Closed Bug 1238859 Opened 4 years ago Closed 4 years ago

Crash [@ js::jit::Simulator::instructionDecode]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: gkw, Assigned: h4writer)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-debug --enable-more-deterministic --32 --enable-simulator=arm, run with --fuzzing-safe --no-threads --ion-eager):

function g(x, y) x == x ? x ? h : h : Math.round(y ? x : x);
function f(y)(g(Math.fround(y), Math.fround(y)));
f(-undefined);
f(-undefined);

Backtrace:

0   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x0055a824 js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) + 212 (Simulator-arm.cpp:128)
1   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00578bf6 void js::jit::Simulator::execute<false>() + 134 (Simulator-arm.cpp:4460)
2   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x005633a3 js::jit::Simulator::callInternal(unsigned char*) + 227 (Simulator-arm.cpp:4549)
3   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00563ae6 js::jit::Simulator::call(unsigned char*, int, ...) + 198 (Simulator-arm.cpp:4633)
4   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x0026c37d js::jit::IonCannon(JSContext*, js::RunState&) + 701 (Ion.cpp:2719)
5   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x007909e0 js::RunScript(JSContext*, js::RunState&) + 528 (Interpreter.cpp:405)
6   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x007aa6ef js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 687 (Interpreter.cpp:495)
7   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x007aabbd js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:529)
8   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x001ba9e1 js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2721 (BaselineIC.cpp:6185)
9   js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x0055c2d4 js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) + 1204 (Simulator-arm.cpp:2313)
10  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x0055ab31 js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) + 993 (Simulator-arm.cpp:3482)
11  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00578bf6 void js::jit::Simulator::execute<false>() + 134 (Simulator-arm.cpp:4460)
12  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x005633a3 js::jit::Simulator::callInternal(unsigned char*) + 227 (Simulator-arm.cpp:4549)
13  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00563ae6 js::jit::Simulator::call(unsigned char*, int, ...) + 198 (Simulator-arm.cpp:4633)
14  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x0026c37d js::jit::IonCannon(JSContext*, js::RunState&) + 701 (Ion.cpp:2719)
15  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x007909e0 js::RunScript(JSContext*, js::RunState&) + 528 (Interpreter.cpp:405)
16  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x007ab8d7 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 887 (Interpreter.h:190)
17  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x007abcc4 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 484 (RootingAPI.h:719)
18  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x005a1cd5 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 405 (jsapi.cpp:4339)
19  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x005a1f96 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 86 (RootingAPI.h:719)
20  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00021b09 Process(JSContext*, char const*, bool, FileKind) + 3401 (js.cpp:516)
21  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00005f7b main + 13419 (js.cpp:6251)
22  js-dbg-32-dm-armSim-darwin-6020a4cb41a7	0x00001d05 start + 53

autoBisect is running.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2db399cd414f
parent:      257780:0760af2a400f
user:        Hannes Verschore
date:        Fri Aug 14 11:46:28 2015 +0200
summary:     Bug 1193112: IonMonkey - Let the float32 optimization work with Float32, r=bbouvier

Hannes, is bug 1193112 a likely regressor?
Blocks: 1193112
Flags: needinfo?(hv1989)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> autoBisect shows this is probably related to the following changeset:
> 
> The first bad revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/2db399cd414f
> parent:      257780:0760af2a400f
> user:        Hannes Verschore
> date:        Fri Aug 14 11:46:28 2015 +0200
> summary:     Bug 1193112: IonMonkey - Let the float32 optimization work with
> Float32, r=bbouvier
> 
> Hannes, is bug 1193112 a likely regressor?

Not a likely regressor. Looking at the code, I see everything is going fine until we generate the code. In the code we overwrite the stack location where lr is located.

Seems the MoveEmitter is at fault:
movegroup [stack:4 -> stack:8, f], [stack:8 -> stack:4, f] gets compiled as:

  0xb7fb8a58  e24dd008       sub sp, sp, #8
  0xb7fb8a5c  ed9dfa20       vldr s30, [sp + 4*32]
  0xb7fb8a60  ed8dfa00       vstr s30, [sp + 4*0]
  0xb7fb8a64  ed8dfa01       vstr s30, [sp + 4*1]            (1)
  0xb7fb8a68  ed9dfa21       vldr s30, [sp + 4*33]
  0xb7fb8a6c  ed8dfa20       vstr s30, [sp + 4*32]
  0xb7fb8a70  ed9dfb00       vldr d15, [sp + 4*0]
  0xb7fb8a74  ed8dfb21       vstr d15, [sp + 4*33]
  0xb7fb8a78  e28dd008       add sp, sp, #8

Two issues here:
1) d15 should have been a single fp reg. And we wouldn't have overwritten the stack.
2) Optimization issue. (1) shouldn't be needed.

Next: trying to understand the move emitter.
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8709356 - Attachment is patch: true
This uses a single fp reg when breaking a cycle.

The optimization issue I mentioned is not fixed. This is done on purpose (according to comments). Since I'm not sure why exactly, I'm not going to remove it.
Attachment #8709356 - Flags: review+
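As an added illustration (not code from this bug or from SpiderMonkey's MoveEmitter): a C model of the move group in comment 2, where the swap of two float32 stack slots is broken through the scratch area reserved by "sub sp, sp, #8". The store_width parameter selects either the 8-byte double store (d15) the buggy code emitted or the 4-byte single store the patch uses, and shows that the double store runs past slot 33 into the neighbouring word, which stands in for the saved lr. Slot numbers follow the disassembly; the float values and the lr placeholder are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stack image: w[i] models the 32-bit word at [sp + 4*i] after
 * the "sub sp, sp, #8". Slots 0 and 1 are the scratch area, 32 and 33 are
 * the float32 slots being swapped, and 34 stands in for the word holding
 * the saved lr (a constructed placeholder, not a real address). */
enum { SCRATCH0 = 0, SCRATCH1 = 1, SLOT_A = 32, SLOT_B = 33, SLOT_LR = 34 };
#define STACK_WORDS 40

static const uint32_t VAL_A  = 0x3f800000u; /* 1.0f */
static const uint32_t VAL_B  = 0x40000000u; /* 2.0f */
static const uint32_t VAL_LR = 0x0001c0deu; /* placeholder return address */

/* Replays the emitted instruction sequence byte for byte. store_width is 8
 * for the buggy "vldr/vstr d15" pair and 4 for the single-precision fix. */
static void emit_swap_cycle(uint32_t *w, size_t store_width) {
    uint8_t *sp = (uint8_t *)w;
    uint8_t tmp[8];
    memcpy(sp + 4 * SCRATCH0, sp + 4 * SLOT_A, 4);  /* vstr s30, [sp + 4*0]      */
    memcpy(sp + 4 * SCRATCH1, sp + 4 * SLOT_A, 4);  /* vstr s30, [sp + 4*1]  (1) */
    memcpy(sp + 4 * SLOT_A,   sp + 4 * SLOT_B, 4);  /* slot B -> slot A via s30  */
    memcpy(tmp, sp + 4 * SCRATCH0, store_width);    /* vldr d15 (8) or sN (4)    */
    memcpy(sp + 4 * SLOT_B, tmp, store_width);      /* vstr: store_width bytes   */
}

/* Runs the swap on a fresh stack image and returns the word left in the lr slot. */
uint32_t lr_after_swap(size_t store_width) {
    uint32_t w[STACK_WORDS] = {0};
    w[SLOT_A] = VAL_A; w[SLOT_B] = VAL_B; w[SLOT_LR] = VAL_LR;
    emit_swap_cycle(w, store_width);
    return w[SLOT_LR];
}

/* 1 if both slots were swapped and the lr word is untouched, else 0. */
int swap_is_sound(size_t store_width) {
    uint32_t w[STACK_WORDS] = {0};
    w[SLOT_A] = VAL_A; w[SLOT_B] = VAL_B; w[SLOT_LR] = VAL_LR;
    emit_swap_cycle(w, store_width);
    return w[SLOT_A] == VAL_B && w[SLOT_B] == VAL_A && w[SLOT_LR] == VAL_LR;
}

int main(void) {
    printf("double store (buggy): lr = 0x%08x, sound = %d\n",
           lr_after_swap(8), swap_is_sound(8));
    printf("single store (fixed): lr = 0x%08x, sound = %d\n",
           lr_after_swap(4), swap_is_sound(4));
    return 0;
}
```

With the 8-byte store the lr word ends up holding the float bit pattern copied by the redundant store (1), which is why the simulator later decodes garbage as an instruction.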
(In reply to Hannes Verschore [:h4writer] from comment #2)
> (In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> > Hannes, is bug 1193112 a likely regressor?
> 
> Not a likely regressor.

Removing bug 1193112 as a regressor.
No longer blocks: 1193112
https://hg.mozilla.org/mozilla-central/rev/f06fb66ef1c1
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46