Closed Bug 1123631 Opened 10 years ago Closed 10 years ago

Hit MOZ_CRASH(Unknown SIMD kind when generating MSimdBox instruction.) at js/src/jit/MCallOptimize.cpp:2534

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- affected

People

(Reporter: decoder, Assigned: nbp)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision c1c6840d9255 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

var float64x2 = SIMD.float64x2;
function test() {
  var a = float64x2(1, 2);
}
test();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08380035 in js::jit::IonBuilder::inlineConstructSimdObject (this=0x96f3df0, callInfo=..., descr=(js::SimdTypeDescr *) 0xf61595f0 [object SIMD]) at js/src/jit/MCallOptimize.cpp:2534
2534	MOZ_CRASH("Unknown SIMD kind when generating MSimdBox instruction.");
#0 0x08380035 in js::jit::IonBuilder::inlineConstructSimdObject (this=0x96f3df0, callInfo=..., descr=(js::SimdTypeDescr *) 0xf61595f0 [object SIMD]) at js/src/jit/MCallOptimize.cpp:2534
#1 0x083caf49 in js::jit::IonBuilder::inlineCallsite (this=0x96f3df0, targets=..., originals=..., lambda=false, callInfo=...) at js/src/jit/IonBuilder.cpp:4877
#2 0x083cb6f1 in js::jit::IonBuilder::jsop_call (this=0x96f3df0, argc=2, constructing=false) at js/src/jit/IonBuilder.cpp:5679
#3 0x083c4c6f in js::jit::IonBuilder::inspectOpcode (this=0x96f3df0, op=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1672
#4 0x083c58ed in js::jit::IonBuilder::traverseBytecode (this=0x96f3df0) at js/src/jit/IonBuilder.cpp:1340
#5 0x083cc7b6 in build (this=0x96f3df0) at js/src/jit/IonBuilder.cpp:757
#6 js::jit::IonBuilder::build (this=0x96f3df0) at js/src/jit/IonBuilder.cpp:660
#7 0x082e6453 in IonCompile (optimizationLevel=js::jit::Optimization_DontCompile, recompile=false, constructing=false, osrPc=0x0, baselineFrame=0x0, script=0xf61491c0, cx=0x964c420) at js/src/jit/Ion.cpp:1808
#8 js::jit::Compile (cx=0x964c420, script=..., osrFrame=0x0, osrPc=0x0, constructing=false, forceRecompile=false) at js/src/jit/Ion.cpp:1999
#9 0x08302bfa in js::jit::CanEnter (cx=0x964c420, state=...) at js/src/jit/Ion.cpp:2138
#10 0x086f37a9 in js::RunScript (cx=0x964c420, state=...) at js/src/vm/Interpreter.cpp:424
#11 0x086f3f9d in js::Invoke (cx=0x964c420, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:517
#12 0x086f5149 in js::Invoke (cx=0x964c420, thisv=..., fval=..., argc=0, argv=0xffffd160, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Interpreter.cpp:554
#13 0x0830fea1 in js::jit::DoCallFallback (cx=0x964c420, frame=0xffffd180, stub_=0x96f1a10, argc=0, vp=0xffffd150, res=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9294
#14 0xf7743a0c in ?? ()
#15 0x096f1a10 in ?? ()
#16 0xf773fa04 in ?? ()

eax 0x0 0
ebx 0x9606ff4 157315060
ecx 0xf7e648ac -135903060
edx 0x0 0
esi 0xf61595f0 -166357520
edi 0xffffc638 -14792
ebp 0xffffc518 4294952216
esp 0xffffc4c0 4294952128
eip 0x8380035 <js::jit::IonBuilder::inlineConstructSimdObject(js::jit::CallInfo&, js::SimdTypeDescr*)+229>
=> 0x8380035 <js::jit::IonBuilder::inlineConstructSimdObject(js::jit::CallInfo&, js::SimdTypeDescr*)+229>: movl $0x9e6,0x0
   0x838003f <js::jit::IonBuilder::inlineConstructSimdObject(js::jit::CallInfo&, js::SimdTypeDescr*)+239>: call 0x804a960 <abort@plt>

This is a very frequent crasher, marking as a fuzzblocker.
Probably not s-s though.
Group: core-security
The test is so simple... Don't we have jit-tests for this?
Blocks: 1031203
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Comment on attachment 8551764 [details] [diff] [review] SIMD Ion: Disable inlining of Float64x2. Review of attachment 8551764 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/MCallOptimize.cpp @@ -2531,5 @@ > simdType = MIRType_Float32x4; > break; > - default: > - MOZ_CRASH("Unknown SIMD kind when generating MSimdBox instruction."); > - return InliningStatus_NotInlined; I removed the default case, such that a compiler error forces us to make this enumeration complete.
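Review bot: dropping the `default:` arm only turns an unhandled SimdTypeDescr kind into a build failure when the compiler is configured to treat incomplete enum switches as errors (-Wswitch under -Werror); on a build without that, a kind added later compiles silently and reaches the MSimdBox construction with simdType never assigned in the switch. Either confirm the tree builds with that warning as an error, or keep an unreachable `default: MOZ_CRASH(...)` as the runtime backstop so the failure stays a loud abort rather than a use of an unset MIRType.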
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7ce5ad5a7539
user: ProgramFOX
date: Fri Jan 16 17:17:37 2015 +0100
summary: Bug 1031203 - Implemented float64x2. r=bbouvier

This iteration took 598.316 seconds to run.
Comment on attachment 8551764 [details] [diff] [review] SIMD Ion: Disable inlining of Float64x2. Review of attachment 8551764 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/MCallOptimize.cpp @@ +2530,5 @@ > case SimdTypeDescr::TYPE_FLOAT32: > simdType = MIRType_Float32x4; > break; > + case SimdTypeDescr::TYPE_FLOAT64: > + return InliningStatus_NotInlined; // NYI please add a bug number (and file a followup if necessary) and a TODO mark
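Review bot: the new `case SimdTypeDescr::TYPE_FLOAT64:` arm bails out of inlining but the patch adds no regression test; the reporter's testcase (`var float64x2 = SIMD.float64x2; function test() { var a = float64x2(1, 2); } test();` under --ion-eager) is small enough to land as a jit-test with this change, which also answers the earlier "Don't we have jit-tests for this?" question. The bare `// NYI` on the return should carry the bug number benj asked for, so the disabled float64x2 inlining is tracked rather than forgotten.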
Attachment #8551764 - Flags: review?(benj) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
