Bug 1228773 - Segfault in AsmJSCompile.cpp
Status: RESOLVED FIXED (closed)
Opened 9 years ago; closed 9 years ago
Product / Component: Core :: JavaScript Engine: JIT (defect)
Reporter: azakai; Assignee: unassigned
Whiteboard: fixed by bug 1229855
Attachments: 1 file (492.72 KB, application/javascript)
The attached testcase (emscripten's tests/cases/i1282vecnback.ll in -O1, a simd test) segfaults during asm.js compilation. This is on 32-bit linux, latest mozilla-central. Stack trace in gdb is:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6dfab40 (LWP 19542)]
0x0811466a in EmitExpr (f=..., type=<optimized out>, def=0xb6df93cc)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2214
2214 switch (type) {
(gdb) where
#0 0x0811466a in EmitExpr (f=..., type=<optimized out>, def=0xb6df93cc)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2214
#1 0x0812f48e in EmitSimdCast<js::jit::MSimdReinterpretCast> (f=..., fromType=fromType@entry=Int32x4, toType=toType@entry=Float32x4,
def=def@entry=0xb6df945c)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:1841
#2 0x08111a9e in EmitF32X4Expr (f=..., def=0xb6df945c)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2944
#3 0x081148da in EmitSetLoc (f=..., type=type@entry=Float32x4, def=def@entry=0xb6df94ec)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:1412
#4 0x08111c5d in EmitF32X4Expr (f=..., def=def@entry=0xb6df94ec)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2914
#5 0x08110078 in EmitStatement (maybeLabels=0x0, stmt=<optimized out>, f=...)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2537
#6 EmitStatement (f=..., maybeLabels=0x0)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2556
#7 0x08118485 in js::CompileAsmFunction (lifo=..., inputs=..., func=..., results=results@entry=0xb7a8c9a4)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2988
#8 0x0844cd2c in js::HelperThread::handleAsmJSWorkload (this=this@entry=0xb7a3cd28)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/vm/HelperThreads.cpp:1210
#9 0x0844e594 in js::HelperThread::threadLoop (this=0xb7a3cd28)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/vm/HelperThreads.cpp:1584
#10 0x0847e81f in nspr::Thread::ThreadRoutine (arg=0xb7a011c0)
at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/vm/PosixNSPR.cpp:45
#11 0xb7fa6f70 in start_thread (arg=0xb6dfab40) at pthread_create.c:312
#12 0xb7d71bee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
Comment 1 • 9 years ago
Are you using gcc4.7? If so, that could be the same issue as bug 1216099, which I could not reproduce on my machine and is likely due to a mis-compilation from gcc.
Flags: needinfo?(azakai)
Comment 2 • 9 years ago (Reporter)
No, looks like I'm on
gcc (Ubuntu 4.8.2-19ubuntu1) 4.8.2
(32-bit).
Flags: needinfo?(azakai)
Comment 3 • 9 years ago
Can you provide the exact configure flags that you have used to compile, please?
I locally have gcc 4.8.4 and can't reproduce either, with a few different configure setups.
Flags: needinfo?(azakai)
Updated • 9 years ago
Group: core-security → javascript-core-security
Comment 5 • 9 years ago
Alon, does the fix that landed in bug 1229855 fix your issue here?
Flags: needinfo?(azakai)
Comment 6 • 9 years ago (Reporter)
I tested mozilla-central now and no longer see the bug.
(I can't view that other bug, so not sure when it landed.)
Flags: needinfo?(azakai)
Comment 7 • 9 years ago
Oops, I was pretty sure I needinfo'd you on the other bug, but apparently it got dismissed, sorry about that.
Marking this one as fixed by bug 1229855, as the cause is likely the same (compiler bug involving inline enum class with storage class less-than-a-word wide) but in a different place, as my investigation there suggests.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Group: javascript-core-security → core-security-release