Closed Bug 1039207 Opened 5 years ago Closed 5 years ago

Assertion failure: diffF == 0, at jit/arm/MacroAssembler-arm.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla33

People

(Reporter: gkw, Assigned: mjrosenb)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

Attached file stack
function f(y) {
    Math.fround(y)("" | 0)
};
try {
    f(0)
} catch (e) {}
f()

asserts js debug shell on m-c changeset 869971ad9fd6 with --ion-eager --ion-offthread-compile=off at Assertion failure: diffF == 0, at jit/arm/MacroAssembler-arm.cpp

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

Not sure if this is benign, so setting s-s first.
Flags: needinfo?(mrosenberg)
Flags: needinfo?(dtc-moz)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/651fde63cc76
user:        Marty Rosenberg
date:        Tue Jul 15 03:34:08 2014 -0400
summary:     bug 991153: Fix float32 on arm to handle aliased registers (r=jandem)

Marty, is bug 991153 a likely regressor?
Blocks: 991153
Flags: needinfo?(dtc-moz)
Looks like I missed one of the places where we explicitly iterate over a float register set.  Will re-post if I notice another place.
Attachment #8456921 - Flags: review?(dtc-moz)
Flags: needinfo?(mrosenberg)
this bug can lead to some interesting failures, but 100% of the failures should be of the form 'we loaded the wrong floating-point value'.  The stack never gets misaligned, and we never load a pointer from incorrect memory.
Group: core-security
Attachment #8456921 - Flags: review?(dtc-moz) → review+
https://hg.mozilla.org/mozilla-central/rev/cf53628c7ca8
Assignee: nobody → mrosenberg
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Duplicate of this bug: 1038653
You need to log in before you can comment on or make changes to this bug.