Closed
Bug 916770
Opened 11 years ago
Closed 5 years ago
Odinmonkey: ARM constant pool failures
Categories
(Core :: JavaScript: WebAssembly, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: dougc, Unassigned)
Details
There are some jit-test failures that appear to be caused by issues with the constant pools on the ARM backend. They fail on JS_ASSERT(label->used()) but the label use was skipped due to an OOM being flagged by a bail-out from a constant pool failure. --ion-eager --ion-check-range-analysis tests/jaeger/testSetTypedFloatArray.js --ion-eager tests/jaeger/testSetTypedIntArray.js --ion-eager --ion-check-range-analysis tests/jaeger/testSetTypedIntArray.js [Pools] [0] Inserting instruction(5692) caused a spill [Pools] [0] Attempting to dump the pool [Pools] [0] Dumping 36 bytes [Pools] [0] Pushing entry 0 in pool 0 into the backwards section. [Pools] [0] Entry 0 in pool 1 is before the pool. [Pools] [0] Fixing offset to 288 [Pools] [0] Pushing entry 1 in pool 1 into the backwards section. [Pools] [0] Pushing entry 2 in pool 1 into the backwards section. [Pools] [0] Pushing entry 3 in pool 1 into the backwards section. [Pools] [0] Pushing entry 4 in pool 1 into the backwards section. [Pools] [0] Pushing entry 5 in pool 1 into the backwards section. [Pools] [0] Finishing pool 0 [Pools] [0] Linking entry 5 in pool 1 [Pools] [0] Fixing offset to -2520 [Pools] [0] Linking entry 4 in pool 1 [Pools] [0] Fixing offset to -1540 [Pools] [0] Linking entry 3 in pool 1 [Pools] [0] Fixing offset to -1528 [Pools] [0] Linking entry 2 in pool 1 [Pools] [0] Fixing offset to -1520 [Pools] [0] Linking entry 1 in pool 1 [Pools] [0] Fixing offset to -584 [Pools] [0] Linking entry 0 in pool 0 [Pools] [0] Fixing offset to -1788 [Pools] [0]***Offset was still out of range!*** [Pools] [0] Too complicated; bailingp --ion-eager --ion-check-range-analysis tests/collections/Map-get.js [Pools] [0] Inserting instruction(36804) caused a spill [Pools] [0] Attempting to dump the pool [Pools] [0] Dumping 60 bytes [Pools] [0] Pushing entry 0 in pool 0 into the backwards section. [Pools] [0] Pushing entry 1 in pool 0 into the backwards section. [Pools] [0] Pushing entry 2 in pool 0 into the backwards section. [Pools] [0] Pushing entry 3 in pool 0 into the backwards section. [Pools] [0] Pushing entry 4 in pool 0 into the backwards section. [Pools] [0] Pushing entry 5 in pool 0 into the backwards section. [Pools] [0] Entry 0 in pool 1 is before the pool. [Pools] [0] Fixing offset to 936 [Pools] [0] Finishing pool 5 [Pools] [0] Linking entry 5 in pool 0 [Pools] [0] Fixing offset to -2524 [Pools] [0]***Offset was still out of range!*** [Pools] [0] Too complicated; bailingp There is a hack patch to address a corner case in bug 906964, but the errors seen here are not just corner cases, and appear to be a long way out of range.
Reporter | ||
Comment 1•11 years ago
|
||
A reduced failing test: testSetTypedFloatArray.js: function testSetTypedFloat64Array(k) { var ar = new Float64Array(8); ar[k] = 1; ar[k+2] = "3"; } for (var i = 0; i <= 10; i++) { testSetTypedFloat64Array(0); } js --ion-eager --ion-check-range-analysis -f testSetTypedFloatArray.js
Reporter | ||
Comment 2•11 years ago
|
||
The reduced test in comment 1 was no longer crashing here, but the original testSetTypedFloatArray.js jit-test did. There is an alternative reduced test: testSetTypedIntArray.js: function testSetTypedUint32Array(k) { var ar = new Uint32Array(8); ar[5] = { }; ar[6] = ar; ar[4] = 800 * 800 * 800 * 800 * 800; var t = k + 555; var L = ar[k+7] = t + 5; ar[0] = 12.3; ar[8] = 500; ar[k+8] = 1200; ar[k+1] = 1; ar[k+3] = 1; assertEq(ar[0], 12); assertEq(ar[1], 1); assertEq(ar[3], 1); assertEq(ar[4], 4060086272); assertEq(ar[8], undefined); } for (var i = 0; i <= 1; i++) { testSetTypedUint32Array(0); } js --ion-eager -f testSetTypedIntArray.js The IONFLAGS=pools output: [Pools] [0] Linking entry 8 in pool 1 [Pools] [0] Fixing offset to -352 [Pools] [0] Linking entry 7 in pool 1 [Pools] [0] Fixing offset to -336 [Pools] [0] Linking entry 6 in pool 1 [Pools] [0] Fixing offset to -312 [Pools] [0] Linking entry 5 in pool 1 [Pools] [0] Fixing offset to -272 [Pools] [0] Linking entry 4 in pool 1 [Pools] [0] Fixing offset to -260 [Pools] [0] Linking entry 3 in pool 1 [Pools] [0] Fixing offset to -252 [Pools] [0] Linking entry 2 in pool 1 [Pools] [0] Fixing offset to -236 [Pools] [0] Linking entry 1 in pool 1 [Pools] [0] Fixing offset to -184 [Pools] [0] Linking entry 2 in pool 0 [Pools] [0] Fixing offset to -1032 [Pools] [0]***Offset was still out of range!*** [Pools] [0] Too complicated; bailingp
Assignee | ||
Updated•10 years ago
|
Assignee: general → nobody
Comment 3•6 years ago
|
||
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Updated•6 years ago
|
Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
Updated•5 years ago
|
Component: JavaScript Engine → Javascript: WebAssembly
Comment 4•5 years ago
•
|
||
We now test Spidermonkey on real and simulated ARM devices in automation, so this would now fail hard during testing (I hope!). Also I recall we fixed some ARM constant pools bugs a few years ago, so we should be fine. Closing.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 5 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•