Closed Bug 1861267 Opened 8 months ago Closed 7 months ago

wasm (multi-)memory.copy fails to compile

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
121 Branch
Tracking Flags:
Tracking Status
firefox121 --- fixed

People

(Reporter: yury, Assigned: jseward)

References

Details

Attachments

(1 file)

Bug 1861267 - wasm (multi-)memory.copy fails to compile. r=rhunt.
48 bytes, text/x-phabricator-request
Details | Review

The following code fails:

var ins = wasmTextEval(`(module
  (memory $$mem0 (data "\\ff\\11\\44\\ee"))
  (memory $$mem1 (data "\\ee\\22\\55\\ff"))
  (memory $$mem2 (data "\\dd\\33\\66\\00"))
  (memory $$mem3 (data "\\aa\\bb\\cc\\dd"))

  (func (export "copy") (param i32 i32 i32)
    (memory.copy $$mem0 $$mem3
      (local.get 0)
      (local.get 1)
      (local.get 2)))
)`);

The baseline compiler error:

Hit MOZ_CRASH(Compiler bug: Expected I64 on stack) at /Users/yury/Work/mozilla-unified/js/src/wasm/WasmBCStkMgmt-inl.h:189
#01: js::wasm::BaseCompiler::loadI64(js::wasm::Stk const&, js::wasm::RegI64)[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin22.5.0/dist/bin/js +0x184f388]
#02: js::wasm::BaseCompiler::passArg(js::wasm::PackedType<js::wasm::ValTypeTraits>, js::wasm::Stk const&, js::wasm::FunctionCall*)[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin22.5.0/dist/bin/js +0x184e73c]
#03: js::wasm::BaseCompiler::emitInstanceCall(js::wasm::SymbolicAddressSignature const&)[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin22.5.0/dist/bin/js +0x183e338]
#04: js::wasm::BaseCompiler::memCopyCall(unsigned int, unsigned int)[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin22.5.0/dist/bin/js +0x1870ba8]

The severity field is not set for this bug.
:rhunt, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(rhunt)
Assignee: nobody → jseward
Severity: -- → S2
Flags: needinfo?(rhunt)
Priority: -- → P1

This patch fixes the following problems with memory.copy when used with
different memories:

  • SASigMemCopyAny didn't match the signature for Instance::memCopy_any,
    causing baseline to assert and Ion to generate incorrect code.
    The arm/arm64/riscv64 simulators are updated accordingly.

  • Ion, EmitMemCopyCall: the MDefinitions to extend 32- to 64-bits were not
    attached to the containing basic block.

  • BaseCompiler::popIndexToInt64: on 32-bit targets, the two components were
    passed to Register64() in the wrong order, causing incorrect bounds-check
    failures in Instance::memCopy_any.

Also there is a new test case and a new directory,
js/src/jit-test/testswasm/multi-memory.

Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ebe688928ac9
wasm (multi-)memory.copy fails to compile.  r=rhunt.

https://hg.mozilla.org/mozilla-central/rev/ebe688928ac9

Status: NEW → RESOLVED
Closed: 7 months ago
status-firefox121: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
Regressions: 1865570
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: