Closed
Bug 1352500
Opened 7 years ago
Closed 7 years ago
Hit MOZ_CRASH(ARM simulator breakpoint) at js/src/jit/arm/Simulator-arm.cpp:3185 with asm.js
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: decoder, Assigned: bbouvier)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
|
3.23 KB,
patch
|
luke
:
review+
gchang
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 8df9fabf2587 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --arm-hwcap=vfp --ion-offthread-compile=off):
function asmCompile() {
var f = Function.apply(null, arguments);
return f;
}
setJitCompilerOption('asmjs.atomics.enable', 1);
var m1 = asmCompile("stdlib", "ffi", "heap", `
"use asm";
var i8 = new stdlib.Int8Array(heap);
var add = stdlib.Atomics.add;
function f() {
add(i8, 0, 1);
}
return { f:f }
`);
var { f } = m1(this, {}, new SharedArrayBuffer(65536));
f();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x08513288 in js::jit::Simulator::decodeType01 (this=0xf7968000, instr=0x5ace2028) at js/src/jit/arm/Simulator-arm.cpp:3185
#0 0x08513288 in js::jit::Simulator::decodeType01 (this=0xf7968000, instr=0x5ace2028) at js/src/jit/arm/Simulator-arm.cpp:3185
#1 0x0850fdba in js::jit::Simulator::instructionDecode (this=0xf7968000, instr=0x5ace2028) at js/src/jit/arm/Simulator-arm.cpp:4687
#2 0x0851390a in js::jit::Simulator::execute<false> (this=0xf7968000) at js/src/jit/arm/Simulator-arm.cpp:4760
#3 js::jit::Simulator::callInternal (this=0xf7968000, entry=0x5ace2068 "\004\340-\345\360\037-\351\020\212", <incomplete sequence \355>) at js/src/jit/arm/Simulator-arm.cpp:4848
#4 0x08513bf1 in js::jit::Simulator::call (this=<optimized out>, entry=0x5ace2068 "\004\340-\345\360\037-\351\020\212", <incomplete sequence \355>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4931
#5 0x08929790 in js::wasm::Instance::callExport (this=0xf5175280, cx=0xf791d000, funcIndex=4097, args=...) at js/src/wasm/WasmInstance.cpp:655
#6 0x0892a1ec in WasmCall (cx=0xf791d000, argc=0, vp=0xf5056058) at js/src/wasm/WasmJS.cpp:1114
#7 0x0817a537 in js::CallJSNative (cx=0xf791d000, native=0x892a140 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:282
[...]
#21 main (argc=5, argv=0xffffcda4, envp=0xffffcdbc) at js/src/shell/js.cpp:8664
eax 0x0 0
ebx 0x8cdfff4 147718132
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0x8cdfff4 147718132
edi 0xf7da3df8 -136692232
ebp 0xffffbd58 4294950232
esp 0xffffbd00 4294950144
eip 0x8513288 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+5112>
=> 0x8513288 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+5112>: movl $0x0,0x0
0x8513292 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+5122>: ud2
This seems pretty much identical to bug 1350552 but still reproduces on tip.
|
Assignee | |
Comment 1•7 years ago
|
||
|
||
Updated•7 years ago
|
Attachment #8853487 -
Flags: review?(luke) → review+
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/26c12944db87 Baldr: Force stack alignment for asm.js atomics callouts on ARM; r=luke
|
||
Comment 3•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/26c12944db87
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Comment 4•7 years ago
|
||
At the risk of repeating myself, Tier3 (ARMv6) bugs really ought not be labeled critical.
|
Reporter | |
Comment 5•7 years ago
|
||
(In reply to Lars T Hansen [:lth] from comment #4) > At the risk of repeating myself, Tier3 (ARMv6) bugs really ought not be > labeled critical. We file bugs with templates and the default template has "critical" for the severity because that has always been the standard severity for JS bugs. We often cannot determine is something is Tier1 or Tier3 so this should be changed by JS triage when appropriate.
|
||
Comment 6•7 years ago
|
||
Should we consider backporting this or can it ride the trains?
Blocks: 1277973
status-firefox52:
--- → wontfix
status-firefox53:
--- → affected
status-firefox54:
--- → affected
status-firefox-esr52:
--- → disabled
Flags: needinfo?(bbouvier)
|
|
Assignee | |
Comment 8•7 years ago
|
||
Comment on attachment 8853487 [details] [diff] [review] setperformcall.patch Approval Request Comment [Feature/Bug causing the regression]: atomics in asm.js [User impact if declined]: crashes on tier-3 platforms (arm v6) [Is this code covered by automated tests?]: no [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: not much [Why is the change risky/not risky?]: patch is only a few lines of code [String changes made/needed]: n/a
Attachment #8853487 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•7 years ago
|
|
||
Comment 9•7 years ago
|
||
Comment on attachment 8853487 [details] [diff] [review] setperformcall.patch We can take this in Aurora to fix crashes on tier-3 platforms. Aurora54+.
Attachment #8853487 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 10•7 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/e99180e4d046
You need to log in
before you can comment on or make changes to this bug.
Description
•