Closed Bug 1228773 Opened 9 years ago Closed 9 years ago

Segfault in AsmJSCompile.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

RESOLVED FIXED

People

(Reporter: azakai, Unassigned)

(Whiteboard: fixed by bug 1229855)

Attached file crashing program
The attached testcase (emscripten's tests/cases/i1282vecnback.ll in -O1, a simd test) segfaults during asm.js compilation. This is on 32-bit linux, latest mozilla-central. Stack trace in gdb is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6dfab40 (LWP 19542)]
0x0811466a in EmitExpr (f=..., type=<optimized out>, def=0xb6df93cc) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2214
2214 switch (type) {
(gdb) where
#0 0x0811466a in EmitExpr (f=..., type=<optimized out>, def=0xb6df93cc) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2214
#1 0x0812f48e in EmitSimdCast<js::jit::MSimdReinterpretCast> (f=..., fromType=fromType@entry=Int32x4, toType=toType@entry=Float32x4, def=def@entry=0xb6df945c) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:1841
#2 0x08111a9e in EmitF32X4Expr (f=..., def=0xb6df945c) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2944
#3 0x081148da in EmitSetLoc (f=..., type=type@entry=Float32x4, def=def@entry=0xb6df94ec) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:1412
#4 0x08111c5d in EmitF32X4Expr (f=..., def=def@entry=0xb6df94ec) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2914
#5 0x08110078 in EmitStatement (maybeLabels=0x0, stmt=<optimized out>, f=...) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2537
#6 EmitStatement (f=..., maybeLabels=0x0) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2556
#7 0x08118485 in js::CompileAsmFunction (lifo=..., inputs=..., func=..., results=results@entry=0xb7a8c9a4) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/asmjs/AsmJSCompile.cpp:2988
#8 0x0844cd2c in js::HelperThread::handleAsmJSWorkload (this=this@entry=0xb7a3cd28) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/vm/HelperThreads.cpp:1210
#9 0x0844e594 in js::HelperThread::threadLoop (this=0xb7a3cd28) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/vm/HelperThreads.cpp:1584
#10 0x0847e81f in nspr::Thread::ThreadRoutine (arg=0xb7a011c0) at /media/alon/d69dd9b2-4791-4b8e-aeb3-f6353b45d710/home/alon/Dev/mozilla-central/js/src/vm/PosixNSPR.cpp:45
#11 0xb7fa6f70 in start_thread (arg=0xb6dfab40) at pthread_create.c:312
#12 0xb7d71bee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
Are you using gcc4.7? If so, that could be the same issue as bug 1216099, which I could not reproduce on my machine and is likely due to a mis-compilation from gcc.
Flags: needinfo?(azakai)
No, looks like I'm on gcc (Ubuntu 4.8.2-19ubuntu1) 4.8.2 (32-bit).
Flags: needinfo?(azakai)
Can you provide the exact configure flags that you have used to compile, please? I locally have gcc 4.8.4 and can't reproduce as well, with a few different configure setups.
Flags: needinfo?(azakai)
I use --enable-optimize --disable-debug
Flags: needinfo?(azakai)
Group: core-security → javascript-core-security
Alon, does the fix that landed in bug 1229855 fix your issue here?
Flags: needinfo?(azakai)
I tested mozilla-central now and no longer see the bug. (I can't view that other bug, so not sure when it landed.)
Flags: needinfo?(azakai)
Oops, I was pretty sure I needinfo'd you on the other bug, but apparently it got dismissed, sorry about that. Marking this one as fixed by bug 1229855, as the cause is likely the same (compiler bug involving inline enum class with storage class less-than-a-word wide) but in a different place, as my investigation there suggests.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: javascript-core-security → core-security-release
Group: core-security-release
Depends on: 1229855
Whiteboard: fixed by bug 1229855