Closed
Bug 1136551
Opened 10 years ago
Closed 10 years ago
Crash at a weird memory address or Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp or Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1136898
| Tracking | Status | |
|---|---|---|
| firefox39 | --- | affected |
People
(Reporter: gkw, Assigned: sunfish)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(1 file)
|
9.36 KB,
text/plain
|
Details |
f = function(stdlib, n, heap) {
"use asm";
var Int8ArrayView = new stdlib.Int8Array(heap);
function f() {
Int8ArrayView[9999 >> 0] = 0
}
}
asserts js debug 32-bit shell on m-c changeset 0a8b3b67715a with --fuzzing-safe --no-threads --ion-eager --ion-regalloc=lsra at Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp.
Configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh ~/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32 -R ~/trees/mozilla-central" -r 0a8b3b67715a
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/11a0fa1a0122
user: Dan Gohman
date: Tue Feb 24 07:50:14 2015 -0800
summary: Bug 986981 - OdinMonkey: Optimize addresses with constant offsets on x86 and x64 r=luke
Dan, is bug 986981 a likely regressor?
Flags: needinfo?(sunfish)
|
Reporter | |
Comment 1•10 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x279e49, 0x0066c7de js-dbg-32-dm-nsprBuild-darwin-0a8b3b67715a`js::jit::AllocationIntegrityState::checkIntegrity(this=<unavailable>, block=<unavailable>, ins=<unavailable>, vreg=<unavailable>, alloc=(bits_ = 11), populateSafepoints=<unavailable>) + 1102 at RegisterAllocator.cpp:217, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0066c7de js-dbg-32-dm-nsprBuild-darwin-0a8b3b67715a`js::jit::AllocationIntegrityState::checkIntegrity(this=<unavailable>, block=<unavailable>, ins=<unavailable>, vreg=<unavailable>, alloc=(bits_ = 11), populateSafepoints=<unavailable>) + 1102 at RegisterAllocator.cpp:217
frame #1: 0x0066a974 js-dbg-32-dm-nsprBuild-darwin-0a8b3b67715a`js::jit::AllocationIntegrityState::check(this=<unavailable>, populateSafepoints=<unavailable>) + 1012 at RegisterAllocator.cpp:168
frame #2: 0x0051a725 js-dbg-32-dm-nsprBuild-darwin-0a8b3b67715a`js::jit::GenerateLIR(mir=0x00000000) + 1957 at Ion.cpp:1492
frame #3: 0x000b3119 js-dbg-32-dm-nsprBuild-darwin-0a8b3b67715a`CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, js::ScopedJSDeletePtr<js::AsmJSModule>*, js::ScopedJSFreePtr<char>*) [inlined] CheckFunctionsSequential(m=0x01e012f0)::ModuleCompiler&) + 463 at AsmJSValidate.cpp:7720
frame #4: 0x000b2f4a js-dbg-32-dm-nsprBuild-darwin-0a8b3b67715a`CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, js::ScopedJSDeletePtr<js::AsmJSModule>*, js::ScopedJSFreePtr<char>*) [inlined] CheckFunctions(m=0x01e012f0)::ModuleCompiler&) at AsmJSValidate.cpp:7966
(lldb)
|
|
Reporter | |
Comment 2•10 years ago
|
||
(function(stdlib, n, heap) {
"use asm"
var Uint8ArrayView = new stdlib.Uint8Array(heap)
function f() {
Uint8ArrayView[(735083223 + 1544918759) >>> 155] = 67301701
}
return f
})(this, {}, new ArrayBuffer(4096))()
crashes js opt 32-bit shell with --fuzzing-safe --no-threads --ion-eager --ion-regalloc=lsra at a weird memory address and asserts similarly.
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh ~/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build --32 -R ~/trees/mozilla-central" -r 0a8b3b67715a
Process 64513 stopped
* thread #1: tid = 0x331e3c, 0x014fe027, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x80bf745)
frame #0: 0x014fe027
-> 0x14fe027: movb %al, 0x4090600(%eax)
0x14fe02d: nop
0x14fe02f: addl $0x4, %esp
0x14fe032: retl
(lldb)
Keywords: crash
|
|
Reporter | |
Updated•10 years ago
|
Summary: Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp → Crash at a weird memory address or Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp
|
Assignee | |
Comment 3•10 years ago
|
||
I propose to fix this by implementing bug 1136898.
|
|
Reporter | |
Comment 4•10 years ago
|
||
f = function(stdlib, n, heap) {
"use asm"
var Uint8ArrayView = new stdlib.Uint8Array(heap)
function f() {
Uint8ArrayView[9999 >> 0] = 0 >> Uint8ArrayView[0] > 0
}
}
asserts js debug 32-bit shell on m-c changeset 0a8b3b67715a with --fuzzing-safe --no-threads --ion-eager --ion-regalloc=lsra at Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp.
Configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh ~/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32 -R ~/trees/mozilla-central" -r 0a8b3b67715a
This bisects to the same bug, guessing this is the same issue.
Summary: Crash at a weird memory address or Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp → Crash at a weird memory address or Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp or Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 5•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update]
|
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 6•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Assignee | |
Comment 7•10 years ago
|
||
Now that bug 1136898 is fixed, this bug no longer exists.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•