Open Bug 1885771 Opened 2 months ago Updated 1 month ago

Assertion failure: lineOrBytecode == lineOrBytecode_, at wasm/WasmCodegenTypes.h:566

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

defect


People

(Reporter: lukas.bernhard, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

Steps to reproduce:

On git commit 6d5114b3ba4e5c3414a19419ca1d0170ca149b13, the attached sample asserts in the js shell when invoked as ./obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

// Repro for the CallSiteDesc assertion "lineOrBytecode == lineOrBytecode_"
// (js/src/wasm/WasmCodegenTypes.h:566). Run in a debug js shell:
//   js --fuzzing-safe crash.js
const v3 = "6 Jun 2014" + 1000000.0;
// NOTE(review): this loop looks like fuzzer residue and is presumably unrelated to
// the assertion — confirm by removing it and re-running.
for (let i4 = v3; i4-- > 536870888;) {
}
// Source text of an asm.js module. The `~~` truncation in f() is presumably the
// operation that reaches MacroAssembler::outOfLineTruncateSlow -> callWithABI ->
// CallSiteDesc in the backtrace. The template is part of the evaluated source; keep
// it byte-for-byte (no comments or extra lines inside it).
const v10 = ` 
function m(stdlib) {
    "use asm";
    var abs = stdlib.Math.abs;
    function f(d) {
        d = +d;
        return (~~(5.0 - +abs(d)))|0;
    }
    return f;
}`;
// Compile options for evaluate(). lineNumber is the starting line number given to the
// source. 2096777049 does not fit in the 28-bit lineOrBytecode_ field of CallSiteDesc,
// which is the value the failing assertion compares. Whether a non-debug build, where
// the assertion is compiled out, stores a truncated value is not shown here — TODO confirm.
const o11 = { 
};
o11.lineNumber = 2096777049;
// cacheEntry() and evaluate() are js-shell testing functions: evaluate compiles v10 with
// the options in o11, which goes through CompileAsmJS (see the AsmJS.cpp frames in the
// backtrace) and on to Ion codegen for the module.
evaluate(cacheEntry(v10), o11);
#0  0x00005555590d2d3c in js::wasm::CallSiteDesc::CallSiteDesc (this=0x7fffffff3878, lineOrBytecode=2096777067,
    kind=js::wasm::CallSiteDesc::Symbolic) at js/src/wasm/WasmCodegenTypes.h:566
#1  0x000055555908a325 in js::jit::MacroAssembler::callWithABI (this=0x7fffffff4e38, bytecode=...,
    imm=js::wasm::SymbolicAddress::ToInt32, instanceOffset=..., result=js::jit::ABIType::General)
    at js/src/jit/MacroAssembler.cpp:4549
#2  0x000055555908a066 in js::jit::MacroAssembler::outOfLineTruncateSlow (this=0x7fffffff4e38, src=..., dest=...,
    widenFloatToDouble=false, compilingWasm=true, callOffset=...) at js/src/jit/MacroAssembler.cpp:3803
#3  0x0000555558bac316 in js::jit::CodeGeneratorShared::visitOutOfLineTruncateSlow (this=0x7fffffff3ef8, ool=0x7ffff5699df0)
    at js/src/jit/shared/CodeGenerator-shared.cpp:947
#4  0x0000555558bb541d in js::jit::OutOfLineTruncateSlow::accept (this=0x7ffff5699df0, codegen=0x7fffffff3ef8)
    at js/src/jit/shared/CodeGenerator-shared.cpp:893
#5  0x0000555558bb53ae in js::jit::OutOfLineCodeBase<js::jit::CodeGeneratorShared>::generate (this=0x7ffff5699df0, codegen=0x7fffffff3ef8)
    at js/src/jit/shared/CodeGenerator-shared.h:425
#6  0x0000555558ba813e in js::jit::CodeGeneratorShared::generateOutOfLineCode (this=0x7fffffff3ef8)
    at js/src/jit/shared/CodeGenerator-shared.cpp:224
#7  0x0000555558bff476 in js::jit::CodeGeneratorX86Shared::generateOutOfLineCode (this=0x7fffffff3ef8)
    at js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:530
#8  0x0000555558df6e8b in js::jit::CodeGenerator::generateWasm (this=0x7fffffff3ef8, callIndirectId=..., trapOffset=..., argTypes=...,
    trapExitLayout=..., trapExitLayoutNumWords=16, offsets=0x7fffffff3c98, stackMaps=0x7ffff5696278, decoder=0x7fffffff3e88)
    at js/src/jit/CodeGenerator.cpp:15277
#9  0x00005555592fa756 in js::wasm::IonCompileFunctions (moduleEnv=..., compilerEnv=..., lifo=..., inputs=..., code=0x7ffff5695f80,
    error=0x0) at js/src/wasm/WasmIonCompile.cpp:9363 
#10 0x00005555592e0727 in ExecuteCompileTask (task=0x7ffff5695bd0, error=0x0)
    at js/src/wasm/WasmGenerator.cpp:729
#11 0x00005555592e0974 in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7fffffff5c08)
    at js/src/wasm/WasmGenerator.cpp:784
#12 0x00005555592e13b7 in js::wasm::ModuleGenerator::finishFuncDefs (this=0x7fffffff5c08)
    at js/src/wasm/WasmGenerator.cpp:915
#13 0x000055555922c6b2 in ModuleValidator<char16_t>::finish (this=0x7fffffff6960) at js/src/wasm/AsmJS.cpp:2226
