Assertion failure: k->wasmRefType() == l->wasmRefType(), at jit/ValueNumbering.cpp:59
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox137 | --- | unaffected |
| firefox138 | --- | unaffected |
| firefox139 | --- | fixed |
People
(Reporter: decoder, Assigned: bvisness)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(3 files)
The attached testcase crashes on mozilla-central revision 20250410-1ac598af5141 (build with debug, run with --fuzzing-safe --no-threads --wasm-compiler=optimized test.js).
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557f7cf23 in js::jit::ValueNumberer::VisibleValues::ValueHasher::match(js::jit::MDefinition*, js::jit::MDefinition const*) ()
#1 0x0000555558002458 in mozilla::detail::EntrySlot<js::jit::MDefinition* const> mozilla::detail::HashTable<js::jit::MDefinition* const, mozilla::HashSet<js::jit::MDefinition*, js::jit::ValueNumberer::VisibleValues::ValueHasher, js::jit::JitAllocPolicy>::SetHashPolicy, js::jit::JitAllocPolicy>::lookup<(mozilla::detail::HashTable<js::jit::MDefinition* const, mozilla::HashSet<js::jit::MDefinition*, js::jit::ValueNumberer::VisibleValues::ValueHasher, js::jit::JitAllocPolicy>::SetHashPolicy, js::jit::JitAllocPolicy>::LookupReason)1>(js::jit::MDefinition const* const&, unsigned int) const ()
#2 0x00005555580022f5 in mozilla::detail::HashTable<js::jit::MDefinition* const, mozilla::HashSet<js::jit::MDefinition*, js::jit::ValueNumberer::VisibleValues::ValueHasher, js::jit::JitAllocPolicy>::SetHashPolicy, js::jit::JitAllocPolicy>::lookupForAdd(js::jit::MDefinition const* const&) ()
#3 0x0000555557f7ec4c in js::jit::ValueNumberer::leader(js::jit::MDefinition*) ()
#4 0x0000555557f7f4bf in js::jit::ValueNumberer::visitDefinition(js::jit::MDefinition*) ()
#5 0x0000555557f80855 in js::jit::ValueNumberer::visitBlock(js::jit::MBasicBlock*) ()
#6 0x0000555557f80bae in js::jit::ValueNumberer::visitDominatorTree(js::jit::MBasicBlock*) ()
#7 0x0000555557f80ff3 in js::jit::ValueNumberer::visitGraph() ()
#8 0x0000555557f819fc in js::jit::ValueNumberer::run(js::jit::ValueNumberer::UpdateAliasAnalysisFlag) ()
#9 0x0000555557f43244 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#10 0x000055555828707d in js::wasm::IonCompileFunctions(js::wasm::CodeMetadata const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#11 0x000055555825bc30 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#12 0x000055555825d447 in js::wasm::ModuleGenerator::finishFuncDefs() ()
#13 0x0000555558232bcb in bool DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator>(js::wasm::CodeMetadata const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#14 0x0000555558232481 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::BytecodeBufferOrSource const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#15 0x0000555558293bf3 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#16 0x000055555704a335 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#28 0x0000555556eb7d7e in main ()
rax 0x0 0
rbx 0xf467f601 4100453889
rcx 0x3b 59
rdx 0x1 1
rsi 0x0 0
rdi 0x7ffff7bee7d0 140737349871568
rbp 0x7fffffff7ee0 140737488322272
rsp 0x7fffffff7eb0 140737488322224
r8 0x0 0
r9 0x3 3
r10 0x0 0
r11 0x0 0
r12 0x7ffff467f2d0 140737293841104
r13 0x7ffff467f2d0 140737293841104
r14 0x7ffff467f800 140737293842432
r15 0x7ffff467f6c8 140737293842120
rip 0x555557f7cf23 <js::jit::ValueNumberer::VisibleValues::ValueHasher::match(js::jit::MDefinition*, js::jit::MDefinition const*)+291>
=> 0x555557f7cf23 <_ZN2js3jit13ValueNumberer13VisibleValues11ValueHasher5matchEPNS0_11MDefinitionEPKS4_+291>: mov %rcx,(%rax)
0x555557f7cf26 <_ZN2js3jit13ValueNumberer13VisibleValues11ValueHasher5matchEPNS0_11MDefinitionEPKS4_+294>: callq 0x555556f52260 <abort>
Marking s-s because from the assert this looks like a potential type confusion.
|
Reporter | |
Comment 1•19 days ago
|
||
|
|
Reporter | |
Comment 2•19 days ago
|
||
|
|
Reporter | |
Updated•19 days ago
|
|
Assignee | |
Updated•19 days ago
|
|
|
Assignee | |
Comment 3•19 days ago
|
||
Here's a simpler repro:
const m = new WebAssembly.Module(wasmTextToBinary(`(module
(global $g (export "g") (mut funcref) ref.null func)
(func (;0;)
global.get $g
global.set $g
)
)`));
The assert that is failing is a new assert designed to catch issues caused by bug 1892721 and any follow-up optimizations, where two nodes with different wasm ref types are inadvertently marked congruent. This can indicate type confusion, but in this case the assert is benign. Both global.get and global.set produce an MWasmLoadGlobalCell, but one is getting type funcref while the other is getting no type at all. However, the nodes are completely congruent and this is merely a bookkeeping mistake that will not lead to wrong behavior in release builds.
I would recommend declassifying this.
|
||
Comment 4•19 days ago
|
||
Set release status flags based on info from the regressing bug 1892721
|
|
Assignee | |
Comment 5•19 days ago
|
||
The lack of ref types in some cases was tripping a new assert in GVN,
although the actual behavior of GVN was correct.
|
||
Updated•18 days ago
|
|
||
Comment 6•17 days ago
|
||
Unable to reproduce bug 1959720 using build mozilla-central 20250410092904-1ac598af5141. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 8•13 days ago
|
||
| bugherder | ||
Description
•