Closed Bug 1100237
Opened 11 years ago, closed 11 years ago

Assertion failure: memcmp(reinterpret_cast<void*>(instr), cache_page->cachedData(offset), SimInstruction::kInstrSize) == 0, at jit/arm/Simulator-arm.cpp

Categories: Core :: JavaScript Engine: JIT, defect
Status: VERIFIED FIXED (target milestone mozilla36)

| Tracking | Status | |
|---|---|---|
| firefox35 | --- | unaffected |
| firefox36 | --- | verified |
| firefox-esr31 | --- | unaffected |

People: Reporter: gkw, Assigned: luke

Attachments (2 files):
- 7.09 KB, text/plain
- 1.96 KB, patch (bbouvier: review+)
```js
// Random chosen test: js/src/jit-test/tests/asm.js/testResize.js
// Helpers: compile an asm.js module from its parameter names and body,
// and link it against the given globals, imports and heap buffer.
function asmCompile() {
    var f = Function.apply(null, arguments)
    return f
}
function asmLink(f) {
    ret = f.apply(null, Array.slice(arguments, 1))
    return ret
}
// Accessor for ArrayBuffer.prototype.byteLength, reached from the module as glob.byteLength.
byteLength = Function.prototype.call.bind(
    Object.getOwnPropertyDescriptor(ArrayBuffer.prototype, "byteLength").get
);
// asm.js module body; ch() is the change-heap function that validates the new
// buffer's length before swapping the heap (the code path patched at link time).
body = "\
\"use asm\";\
var I32 = glob.Int32Array;\
var i32 = new I32(b);\
var len = glob.byteLength;\
function ch(b2) {\
if (len(b2) & 0xffffff || len(b2) <= 0xffffff || len(b2) > 80000000) {\
return false;\
}\
i32 = new I32(b2);\
b = b2;\
return true\
}\
function get(i) {\
i = i | 0;\
return i32[i >> 2] | 0\
}\
return {\
get: get,\
changeHeap: ch\
}\
"
m = asmCompile("glob", "s", "b", body)
buf1 = ArrayBuffer(16777216)                        // 16 MiB initial heap
var {
    get, changeHeap
} = asmLink(m, this, null, buf1)
assertEq(changeHeap(ArrayBuffer(33554432)), true)   // grow the heap to 32 MiB
assertEq(get(), 0)
changeHeap(buf1)(get())                             // fuzzer-generated tail: swap back to buf1
```
asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager --no-threads --arm-sim-icache-checks at Assertion failure: memcmp(reinterpret_cast<void*>(instr), cache_page->cachedData(offset), SimInstruction::kInstrSize) == 0, at jit/arm/Simulator-arm.cpp.
Debug configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
This was found by combining random jit-tests together with jsfunfuzz. The specific file, which was run with random flag combinations, is:
http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/asm.js/testResize.js
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8d4702c0db51
user: Luke Wagner
date: Wed Oct 15 09:09:44 2014 -0500
summary: Bug 1082107 - OdinMonkey: add maximum-length requirement to change-heap definition (r=bbouvier)
Luke, is bug 1082107 a likely regressor?
Setting s-s and sec-critical because a previous bug 1055034 with a similar assert was marked s-s and sec-critical.
Flags: needinfo?(luke)
Comment 1 (Reporter, 11 years ago):
(lldb) bt 5
* thread #1: tid = 0x50bb15, 0x00493c58 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::AutoLockSimulatorRuntime::AutoLockSimulatorRuntime(srt=<unavailable>) + 15 at Simulator-arm.cpp:419, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00493c58 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::AutoLockSimulatorRuntime::AutoLockSimulatorRuntime(srt=<unavailable>) + 15 at Simulator-arm.cpp:419
frame #1: 0x00493c49 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::AutoLockSimulatorRuntime::AutoLockSimulatorRuntime(srt=<unavailable>) at Simulator-arm.cpp:423
frame #2: 0x00493c49 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::jit::Simulator::instructionDecode(this=<unavailable>, instr=<unavailable>) + 1273 at Simulator-arm.cpp:4131
frame #3: 0x004ac38a js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`void js::jit::Simulator::execute<false>(this=0x0280a600) + 138 at Simulator-arm.cpp:4215
frame #4: 0x0049b4b7 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::jit::Simulator::callInternal(this=0x0280a600, entry=0x019dd000) + 231 at Simulator-arm.cpp:4303
(lldb)
Comment 2 (Assignee, 11 years ago):
Missing AutoICacheFlush around the change-heap patching.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8523890 -
Flags: review?(benj)
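To show what the assertion in this bug's title is checking and why the flush named in comment 2 matters, here is a toy model added for this page (it is not SpiderMonkey's Simulator-arm.cpp or the project's code): the simulator keeps a shadow copy of every instruction it has fetched and compares memory against that copy on later fetches, so code patched in place without invalidating the shadow copy fails the memcmp. The names (CodePage, icache_check, flush_icache, patch_code, run_patch_scenario), the page size and the instruction encodings are assumptions.

```cpp
// Added example, not project code: a toy model of an icache-checking
// instruction simulator. Real SpiderMonkey uses different names and sizes.
#include <cstdint>
#include <cstring>

constexpr std::size_t kInstrSize = 4;           // one ARM instruction
constexpr std::size_t kPageSize = 64;           // toy page (assumption)
constexpr std::size_t kLines = kPageSize / kInstrSize;

struct CodePage {
    std::uint8_t code[kPageSize] = {};          // memory holding the instructions
    std::uint8_t cached[kPageSize] = {};        // simulator's shadow copy (icache)
    bool valid[kLines] = {};                    // which lines the icache has filled
};

// Consistency check on every fetch: the first fetch of a line fills the cache
// from memory; later fetches must match the cached bytes. Returns false where
// a real simulator would trip its memcmp assertion.
bool icache_check(CodePage& page, std::size_t offset) {
    std::size_t line = offset / kInstrSize;
    if (page.valid[line])
        return std::memcmp(page.code + offset, page.cached + offset, kInstrSize) == 0;
    std::memcpy(page.cached + offset, page.code + offset, kInstrSize);
    page.valid[line] = true;
    return true;
}

// The flush a code patcher must perform: drop cached lines covering the patch.
void flush_icache(CodePage& page, std::size_t offset, std::size_t len) {
    for (std::size_t o = offset; o < offset + len; o += kInstrSize)
        page.valid[o / kInstrSize] = false;
}

// Rewrite an instruction in place (e.g. a length check patched at link time).
void patch_code(CodePage& page, std::size_t offset, std::uint32_t instr) {
    std::memcpy(page.code + offset, &instr, kInstrSize);
}

// Scenario: execute, patch the live code, execute again. Without the flush the
// stale cached copy no longer matches memory and the check fails.
bool run_patch_scenario(bool flush_after_patch) {
    CodePage page;
    patch_code(page, 8, 0xe3a00001u);           // constructed initial instruction
    if (!icache_check(page, 8)) return false;   // first fetch fills the cache
    patch_code(page, 8, 0xe3a00002u);           // patch the instruction in place
    if (flush_after_patch) flush_icache(page, 8, kInstrSize);
    return icache_check(page, 8);
}
```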
Updated 11 years ago:
Attachment #8523890 -
Flags: review?(benj) → review+
Comment 4 (Assignee, 11 years ago):
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Updated 11 years ago:
Status: RESOLVED → VERIFIED
Comment 6 (11 years ago):
JSBugMon: This bug has been automatically verified fixed.
Updated 11 years ago:
Group: javascript-core-security
Updated 11 years ago:
status-firefox35:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Updated 10 years ago:
Group: core-security