Bug 1349871 - [wasm] Assertion failure: profilingReturn_ < end_, at js/src/wasm/WasmCode.cpp:350
Status: RESOLVED FIXED (Closed)
Opened 8 years ago; closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla55
People: Reporter: gkw, Assigned: bbouvier
Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:]
Attachments (2 files):
  (deleted), text/plain
  (deleted), text/x-review-board-request; lth: review+; gchang: approval-mozilla-aurora+
The following testcase crashes on mozilla-central revision 7513b3f42058 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-always-baseline):
oomTest(Function(`
new WebAssembly.Module(wasmTextToBinary(\`
(module (func (result i32) (param f64) (param f32)
i64.const 0
get_local 0
drop
i32.wrap/i64
f64.const 0
f64.const 0
i32.const 0
select
f32.const 0
f32.const 0
f32.const 0
i32.const 0
select
i32.const 0
i32.const 0
i32.const 0
select
select
drop
drop
))
\`))
`))
Backtrace:
/snip
For detailed crash information, see attachment.
Comment 1 • 8 years ago (Reporter)
Comment 2 • 8 years ago (Reporter)
Backtrace:
#0 0x0000000000cdc448 in js::wasm::CodeRange::CodeRange (this=<optimized out>, funcIndex=<optimized out>, funcLineOrBytecode=<optimized out>, offsets=...) at js/src/wasm/WasmCode.cpp:350
#1 0x0000000000d54195 in mozilla::detail::VectorImpl<js::wasm::CodeRange, 0ul, js::SystemAllocPolicy, true>::new_<unsigned int, unsigned int, js::wasm::FuncOffsets&>(js::wasm::CodeRange*, unsigned int&&, unsigned int&&, js::wasm::FuncOffsets&) (aDst=<optimized out>) at /home/skydbootxps/shell-cache/js-dbg-64-linux-7513b3f42058/objdir-js/dist/include/mozilla/Vector.h:171
#2 mozilla::Vector<js::wasm::CodeRange, 0ul, js::SystemAllocPolicy>::emplaceBack<unsigned int, unsigned int, js::wasm::FuncOffsets&>(unsigned int&&, unsigned int&&, js::wasm::FuncOffsets&) (this=<optimized out>) at /home/skydbootxps/shell-cache/js-dbg-64-linux-7513b3f42058/objdir-js/dist/include/mozilla/Vector.h:697
#3 js::wasm::ModuleGenerator::finishTask (this=this@entry=0x7ffe99786ab0, task=0x7f4aa9240000) at js/src/wasm/WasmGenerator.cpp:472
#4 0x0000000000d54c47 in js::wasm::ModuleGenerator::launchBatchCompile (this=this@entry=0x7ffe99786ab0) at js/src/wasm/WasmGenerator.cpp:960
#5 0x0000000000d54d0d in js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7ffe99786ab0) at js/src/wasm/WasmGenerator.cpp:1005
/snip
Summary: Assertion failure: profilingReturn_ < end_, at js/src/wasm/WasmCode.cpp:350 → [wasm] Assertion failure: profilingReturn_ < end_, at js/src/wasm/WasmCode.cpp:350
Comment 3 • 8 years ago (Reporter)
This is the first bug found from the experimental combination of the jsfunfuzz and awsm fuzzers. :)
Comment 4 • 8 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/958074f3b830
user: Dan Gohman
date: Fri Sep 23 09:13:15 2016 -0500
summary: Bug 1287220 - Baldr: update to binary version 0xc (r=luke)
Not sure if this is directly related. Benjamin, is bug 1287220 a likely regressor?
Flags: needinfo?(bbouvier)
Updated • 8 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 5 • 8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 6 • 8 years ago (Assignee)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/958074f3b830
> user: Dan Gohman
> date: Fri Sep 23 09:13:15 2016 -0500
> summary: Bug 1287220 - Baldr: update to binary version 0xc (r=luke)
>
> Not sure if this is directly related. Benjamin, is bug 1287220 a likely
> regressor?
No, this commit introduces binary format changes, unrelated to this bug. I think the issue gets back to the start of the baseline compiler, which is trunk only at the moment.
Flags: needinfo?(bbouvier)
Comment hidden (mozreview-request)
Comment 8 • 8 years ago (mozreview-review)
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;
https://reviewboard.mozilla.org/r/123042/#review125342
I'm surprised that this is not caught higher up, but I've no objections to placing the check in the baseline compiler. If it were me, I'd probably place it in emitFunction(), though, not in endFunction().
Attachment #8850450 -
Flags: review?(lhansen) → review+
Comment 9 • 8 years ago (Assignee, mozreview-review-reply)
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;
https://reviewboard.mozilla.org/r/123042/#review125342
Thanks for the review! If the location of the check is just personal preference, I'll keep it in endFunction() where all the other final references to masm are; masm doesn't appear at all in emitFunction().
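The failure mode discussed in comments 8 and 9, as an added example that is not SpiderMonkey's code: a mock assembler (MockMasm, emitFunction, FuncOffsets and CodeRange are all hypothetical stand-ins, not the real js/src/wasm types) whose sticky OOM flag stops further emission, so every offset recorded after the failed allocation collapses onto the same value and the range invariant profilingReturn < end that the real assertion guards no longer holds. The unchecked emitter hands such a range downstream; the checked one consults the assembler's OOM flag at the end of codegen, in the spirit of the one-line fix, and bails out instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <vector>

// Hypothetical stand-in for an assembler buffer (not SpiderMonkey's MacroAssembler).
// Once an allocation fails the OOM flag is sticky and nothing further is emitted,
// so any offset read after that point no longer reflects real emitted code.
class MockMasm {
 public:
  explicit MockMasm(size_t capacity) : capacity_(capacity) {}

  // Emit n bytes of filler; a buffer overrun models a failed reallocation.
  void emit(size_t n) {
    if (oom_) return;
    if (bytes_.size() + n > capacity_) {
      oom_ = true;
      return;
    }
    bytes_.resize(bytes_.size() + n, 0x90);
  }

  uint32_t currentOffset() const { return static_cast<uint32_t>(bytes_.size()); }
  bool oom() const { return oom_; }

 private:
  std::vector<uint8_t> bytes_;
  size_t capacity_;
  bool oom_ = false;
};

// Hypothetical offsets recorded while emitting one function.
struct FuncOffsets {
  uint32_t begin = 0;
  uint32_t profilingReturn = 0;
  uint32_t end = 0;
};

// Hypothetical code range; valid() is the invariant the real assertion checks
// (profilingReturn must lie strictly inside [begin, end)).
struct CodeRange {
  uint32_t funcIndex;
  FuncOffsets offsets;
  bool valid() const {
    return offsets.begin < offsets.profilingReturn &&
           offsets.profilingReturn < offsets.end;
  }
};

// Emits prologue, body, profiling return and epilogue, recording offsets as it goes.
static FuncOffsets emitBody(MockMasm& masm, size_t bodyBytes) {
  FuncOffsets off;
  off.begin = masm.currentOffset();
  masm.emit(8);                         // prologue
  masm.emit(bodyBytes);                 // function body (where OOM may strike)
  off.profilingReturn = masm.currentOffset();
  masm.emit(4);                         // profiling return sequence
  masm.emit(4);                         // epilogue
  off.end = masm.currentOffset();
  return off;
}

// Before the fix: the range is constructed from whatever offsets were recorded,
// even when the assembler silently stopped emitting.
CodeRange emitFunctionUnchecked(MockMasm& masm, uint32_t funcIndex, size_t bodyBytes) {
  return CodeRange{funcIndex, emitBody(masm, bodyBytes)};
}

// After the fix: check the assembler's OOM flag at the end of codegen and
// report failure rather than building a range that violates the invariant.
std::optional<CodeRange> emitFunction(MockMasm& masm, uint32_t funcIndex, size_t bodyBytes) {
  FuncOffsets off = emitBody(masm, bodyBytes);
  if (masm.oom()) return std::nullopt;
  return CodeRange{funcIndex, off};
}

int main() {
  MockMasm plenty(1024);
  auto ok = emitFunction(plenty, 0, 32);
  std::cout << "normal: " << (ok && ok->valid() ? "valid range" : "failed") << "\n";

  MockMasm tiny(16);  // room for the prologue but not the 32-byte body
  CodeRange bogus = emitFunctionUnchecked(tiny, 0, 32);
  std::cout << "oom, unchecked: profilingReturn=" << bogus.offsets.profilingReturn
            << " end=" << bogus.offsets.end
            << (bogus.valid() ? "" : "  (invariant violated)") << "\n";

  MockMasm tiny2(16);
  auto checked = emitFunction(tiny2, 0, 32);
  std::cout << "oom, checked: " << (checked ? "range built" : "bailed out") << "\n";
  return 0;
}
```

With the 16-byte buffer the body allocation fails, so profilingReturn and end both read 8 and the unchecked path yields a range with profilingReturn == end; that is the shape the assertion in the bug catches. The checked path returns nothing, which is the behaviour the review settled on, with the check living wherever the last references to the assembler are.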
Comment 10 • 8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> This is the first bug found from the experimental combination of the
> jsfunfuzz and awsm fuzzers. :)
https://www.youtube.com/watch?v=9nazm3_OXac
Updated • 8 years ago (Assignee)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Comment 11 • 8 years ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/88cb0385ced6
Check for masm OOM at the end of baseline codegen; r=lth
Comment 12 • 8 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated • 8 years ago
status-firefox52: --- → disabled
status-firefox53: --- → disabled
status-firefox54: --- → disabled
status-firefox-esr52: --- → disabled
Comment 14 • 8 years ago (Reporter)
Can we please backport this to aurora? It will be nice to fix it for fuzzing reasons.
Flags: needinfo?(bbouvier)
Comment 15 • 8 years ago (Assignee)
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;
Approval Request Comment
[Feature/Bug causing the regression]: wasm baseline compiler (bug 1232205)
[User impact if declined]: harder fuzzing
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: nope
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not much
[Why is the change risky/not risky?]: conservative 1 line fix
[String changes made/needed]: none
Flags: needinfo?(bbouvier)
Attachment #8850450 -
Flags: approval-mozilla-aurora?
Updated • 8 years ago
Comment 16 • 8 years ago
Comment on attachment 8850450 [details]
Bug 1349871: Check for masm OOM at the end of baseline codegen;
Fix an assertion failure related to wasm. Aurora54+.
Attachment #8850450 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 17 • 8 years ago (bugherder uplift)
Flags: in-testsuite+