Closed
Bug 1674979
Opened 4 years ago
Closed 4 years ago
Assertion failure: ToSimdFloatRegister(rhs) != lhs && ToSimdFloatRegister(rhs) != tmp1 && ToSimdFloatRegister(rhs) != tmp2, at js/src/jit/x86-shared/MacroAssembler-x86-shared-SIMD.cpp:288
Categories
(Core :: JavaScript: WebAssembly, defect)
Tracking
RESOLVED DUPLICATE of bug 1674641
| | Tracking | Status |
|---|---|---|
| firefox84 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
9.67 KB, application/octet-stream
The attached testcase crashes on mozilla-central revision 20201103-0ec69f07cdc9 (debug build, run with --no-threads --fuzzing-safe --baseline-warmup-threshold=0 --disable-oom-functions test.js).
Backtrace:
==31826==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564ca8c49515 bp 0x7ffce77ed8a0 sp 0x7ffce77ed850 T31826)
#0 0x564ca8c49515 in js::jit::MacroAssemblerX86Shared::unsignedCompareInt8x16(js::jit::FloatRegister, js::jit::Operand, js::jit::AssemblerX86Shared::Condition, js::jit::FloatRegister, js::jit::FloatRegister, js::jit::FloatRegister) js/src/jit/x86-shared/MacroAssembler-x86-shared-SIMD.cpp:285:3
#1 0x564ca8c30678 in js::jit::MacroAssembler::unsignedCompareInt8x16(js::jit::AssemblerX86Shared::Condition, js::jit::FloatRegister, js::jit::FloatRegister, js::jit::FloatRegister, js::jit::FloatRegister) js/src/jit/x86-shared/MacroAssembler-x86-shared-inl.h:1821:28
#2 0x564ca8d73463 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:7328:9
#3 0x564ca8dab2f1 in js::jit::CodeGenerator::generateWasm(js::wasm::FuncTypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) js/src/jit/CodeGenerator.cpp:11436:8
#4 0x564ca913fa08 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmIonCompile.cpp:5459:20
#5 0x564ca91032de in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:760:16
#6 0x564ca9104e9b in locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:822:8
#7 0x564ca9104e9b in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:960:24
#8 0x564ca9056a5a in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:569:13
#9 0x564ca9056438 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:592:8
#10 0x564ca9154c46 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1631:25
#11 0x564ca811b8c1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:507:13
[...]
Marking s-s for now because this is a macro assembler assertion and I don't know if it has any security impact.
Comment 1 (Reporter)•4 years ago
Comment 2•4 years ago
Over-eager assertion.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Updated (Reporter)•4 years ago
Group: javascript-core-security