#14 0x00005555591bd3c1 in CheckModule<char16_t> (fc=0x7fffffff9758, parserAtoms=..., parser=..., stmtList=0x7ffff76d9220,
    time=0x7fffffff6ea4) at js/src/wasm/AsmJS.cpp:6470
#15 0x000055555915ee03 in DoCompileAsmJS<char16_t> (fc=0x7fffffff9758, parserAtoms=..., parser=..., stmtList=0x7ffff76d9220,
    validated=0x7fffffff6f37) at js/src/wasm/AsmJS.cpp:7151
#16 0x000055555915ed75 in js::CompileAsmJS (fc=0x7fffffff9758, parserAtoms=..., parser=..., stmtList=0x7ffff76d9220,
    validated=0x7fffffff6f37) at js/src/wasm/AsmJS.cpp:7174
#17 0x0000555558543db3 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS (this=0x7fffffff90b0, list=0x7ffff76d9220)
    at js/src/frontend/Parser.cpp:3844
#18 0x0000555558527365 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::asmJS (this=0x7fffffff90b0,
    list=0x7ffff76d9220) at js/src/frontend/Parser.cpp:3857
#19 0x00005555585272e0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::maybeParseDirective (
    this=0x7fffffff90b0, list=0x7ffff76d9220, possibleDirective=0x7ffff76d9290, cont=0x7fffffff705e)
    at js/src/frontend/Parser.cpp:3972
#20 0x0000555558518402 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7fffffff90b0,
    yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:4050
#21 0x0000555558523dda in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody (this=0x7fffffff90b0,
    inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement,
    type=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::StatementListBody)
    at js/src/frontend/Parser.cpp:2419
#22 0x00005555585228c1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (
    this=0x7fffffff90b0, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, funNode=0x7fffffff73b8,
    kind=js::frontend::FunctionSyntaxKind::Statement, parameterListEnd=..., isStandaloneFunction=false)
    at js/src/frontend/Parser.cpp:3564
#23 0x00005555585220dd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunctionForFunctionBox (
    this=0x7fffffff90b0, funNode=0x7ffff76d9060, outerpc=0x7fffffff7e10, funbox=0x7ffff76d9128, inHandling=js::frontend::InAllowed,
    yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, newDirectives=0x7fffffff78fc)
    at js/src/frontend/Parser.cpp:3259
#24 0x0000555558543bff in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunction (this=0x7fffffff90b0,
    funNode=0x7ffff76d9060, outerpc=0x7fffffff7e10, explicitName=..., flags=..., toStringStart=1, inHandling=js::frontend::InAllowed,
    yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement,
    generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false,
    inheritedDirectives=..., newDirectives=0x7fffffff78fc) at js/src/frontend/Parser.cpp:3294
#25 0x0000555558519e46 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (
    this=0x7fffffff90b0, funNode=0x7fffffff7908, explicitName=..., flags=..., toStringStart=1, inHandling=js::frontend::InAllowed,
    yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement,
    generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false,
    inheritedDirectives=..., newDirectives=0x7fffffff78fc) at js/src/frontend/Parser.cpp:3198
#26 0x0000555558519898 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (
    this=0x7fffffff90b0, funNode=0x7fffffff7908, explicitName=..., flags=..., toStringStart=1, inHandling=js::frontend::InAllowed,
    yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement,
    generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false,
    inheritedDirectives=..., newDirectives=0x7fffffff78fc) at js/src/frontend/Parser.cpp:3236
#27 0x0000555558525dd9 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionDefinition (this=0x7fffffff90b0,
    funNode=0x7ffff76d9060, toStringStart=1, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, funName=...,
    kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator,
    asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false) at js/src/frontend/Parser.cpp:3065
#28 0x000055555851c647 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionStmt (this=0x7fffffff90b0,
    toStringStart=1, yieldHandling=js::frontend::YieldIsName, defaultHandling=js::frontend::NameRequired,
    asyncKind=js::FunctionAsyncKind::SyncFunction) at js/src/frontend/Parser.cpp:3733
#29 0x000055555851af68 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=0x7fffffff90b0,
    yieldHandling=js::frontend::YieldIsName, canHaveDirectives=true) at js/src/frontend/Parser.cpp:9591
