Closed
Bug 1209132
Opened 9 years ago
Closed 9 years ago
Firefox 43 crash in arena_dalloc_small | je_free | js::jit::IonCompile
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
| Tracking | Status | |
|---|---|---|
| firefox42 | --- | unaffected |
| firefox43 | + | fixed |
| firefox44 | + | fixed |
People
(Reporter: kairo, Assigned: arai)
References
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
|
1.62 KB,
patch
|
sstangl
:
review+
|
Details | Diff | Splinter Review |
|
2.57 KB,
patch
|
arai
:
review+
lizzard
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-0d73699a-1b65-4b4c-9cea-749cc2150928.
=============================================================
Stack Trace:
0 @0x250db051
1 mozglue.dll arena_dalloc_small memory/mozjemalloc/jemalloc.c
2 mozglue.dll je_free memory/mozjemalloc/jemalloc.c
3 xul.dll js::jit::IonCompile js/src/jit/Ion.cpp
4 xul.dll js::jit::Compile js/src/jit/Ion.cpp
This is the #1 crash since we opened updates to Firefox 43 Developer Edition. The stacks above is how this looks on Win7 and higher, the WinXP stacks look like this one from bp-88592e76-1a91-4fcc-b811-8403b2150928:
0 @0x81a0f82
1 mozglue.dll arena_dalloc_small memory/mozjemalloc/jemalloc.c
2 mozglue.dll je_free memory/mozjemalloc/jemalloc.c
3 xul.dll js::ScopedJSDeletePtr<js::LifoAlloc>::~ScopedJSDeletePtr<js::LifoAlloc>()
4 xul.dll js::jit::IonCompile js/src/jit/Ion.cpp
5 xul.dll js::jit::Compile js/src/jit/Ion.cpp
|
Reporter | |
Updated•9 years ago
|
status-firefox43:
--- → affected
status-firefox44:
affected → ---
|
|
Reporter | |
Comment 1•9 years ago
|
||
I wonder if https://crash-stats.mozilla.com/report/list?signature=js%3A%3Ajit%3A%3APrepareOsrTempData is the same thing as well, as it's also EXCEPTION_ILLEGAL_INSTRUCTION crashes with JIT-related stuff on the stacks that end in bare hex addresses.
The first dump I opened crashed on an instruction "haddpd xmm0,xmm0"
The xmm register, combined with EXCEPTION_ILLEGAL_INSTRUCTION, plus all these old single-core CPUs, suggests that we're failing to test for SSE support before using it:
Rank Cpu info Count %
1 GenuineIntel family 15 model 2 stepping 9 | 1 333 30.00 %
2 GenuineIntel family 6 model 13 stepping 8 | 1 280 25.23 %
3 GenuineIntel family 15 model 2 stepping 7 | 1 162 14.59 %
4 GenuineIntel family 15 model 2 stepping 4 | 1 118 10.63 %
The code surrounding EIP goes like:
250db043 b8802ce052 mov eax,offset xul!TO_DOUBLE (52e02c80)
250db048 660f6200 punpckldq xmm0,xmmword ptr [eax]
250db04c 660f5c4010 subpd xmm0,xmmword ptr [eax+10h]
250db051 660f7cc0 haddpd xmm0,xmm0
250db055 b868634053 mov eax,offset xul!RNG_DSCALE_INV (53406368)
250db05a f20f5900 mulsd xmm0,mmword ptr [eax]
250db05e f20f100db0b30d25 movsd xmm1,mmword ptr ds:[250DB3B0h]
250db066 f20f59c1 mulsd xmm0,xmm1
Which looks like CodeGenerator::visitRandom. At first glance I'm going to blame bug 774364, which landed in 43. :arai, does that code need to check for SSE support?
Blocks: 774364
Flags: needinfo?(arai.unmht)
|
Assignee | |
Comment 3•9 years ago
|
||
Thank you for pointing that out. subpd needs SSE2 and haddpd needs SSE3. We should check them at the beginning of the MacroAssemblerX86::convertUInt64ToDouble, and fallback to the way MacroAssemblerARMCompat::convertUInt64ToDouble does if SSE2 not present.
I'll prepare patch shortly.
Assignee: nobody → arai.unmht
|
|
Assignee | |
Comment 4•9 years ago
|
||
Added HasSSE3() in MacroAssemblerX86::convertUInt64ToDouble (HasSSE3()==true implies HasSSE2()==true, right?),
and when HasSSE3()==false, it fallbacks to MacroAssemblerARMCompat::convertUInt64ToDouble's way. it's a bit less performant but works well (bug 774364 comment #31)
Flags: needinfo?(arai.unmht)
Attachment #8666984 -
Flags: review?(sstangl)
|
||
Updated•9 years ago
|
Attachment #8666984 -
Flags: review?(sstangl) → review+
Flagging for tracking because this will need to be uplifted to aurora.
[Tracking Requested - why for this release]: Regression in 43, JIT crashes on older CPUs
status-firefox42:
--- → unaffected
tracking-firefox43:
--- → ?
|
||
Comment 8•9 years ago
|
||
(In reply to Tooru Fujisawa [:arai] from comment #3)
> haddpd needs SSE3.
Can we also change this HasSSE2() assert to HasSSE3():
void vhaddpd(FloatRegister src, FloatRegister dest) {
MOZ_ASSERT(HasSSE2());
That way jit-tests or fuzzing with --no-sse3 would have caught it :)
|
||
Comment 10•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
|
Assignee | |
Comment 11•9 years ago
|
||
Merged part 2 (only assertion fix).
Approval Request Comment
[Feature/regressing bug #]: bug 774364
[User impact if declined]: Crash with EXCEPTION_ILLEGAL_INSTRUCTION by opening certain webpage on non-SSE2/SSE3 CPU, inside JS JIT code
[Describe test coverage new/current, TreeHerder]: The newly added code path is tested in automated test (basic/math-random.js with --no-sse3 option in jit-test):
https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=ef04c494e2ed
[Risks and why]:
* Very low for currently not-crashing environment. This patch changes almost nothing.
* Low for the currently crashing environment. This patch changes Math.random implementation to a little less-performant way, that is also tested on automated test. Math.random might be used in some security-related thing on some website.
[String/UUID change made/needed]: None
Attachment #8667213 -
Flags: review+
Attachment #8667213 -
Flags: approval-mozilla-aurora?
|
||
Comment 12•9 years ago
|
||
Comment on attachment 8667213 [details] [diff] [review]
(mozilla-aurora) Check for SSE3 in MacroAssemblerX86::convertUInt64ToDouble. r=sstangl,jandem
Tests look ok, crash fix, approved for uplift to aurora.
Attachment #8667213 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•9 years ago
|
tracking-firefox44:
--- → +
|
|
||
Comment 14•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•