Closed Bug 1111326 Opened 10 years ago Closed 10 years ago

Assertion failure: addr.offset == 0, at jit/arm/MacroAssembler-arm.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox37 --- affected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

stack
8.50 KB, text/plain
Details
patch
7.87 KB, patch
mjrosenb
: review+
Details | Diff | Splinter Review 
// Randomly chosen test: js/src/tests/ecma_7/TypedObject/arraytype.js
var ArrayType = TypedObject.ArrayType;
var float32 = TypedObject.float32;
(new new ArrayType(new ArrayType(float32, 3), 3))[1][1] = {}
for (var i = 0; i < 1; i++) {}

asserts js debug 32-bit ARM-simulator shell on m-c changeset f14dcd1c8c0b with --fuzzing-safe --no-threads --ion-eager --ion-gvn=off at Assertion failure: addr.offset == 0, at jit/arm/MacroAssembler-arm.h.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/tests/ecma_7/TypedObject/arraytype.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d696d5bfb8cf
user:        Brian Hackett
date:        Tue Nov 18 08:37:32 2014 -0700
summary:     Bug 1095952 - Optimize accesses to known inline or outline typed objects, r=nmatsakis,jandem.

Brian, is bug 1095952 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x3102f4, 0x004569ab js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::MacroAssemblerARMCompat::storeFloat32(this=<unavailable>, src=<unavailable>, addr=<unavailable>) + 251 at MacroAssembler-arm.h:1430, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x004569ab js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::MacroAssemblerARMCompat::storeFloat32(this=<unavailable>, src=<unavailable>, addr=<unavailable>) + 251 at MacroAssembler-arm.h:1430
    frame #1: 0x0040afdb js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::MacroAssembler::storeToTypedFloatArray(js::Scalar::Type, js::jit::VFPRegister, js::jit::BaseIndex const&) [inlined] void StoreToTypedFloatArray<js::jit::VFPRegister, js::jit::BaseIndex>(masm=<unavailable>, arrayType=<unavailable>, value=<unavailable>, dest=<unavailable>) + 139 at MacroAssembler.cpp:269
    frame #2: 0x0040af6b js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::MacroAssembler::storeToTypedFloatArray(this=<unavailable>, arrayType=<unavailable>, value=<unavailable>, dest=<unavailable>) + 27 at MacroAssembler.cpp:287
    frame #3: 0x002b1195 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::CodeGenerator::visitStoreTypedArrayElement(js::jit::LStoreTypedArrayElement*) [inlined] void js::jit::StoreToTypedArray<js::jit::BaseIndex>(masm=<unavailable>, arrayType=<unavailable>, dest=0x00000000) + 60 at CodeGenerator.cpp:8871
    frame #4: 0x002b1159 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::CodeGenerator::visitStoreTypedArrayElement(this=<unavailable>, lir=<unavailable>) + 553 at CodeGenerator.cpp:8895
(lldb)
Attached patch patchSplinter Review 
The macro assembler just asserts that base indexes have a zero offset, which is not an assumption it can make anymore after bug 1095952.  This patch fixes this instance of the assert, as well as all the other ones I could find in the ARM assembler.
Flags: needinfo?(bhackett1024)
Attachment #8536532 - Flags: review?(mrosenberg)
Attachment #8536532 - Flags: review?(mrosenberg) → review+
https://hg.mozilla.org/mozilla-central/rev/157b8c310478
Assignee: nobody → bhackett1024
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: