Assertion failure: count > 0 (Should have been a MOVE operation), at jit/x86-shared/CodeGenerator-x86-shared.cpp:3134
Categories: Core :: JavaScript: WebAssembly, defect, P2

Tracking

Branch | Tracking flag | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox85 | --- | unaffected
firefox86 | --- | wontfix
firefox87 | --- | verified

People: Reporter: decoder, Assigned: lth
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
The attached testcase crashes on mozilla-central revision 20210111-c6d819bd39da (build with --enable-debug, run with --no-threads --fuzzing-safe --wasm-compiler=optimizing --baseline-warmup-threshold=1 --ion-warmup-threshold=1 test.js).
Backtrace:
==29116==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x56230d392beb bp 0x7ffdee595000 sp 0x7ffdee594f70 T29116)
==29116==The signal is caused by a WRITE memory access.
==29116==Hint: address points to the zero page.
#0 0x56230d392beb in js::jit::CodeGenerator::visitWasmPermuteSimd128(js::jit::LWasmPermuteSimd128*) js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:3134:7
#1 0x56230d57be13 in js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:6906:9
#2 0x56230d5d40a4 in js::jit::CodeGenerator::generateWasm(js::wasm::TypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) js/src/jit/CodeGenerator.cpp:11840:8
#3 0x56230d980fcb in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmIonCompile.cpp:5552:20
#4 0x56230d94394c in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:782:16
#5 0x56230d94547b in locallyCompileCurrentTask js/src/wasm/WasmGenerator.cpp:844:8
#6 0x56230d94547b in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:982:24
#7 0x56230d89a08d in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:571:13
#8 0x56230d899b02 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:594:8
#9 0x56230d995ad6 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1585:25
#10 0x56230c7bbb71 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:503:13
[...]
Marking s-s until investigated because this is a JIT-related assertion.
Comment 1 (Reporter) • 4 years ago

Updated (Assignee) • 4 years ago

Comment 2 (Assignee) • 4 years ago
This is not s-s, it's just a missing guard in an optimization. The computation involves only vector values and there is no risk. This can be opened up.
Updated (Assignee) • 4 years ago

Updated (Reporter) • 4 years ago

Comment 3 (Assignee) • 4 years ago
The trigger for the rotate specialization did not check that the second run of increasing values in the shuffle pattern, if present, must start with lane value zero.
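The check described in comment 3, as an added example that is not SpiderMonkey's code: an i8x16 shuffle mask is a single-vector rotate by k only if output lane i reads input lane (i + k) mod 16, so after the first run k..15 the second run must begin at 0. The loose matcher below reconstructs the shape of the missing guard (two increasing runs, no constraint on where the second starts); the strict matcher adds it. Function and constant names are hypothetical, and the masks and input vector are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>

constexpr int kLanes = 16;

// Outcome of trying to match a shuffle mask as a single-vector lane rotate.
struct RotateMatch {
  bool isRotate;
  int count;  // number of lanes rotated by; meaningful only when isRotate
};

// Loose matcher (hypothetical; shape of the missing guard): accept any mask made
// of at most two runs of consecutive increasing lane indices, without requiring
// the second run to start at lane 0.
RotateMatch matchRotateLoose(const uint8_t lanes[kLanes]) {
  int runs = 1;
  for (int i = 1; i < kLanes; i++) {
    if (lanes[i] == lanes[i - 1] + 1) continue;
    if (++runs > 2) return {false, 0};
  }
  return {true, lanes[0]};
}

// Strict matcher: a rotate by k maps output lane i to input lane (i + k) mod 16,
// so the first run must be k..15 and the second run, if present, must start at 0.
// k == 0 is the identity, which is a plain move rather than a rotate (the case the
// assertion in the bug title expects to have been handled as a MOVE).
RotateMatch matchRotateStrict(const uint8_t lanes[kLanes]) {
  int count = lanes[0];
  if (count == 0 || count >= kLanes) return {false, 0};
  for (int i = 0; i < kLanes; i++) {
    if (lanes[i] != ((count + i) & (kLanes - 1))) return {false, 0};
  }
  return {true, count};
}

// Reference semantics of the shuffle on one vector: out[i] = in[lanes[i]].
// Lane indices are masked to 0..15 here; a real two-vector shuffle would read
// indices 16..31 from the second operand.
void shuffleLanes(const uint8_t in[kLanes], const uint8_t lanes[kLanes], uint8_t out[kLanes]) {
  for (int i = 0; i < kLanes; i++) out[i] = in[lanes[i] & (kLanes - 1)];
}

// What a byte-rotate instruction computes: out[i] = in[(i + count) mod 16].
void rotateLanes(const uint8_t in[kLanes], int count, uint8_t out[kLanes]) {
  for (int i = 0; i < kLanes; i++) out[i] = in[(i + count) & (kLanes - 1)];
}

// Number of output lanes in which emitting a rotate for `lanes` (as the loose
// matcher would allow) differs from the shuffle it is supposed to implement.
int lanesMiscompiled(const uint8_t lanes[kLanes]) {
  uint8_t in[kLanes], want[kLanes], got[kLanes];
  for (int i = 0; i < kLanes; i++) in[i] = static_cast<uint8_t>(0x10 * i);  // constructed, all lanes distinct
  shuffleLanes(in, lanes, want);
  RotateMatch m = matchRotateLoose(lanes);
  if (!m.isRotate) return 0;
  rotateLanes(in, m.count, got);
  int bad = 0;
  for (int i = 0; i < kLanes; i++) bad += (want[i] != got[i]);
  return bad;
}

// Constructed masks. kRotateBy5 is a genuine rotate: 5..15 then 0..4.
// kFalseRotate has the same first run but its second run starts at 2.
// kIdentity is rotate count 0, i.e. a move.
const uint8_t kRotateBy5[kLanes]   = {5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4};
const uint8_t kFalseRotate[kLanes] = {5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 2, 3, 4, 5, 6};
const uint8_t kIdentity[kLanes]    = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

int main() {
  const uint8_t* masks[] = {kRotateBy5, kFalseRotate, kIdentity};
  const char* names[] = {"rotate-by-5", "false-rotate", "identity"};
  for (int m = 0; m < 3; m++) {
    RotateMatch loose = matchRotateLoose(masks[m]);
    RotateMatch strict = matchRotateStrict(masks[m]);
    std::printf("%-13s loose: %d (count %d)  strict: %d (count %d)  lanes wrong if rotated: %d\n",
                names[m], loose.isRotate, loose.count, strict.isRotate, strict.count,
                lanesMiscompiled(masks[m]));
  }
  return 0;
}
```

With the loose matcher, kFalseRotate is lowered to a rotate by 5 and the last five output lanes come out wrong; the strict check rejects it so the compiler falls back to a general shuffle, and rejects the identity mask so that it cannot reach the rotate path with count 0.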
Comment 4 • 4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210124215058-63534c66d7b8.
Failed to bisect testcase (Unable to launch the start build!):
Start: c0fa6d007c58437398cc06a97d221c42d41dcf9e (20200127093737)
End: c6d819bd39daf86acd5e0c5bce5d74c2db8b8d64 (20210111215143)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
Comment 6 (bugherder) • 4 years ago

Comment 7 • 4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210127213646-050d232035a7.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 8 • 4 years ago

The patch landed in nightly and beta is affected.
:lth, is this bug important enough to require an uplift?
If not, please set status_beta to wontfix.
For more information, please visit the auto_nag documentation.
Comment 9 (Assignee) • 4 years ago
I think no code on the open web uses this, the feature has not shipped yet, it's in Nightly behind a flag. Serious users use Nightly for this.
Updated (Assignee) • 4 years ago

Updated • 4 years ago