Issue 639492

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




V8 crashes with WebAssembly imports that take i64 params

Project Member Reported by dschuff@chromium.org, Aug 19 2016

Issue description

If you compile the module:

(module
  (import $foo "env" "foo" (param i64 ))
)

and try to instantiate it in d8 with something like

  var ffi = {'env': {'foo': function() {}}};
  var instance = Wasm.instantiateModule(readbuffer(file_path), ffi, heap);

v8 will crash.
It doesn't seem to matter what kind of function 'foo' is on the JS side.

https://codereview.chromium.org/2254803002 seems like a likely culprit.

I got the following stack trace from my "debug" build, not super useful:

#
# Fatal error in ../../src/compiler/wasm-compiler.cc, line 2204
# Check failed: module_ && !module_->instance->context.is_null().
#

==== C stack trace ===============================

    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0x123922e]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0x1235436]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0x1031ba4]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0x1033d77]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0x1036080]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xc7ba54]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xc71fdb]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xc7152f]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xc6b646]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xc67cef]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xdd4060]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xe48295]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xe46e3b]
    /usr/local/google/home/dschuff/s/wasm-waterfall/src/work/v8/v8/out/Debug/d8() [0xe469a9]
    [0x5e9137063a7]
Received signal 4 ILL_ILLOPN 00000123cae2
Illegal instruction (core dumped)
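The reproduction above is written against d8's old `Wasm.instantiateModule` API. The following is an added example, not code from the bug report or from V8: it hand-assembles the same shape of module (an import `env.foo` taking one `i64`, plus a constructed `run` export that calls it with the constant 42 so the import wrapper is actually exercised) and drives it through the standard `WebAssembly` API with the import stubbed out. The point for a defender is the contract the fix restores: a module with an `i64` import is untrusted input, and the engine's only acceptable outcomes are a clean instantiation plus either a converted value or a catchable `TypeError`, never a fatal `Check failed` abort of the whole process. The bytes and the `probeI64Import` helper are assumptions of this example.

```javascript
// Constructed wasm binary (hand-assembled for this example) equivalent to:
//   (module
//     (import "env" "foo" (func $foo (param i64)))
//     (func (export "run") (call $foo (i64.const 42))))
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version 1
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7e, 0x00, 0x60, 0x00, 0x00, // type 0: (i64)->(), type 1: ()->()
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import section: module "env"
  0x03, 0x66, 0x6f, 0x6f, 0x00, 0x00,                         //   field "foo", kind func, type 0
  0x03, 0x02, 0x01, 0x01,                                     // function section: one func of type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,       // export "run" -> func index 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x42, 0x2a, 0x10, 0x00, 0x0b, // code: i64.const 42; call 0; end
]);

// Instantiates the module with a stub import and records what happens when the
// i64 import is called. Returns a plain summary object rather than throwing, so
// the caller can distinguish the acceptable outcomes from an engine failure.
function probeI64Import(bytes = MODULE_BYTES) {
  const outcome = {
    valid: WebAssembly.validate(bytes), // structural check before compiling
    instantiated: false,
    received: undefined,                // value the JS import saw (BigInt on modern engines)
    error: null,                        // constructor name of a thrown exception, if any
  };
  if (!outcome.valid) return outcome;
  try {
    const module = new WebAssembly.Module(bytes);
    const imports = { env: { foo: (x) => { outcome.received = x; } } };
    const instance = new WebAssembly.Instance(module, imports);
    outcome.instantiated = true;
    // Engines without BigInt/i64 integration throw a TypeError here instead of
    // converting the i64; that is the catchable path the V8 fix restores.
    instance.exports.run();
  } catch (e) {
    outcome.error = e.constructor.name;
  }
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(probeI64Import());
}
```

On a current V8/Node the import receives the BigInt `42n`; on engines from the pre-BigInt era the call to `run` raises a `TypeError` at the JS boundary. Both are in-process, catchable results, which is exactly what the `Check failed: module_ && !module_->instance->context.is_null()` abort in the report was not.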
 

Comment 1 by ahaas@chromium.org, Aug 23 2016

I have a fix for this problem (https://codereview.chromium.org/2262103002) but the CL is currently blocked by another CL. I hope that rossberg@ can help me with the other CL on Thursday. If you need this bug fixed sooner, I can provide a quick fix.
I don't think it's urgent. You can just land the fix when it's ready.
Project Member Comment 3 by bugdroid1@chromium.org, Aug 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/510246f6e23b2c5ff7319b9be2384f2285243f9e

commit 510246f6e23b2c5ff7319b9be2384f2285243f9e
Author: ahaas <ahaas@chromium.org>
Date: Tue Aug 30 12:45:46 2016

[wasm] Use the native_context for the TypeError in ToJS()

With this CL we use isolate->native_context() to provide a context for
the CEntryStub of the runtime call. The native_context() is sufficient
here because Runtime::kWasmThrowTypeError does not use the context.

R=titzer@chromium.org
TEST=mjsunit/wasm/ffi-error.js
BUG= chromium:639492 

Review-Url: https://codereview.chromium.org/2291043002
Cr-Commit-Position: refs/heads/master@{#39014}

[modify] https://crrev.com/510246f6e23b2c5ff7319b9be2384f2285243f9e/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/510246f6e23b2c5ff7319b9be2384f2285243f9e/test/mjsunit/wasm/ffi-error.js
[modify] https://crrev.com/510246f6e23b2c5ff7319b9be2384f2285243f9e/test/mjsunit/wasm/wasm-constants.js

Comment 4 by ahaas@chromium.org, Sep 8 2016

Status: Fixed (was: Assigned)
