Bug 1529559 Comment 0 Edit History

The following testcase crashes on mozilla-central revision bf3951daded0+ (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-jemalloc --disable-debug, run with --fuzzing-safe --cpu-count=2 --ion-osr=off --ion-offthread-compile=off --enable-streams --disable-oom-functions --ion-warmup-threshold=100):

    See attachment.


Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  js::jit::PatchJump (jump_=..., label=...) at js/src/jit/arm64/Assembler-arm64.cpp:377
    #1  0x0000aaaafcc0264c in js::jit::IonCacheIRCompiler::compile (this=0xffffe6f37de0) at js/src/jit/IonCacheIRCompiler.cpp:632
    #2  0x0000aaaafcc0c228 in js::jit::IonIC::attachCacheIRStub (this=0xaaab1fc8f3c0, cx=<optimized out>, writer=..., kind=<optimized out>, ionScript=<optimized out>, attached=0xffffe6f391c4, typeCheckInfo=0x0) at js/src/jit/IonCacheIRCompiler.cpp:2570
    #3  0x0000aaaafcc1a8b8 in js::jit::IonGetPropertyIC::update (cx=0xaaab1faa6ab0, outerScript=..., ic=<optimized out>, val=..., idVal=..., res=...) at js/src/jit/IonIC.cpp:149
    #4  0x00003e14b9117540 in ?? ()
    #5  0x0000ffffe6f396e0 in ?? ()
    Backtrace stopped: previous frame inner to this frame (corrupt stack?)
    x0	0x0	0
    x1	0xb91587c8	68258725464008
    x2	0x0	0
    x3	0xc38b4be0	68258900954080
    x4	0xe6f38329	281474556461865
    x5	0xc38b4c41	68258900954177
    x6	0xc8	200
    x7	0xc8	200
    x8	0x0	0
    x9	0xfe05b440	187651382948928
    x10	0xfd1b8ce0	187651367603424
    x11	0x179	377
    x12	0x0	0
    x13	0xe6f38118	281474556461336
    x14	0x0	0
    x15	0x400	1024
    x16	0xfd4f0358	187651370976088
    x17	0xe74790	281462106965904
    x18	0x1fff	8191
    x19	0xb91587c8	68258725464008
    x20	0xc38b4bd4	68258900954068
    x21	0x1345a20	281462112016928
    x22	0xe6f38ea8	281474556464808
    x23	0xfd1c0aec	187651367635692
    x24	0x14c	332
    x25	0x1	274877906945
    x26	0x1	1
    x27	0x1345a20	281462112016928
    x28	0xe6f39290	281474556465808
    x29	0xe6f37cd0	281474556460240
    x30	0xfcafa154	187651360530772
    sp	0xe6f37cc0	281474556460224
    pc	0xaaaafcafa188 <js::jit::PatchJump(js::jit::CodeLocationJump&, js::jit::CodeLocationLabel)+92>
    cpsr	[ EL=0 C N ]
    fpcsr	void
    fpcr	0x0	0
    => 0xaaaafcafa188 <js::jit::PatchJump(js::jit::CodeLocationJump&, js::jit::CodeLocationLabel)+92>:	str	w11, [x8]
       0xaaaafcafa18c <js::jit::PatchJump(js::jit::CodeLocationJump&, js::jit::CodeLocationLabel)+96>:	bl	0xaaaafc5c3608 <abort()>


This requires native ARM64 and the patch from bug 1528869 to enable ARM64 Ion in the JS shell. Unfortunately, reducing the test makes it highly intermittent. Sean, if you could figure out where the intermittent behavior is coming from when fixing this, that would be a great bonus.

Marking s-s because this will likely be security-sensitive once we enable the ARM64 JIT.
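The register state and faulting instruction quoted above can be triaged mechanically. The script below is added analysis, not part of the bug report: it parses a constructed excerpt of the gdb output shown above and checks whether the faulting `str` is the MOZ_CRASH expansion (a store of the source line number through a null pointer, followed by `bl abort`), which is what the dump shows here: x8 is 0 and w11 holds 0x179 = 377, the line in Assembler-arm64.cpp named by frame #0. That identifies the crash site as a deliberate release-mode assertion in PatchJump rather than a wild write, which is useful when rating an s-s fuzz bug, though it says nothing about the severity of the underlying jump-patching bug; the regexes assume gdb's tab-separated register and disassembly layout as quoted.

```python
import re

# Constructed excerpt of the gdb output quoted in the report: frame #0,
# the two registers involved, and the two instructions at the faulting pc.
GDB_DUMP = """\
#0  js::jit::PatchJump (jump_=..., label=...) at js/src/jit/arm64/Assembler-arm64.cpp:377
x8\t0x0\t0
x11\t0x179\t377
=> 0xaaaafcafa188 <js::jit::PatchJump(js::jit::CodeLocationJump&, js::jit::CodeLocationLabel)+92>:\tstr\tw11, [x8]
   0xaaaafcafa18c <js::jit::PatchJump(js::jit::CodeLocationJump&, js::jit::CodeLocationLabel)+96>:\tbl\t0xaaaafc5c3608 <abort()>
"""

FRAME0_RE = re.compile(r"^#0\s+.*\sat\s+(\S+):(\d+)\s*$")
REG_RE = re.compile(r"^(x\d+|sp|pc)\t(0x[0-9a-f]+)\t")
INSN_RE = re.compile(r"^(=>)?\s*0x[0-9a-f]+\s+<[^>]*>:\t(\w+)\t(.*)$")
STORE_RE = re.compile(r"^w(\d+), \[x(\d+)\]$")  # 32-bit store, base register, no offset

def parse_dump(text):
    """Pull frame #0 as (file, line), register values, and the listed instructions."""
    frame0, regs, insns = None, {}, []
    for line in text.splitlines():
        if m := FRAME0_RE.match(line):
            frame0 = (m.group(1), int(m.group(2)))
        elif m := REG_RE.match(line):
            regs[m.group(1)] = int(m.group(2), 16)
        elif m := INSN_RE.match(line):
            insns.append((m.group(1) == "=>", m.group(2), m.group(3)))
    return frame0, regs, insns

def classify(text):
    """'moz-crash' for the MOZ_CRASH pattern (line number stored through a null
    base, then bl abort), 'null-deref' for any other store via a zero base, else 'other'."""
    frame0, regs, insns = parse_dump(text)
    at_pc = [i for i, (current, _, _) in enumerate(insns) if current]
    if not at_pc:
        return "other"
    i = at_pc[0]
    _, mnemonic, operands = insns[i]
    m = STORE_RE.match(operands) if mnemonic == "str" else None
    if m is None:
        return "other"
    src, base = f"x{m.group(1)}", f"x{m.group(2)}"
    if regs.get(base) != 0:
        return "other"
    followed_by_abort = (i + 1 < len(insns) and insns[i + 1][1] == "bl"
                         and "abort" in insns[i + 1][2])
    if frame0 and regs.get(src) == frame0[1] and followed_by_abort:
        return "moz-crash"
    return "null-deref"
```

`classify(GDB_DUMP)` returns `"moz-crash"` for the dump above; changing w11 to any value other than 377 turns it into a plain `"null-deref"`, and a non-zero x8 into `"other"`.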
The following testcase crashes on mozilla-central revision bf3951daded0+ (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-jemalloc --disable-debug, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-warmup-threshold=1):

    See attachment.
