Closed Bug 1131811 Opened 9 years ago Closed 9 years ago

Assertion failure: from->toStackSlot()->slot() % SimdMemoryAlignment == 0, at js/src/jit/LIR.cpp:557

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla38
Tracking Status
firefox37 --- disabled
firefox38 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: arai, Assigned: bbouvier)

Running jstests.py with the --tbpl option hits an assertion failure with ecma_7/SIMD/select-bitselect.js

Configure options: --enable-threadsafe --enable-debug --enable-warnings-as-errors --with-ccache --enable-nspr-build
Environment variable: none
Running options: --ion-eager --ion-offthread-compile=off

Here is debug log:

(lldb) run --ion-eager --ion-offthread-compile=off -f shell.js -f ecma_7/shell.js -f ecma_7/SIMD/shell.js -f ecma_7/SIMD/select-bitselect.js
Assertion failure: from->toStackSlot()->slot() % SimdMemoryAlignment == 0, at /Users/arai/projects/mozilla-central/js/src/jit/LIR.cpp:557
Process 64759 stopped
* thread #1: tid = 0x250dc8, 0x0000000100569b90 js`js::jit::LMoveGroup::add(this=<unavailable>, from=<unavailable>, to=<unavailable>, type=<unavailable>) + 640 at LIR.cpp:557, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000100569b90 js`js::jit::LMoveGroup::add(this=<unavailable>, from=<unavailable>, to=<unavailable>, type=<unavailable>) + 640 at LIR.cpp:557
   554 	            if (from->isArgument())
   555 	                MOZ_ASSERT(from->toArgument()->index() % SimdMemoryAlignment == 0);
   556 	            else
-> 557 	                MOZ_ASSERT(from->toStackSlot()->slot() % SimdMemoryAlignment == 0);
   558 	        }
   559 	        if (to->isMemory()) {
   560 	            if (to->isArgument())
(lldb) bt
* thread #1: tid = 0x250dc8, 0x0000000100569b90 js`js::jit::LMoveGroup::add(this=<unavailable>, from=<unavailable>, to=<unavailable>, type=<unavailable>) + 640 at LIR.cpp:557, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100569b90 js`js::jit::LMoveGroup::add(this=<unavailable>, from=<unavailable>, to=<unavailable>, type=<unavailable>) + 640 at LIR.cpp:557
    frame #1: 0x000000010056fa6a js`js::jit::LinearScanAllocator::resolveControlFlow() [inlined] js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, true>::addMove(moves=<unavailable>, from=<unavailable>, to=<unavailable>, type=INT32X4) + 17 at LiveRangeAllocator.h:673
    frame #2: 0x000000010056fa59 js`js::jit::LinearScanAllocator::resolveControlFlow() [inlined] js::jit::VirtualRegister::type(this=<unavailable>, block=<unavailable>, from=<unavailable>, to=<unavailable>, type=INT32X4) const + 69 at LiveRangeAllocator.h:694
    frame #3: 0x000000010056fa14 js`js::jit::LinearScanAllocator::resolveControlFlow(this=0x00007fff5fbfc170) + 1300 at LinearScan.cpp:284
    frame #4: 0x00000001005057b0 js`js::jit::LinearScanAllocator::go(this=0x00007fff5fbfc170) + 288 at LinearScan.cpp:1319
    frame #5: 0x0000000100505294 js`js::jit::GenerateLIR(mir=0x000000010489b498) + 2292 at Ion.cpp:1500
    frame #6: 0x0000000100508785 js`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::CompileBackEnd(mir=0x000000010489b498, aRhs=<unavailable>) + 63 at Ion.cpp:1588
    frame #7: 0x0000000100508746 js`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::IonCompile(cx=0x0000000101d02f10, script=<unavailable>, baselineFrame=<unavailable>) + 1194 at Ion.cpp:1957
    frame #8: 0x000000010050829c js`js::jit::Compile(cx=0x0000000101d02f10, osrFrame=<unavailable>, osrPc=<unavailable>, constructing=<unavailable>, forceRecompile=<unavailable>, script=<unavailable>) + 3836 at Ion.cpp:2110
    frame #9: 0x0000000100506e71 js`js::jit::CanEnterAtBranch(cx=0x0000000101d02f10, script=0x00000001044841f0, osrFrame=0x00007fff5fbfd038, pc=0x000000010451f10b) + 369 at Ion.cpp:2179
    frame #10: 0x0000000100440269 js`js::jit::DoWarmUpCounterFallback(JSContext*, js::jit::ICWarmUpCounter_Fallback*, js::jit::BaselineFrame*, js::jit::IonOsrTempData**) [inlined] js::jit::EnsureCanEnterIon(root=0x0000000101d02f60, dummy=<unavailable>) + 71 at BaselineIC.cpp:781
    frame #11: 0x0000000100440222 js`js::jit::DoWarmUpCounterFallback(cx=0x0000000101d02f10, stub=<unavailable>, frame=0x00007fff5fbfd038, infoPtr=0x00007fff5fbfcfd8) + 338 at BaselineIC.cpp:945
    frame #12: 0x0000000101bf2165

Not sure of the impact of this bug, so marking as security.
No crash in latest m-i, bug 1130845 (3341a0bc3296) seems to fix it.
Depends on: 1130845
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee: nobody → benj
Target Milestone: --- → mozilla38
Group: core-security → core-security-release
Group: core-security-release