#30 0x00005555585182ad in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7fffffff90b0,
    yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:4027
#31 0x000055555857416f in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7fffffff90b0,
    globalsc=0x7fffffff8488) at js/src/frontend/Parser.cpp:1841
#32 0x0000555558608101 in ScriptCompiler<char16_t>::compile (this=0x7fffffff87c0, maybeCx=0x7ffff763d200, sc=0x7fffffff8488)
    at js/src/frontend/BytecodeCompiler.cpp:964
#33 0x00005555585e1a51 in CompileGlobalScriptToStencilAndMaybeInstantiate<char16_t> (maybeCx=0x7ffff763d200, fc=0x7fffffff9758,
    tempLifoAlloc=..., input=..., scopeCache=0x7fffffff9748, srcBuf=..., scopeKind=js::ScopeKind::Global, maybeExtraBindings=0x0,
    output=...) at js/src/frontend/BytecodeCompiler.cpp:336
#34 0x00005555585aa571 in CompileGlobalScriptToStencilImpl<char16_t> (maybeCx=0x7ffff763d200, fc=0x7fffffff9758, tempLifoAlloc=...,
    input=..., scopeCache=0x7fffffff9748, srcBuf=..., scopeKind=js::ScopeKind::Global)
    at js/src/frontend/BytecodeCompiler.cpp:407
#35 0x00005555585aa4a7 in js::frontend::CompileGlobalScriptToStencil (cx=0x7ffff763d200, fc=0x7fffffff9758, tempLifoAlloc=..., input=...,
    scopeCache=0x7fffffff9748, srcBuf=..., scopeKind=js::ScopeKind::Global)
    at js/src/frontend/BytecodeCompiler.cpp:419
#36 0x00005555586b2d6a in CompileGlobalScriptToStencilImpl<char16_t> (cx=0x7ffff763d200, options=..., srcBuf=...)
    at js/src/frontend/Stencil.cpp:5443
#37 0x00005555586b2bc0 in JS::CompileGlobalScriptToStencil (cx=0x7ffff763d200, options=..., srcBuf=...)
    at js/src/frontend/Stencil.cpp:5463
#38 0x00005555578c6fee in Evaluate (cx=0x7ffff763d200, argc=2, vp=0x7ffff56e9098) at js/src/shell/js.cpp:2680
#39 0x0000555557ab5f3c in CallJSNative (cx=0x7ffff763d200, native=0x5555578c5780 <Evaluate(JSContext*, unsigned int, JS::Value*)>,
    reason=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:479
#40 0x0000555557a8c353 in js::InternalCallOrConstruct (cx=0x7ffff763d200, args=..., construct=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:573
#41 0x0000555557a8cad9 in InternalCall (cx=0x7ffff763d200, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:640
#42 0x0000555557a8c913 in js::CallFromStack (cx=0x7ffff763d200, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:645
#43 0x0000555557a9b16f in js::Interpret (cx=0x7ffff763d200, state=...) at js/src/vm/Interpreter.cpp:3060
#44 0x0000555557a8bd35 in MaybeEnterInterpreterTrampoline (cx=0x7ffff763d200, state=...)
    at js/src/vm/Interpreter.cpp:393
#45 0x0000555557a8b9e1 in js::RunScript (cx=0x7ffff763d200, state=...) at js/src/vm/Interpreter.cpp:451
#46 0x0000555557a8df21 in js::ExecuteKernel (cx=0x7ffff763d200, script=..., envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:838
#47 0x0000555557a8e29c in js::Execute (cx=0x7ffff763d200, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:870
#48 0x0000555557c8ba4f in ExecuteScript (cx=0x7ffff763d200, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#49 0x0000555557c8bb75 in JS_ExecuteScript (cx=0x7ffff763d200, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#50 0x00005555578ec06f in RunFile (cx=0x7ffff763d200, filename=0x7ffff76045c0 "crash.js",
    file=0x7ffff776aa60, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1199
#51 0x00005555578eb93c in Process (cx=0x7ffff763d200, filename=0x7ffff76045c0 "crash.js",
    forceTTY=false, kind=FileScript) at js/src/shell/js.cpp:1778
#52 0x00005555578c4571 in ProcessArgs (cx=0x7ffff763d200, op=0x7fffffffdd30) at js/src/shell/js.cpp:11112
#53 0x00005555578b2fc3 in Shell (cx=0x7ffff763d200, op=0x7fffffffdd30) at js/src/shell/js.cpp:11371
#54 0x00005555578ade24 in main (argc=3, argv=0x7fffffffdf98) at js/src/shell/js.cpp:11879
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core

This does not reproduce with the latest debug js shell from FTP (2015-10-21) but reproduces with m-c rev a5887514ddfb (Feb 2022).

I'm going to take a guess: since JIT is all over the stack but wasm is also involved, I'll set a needinfo? on Jan to take a look first, and add Ryan on cc.

Flags: needinfo?(jdemooij)

CallSiteDesc has 28 bits for the lineOrBytecode_ field. Here the line number is larger than that field can hold, so the assertion fails.

We do check MAX_LINE_OR_BYTECODE_VALUE in appendCallSiteLineNumber, but that probably isn't called on this path?

Component: JavaScript Engine: JIT → JavaScript: WebAssembly
Flags: needinfo?(jdemooij) → needinfo?(rhunt)
Severity: -- → S3
Priority: -- → P2