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- fixed

People

(Reporter: kbrosnan, Assigned: lth)

References

(Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/50ee9ef3-0e0d-484f-9045-93c750201013

Reason: SIGSEGV /SEGV_MAPERR

Top 10 frames of crashing thread:

0 libxul.so js::jit::MacroAssembler::callWithABI js/src/jit/MacroAssembler.cpp:3174
1 libxul.so js::jit::CodeGenerator::visitSoftUDivOrMod js/src/jit/arm/CodeGenerator-arm.cpp:2264
2 libxul.so js::jit::CodeGenerator::generateBody js/src/jit/CodeGenerator.cpp:7299
3 libxul.so js::jit::CodeGenerator::generateWasm js/src/jit/CodeGenerator.cpp:11328
4 libxul.so js::wasm::IonCompileFunctions js/src/wasm/WasmIonCompile.cpp:5458
5 libxul.so ExecuteCompileTask js/src/wasm/WasmGenerator.cpp:760
6 libxul.so js::wasm::ModuleGenerator::locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:822
7 libxul.so js::wasm::ModuleGenerator::finishFuncDefs js/src/wasm/WasmGenerator.cpp:960
8 libxul.so js::wasm::CompileStreaming js/src/wasm/WasmCompile.cpp:752
9 libxul.so CompileStreamTask::execute js/src/wasm/WasmJS.cpp:4007

Crashing line got added in bug 1639153. Dmitry, does this only get reported now due to this change or is it an actual regression from it?

Flags: needinfo?(dbezhetskov)
Keywords: regression
Regressed by: 1639153
Has Regression Range: --- → yes
Severity: -- → S2
Component: JavaScript Engine → Javascript: WebAssembly
Priority: -- → P1

Dmitry's on PTO for the next two weeks, I'll take a look.

Hm, soft div/mod on ARM called from Ion... I thought for sure that was not a supported configuration for wasm... No matter. Bug 1639153 regressed this, because it requires the Tls register to be threaded through runtime calls. It is not done so for soft div/mod. I can repro locally; it will be my preference to try to fix this, I may choose to do so by disabling wasm on soft-idiv ARMv7 devices but we'll see.

Assignee: nobody → lhansen
Status: NEW → ASSIGNED

Test case div.js:

new WebAssembly.Module(wasmTextToBinary(`
(module
  (func (export "f") (param i32 i32) (result i32)
    (i32.div_s (local.get 0) (local.get 1))))
`))

Run like this on ARM simulator: ARMHWCAP=armv7,vfp,vfpv3 dist/bin/js --wasm-compiler=ion ~/moz/div.js

There are multiple locations that have this problem: soft signed div, soft mod, soft unsigned div.

Soft div/mod are supported on ARMv7 with Ion, and the callouts need to
preserve the Tls register and pass the Tls register offset to
callWithABI.

The introduced code follows the pattern used elsewhere in the file:
push the Tls before setting up the call and record its frame depth;
pass the frame offset to callWithABI; pop the Tls after the call.
Passes all tests on simulator.
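
The push / record depth / pass offset / pop sequence described in the patch summary above, as a self-contained C++ toy model added here for illustration. It is not SpiderMonkey code: `ToyMasm`, `softDivCallout` and every member name are hypothetical, and the 8-byte alignment padding is an assumption of the model.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Toy model only: hypothetical names, not SpiderMonkey's MacroAssembler.
struct ToyMasm {
    std::vector<uint32_t> stack;  // one element per 4-byte word; back() is the top
    uint32_t tlsReg = 0;          // stands in for the register holding Tls
    uint32_t seenByCallee = 0;    // value the callout found at the passed offset

    uint32_t framePushed() const { return uint32_t(stack.size()) * 4; }
    void push(uint32_t w) { stack.push_back(w); }
    uint32_t pop() { uint32_t w = stack.back(); stack.pop_back(); return w; }

    // Assumed call setup: pad the stack to 8-byte alignment.
    void setupAlignedCall() { if (framePushed() % 8 != 0) push(0); }

    // Callout that needs Tls: it reads the word at sp + tlsOffset and is free
    // to clobber the register. Without an offset it cannot locate Tls.
    bool callWithABI(std::optional<uint32_t> tlsOffset) {
        if (!tlsOffset || *tlsOffset / 4 >= stack.size()) return false;
        seenByCallee = stack[stack.size() - 1 - *tlsOffset / 4];
        tlsReg = 0xDEADBEEF;
        return true;
    }
};

// Emits one soft div/mod callout, with or without the Tls-preserving pattern.
bool softDivCallout(ToyMasm& m, bool preserveTls) {
    const uint32_t entryDepth = m.framePushed();
    std::optional<uint32_t> tlsOffset;
    uint32_t depthAfterTls = 0;
    if (preserveTls) {
        m.push(m.tlsReg);                  // 1. push Tls before call setup
        depthAfterTls = m.framePushed();   //    and record its frame depth
    }
    m.setupAlignedCall();                  // may push padding above the Tls slot
    if (preserveTls) tlsOffset = m.framePushed() - depthAfterTls;
    bool ok = m.callWithABI(tlsOffset);    // 2. pass the frame offset
    while (m.framePushed() > (preserveTls ? depthAfterTls : entryDepth)) m.pop();
    if (preserveTls) m.tlsReg = m.pop();   // 3. pop Tls after the call
    return ok;
}
```

The offset is computed after call setup because anything pushed between the Tls slot and the call (here, alignment padding) moves the slot further from the stack pointer.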

Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5ec01259d453 Preserve Tls register across callouts to soft div/mod. r=nbp
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

iiuc we are done here

Flags: needinfo?(dbezhetskov)