Closed Bug 1241872 Opened 9 years ago Closed 9 years ago

Hit MOZ_CRASH(SIMD constructor call not expected.) at jit/MCallOptimize.cpp:3074 or Crash [@ js::jit::IonBuilder::inlineSimd]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

MozReview Request: Bug 1241872: Fix inlining of SIMD extractLanes in self-hosting; r?jolesen
58 bytes, text/x-review-board-request
jolesen
: review+
Details
The following testcase crashes on mozilla-central revision c5da92c5b490 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe): function test() { Float32x4 = SIMD.Float32x4; f = Float32x4(); test(f.toSource()); } test(); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000731968 in js::jit::IonBuilder::inlineSimd (this=0x7ffff69b6370, callInfo=..., target=<optimized out>, simdType=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/MCallOptimize.cpp:3074 #0 0x0000000000731968 in js::jit::IonBuilder::inlineSimd (this=0x7ffff69b6370, callInfo=..., target=<optimized out>, simdType=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/MCallOptimize.cpp:3074 #1 0x00000000006b57cd in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff69b6370, callInfo=..., targetArg=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:5572 #2 0x00000000006b711c in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff69b6370, targets=..., callInfo=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:5636 #3 0x00000000006b74ad in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff69b6370, argc=2, constructing=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:6573 #4 0x00000000006b10b6 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b6370, op=op@entry=JSOP_CALL) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:1888 #5 0x00000000006b1c90 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b6370) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:1522 #6 0x00000000006b2455 in js::jit::IonBuilder::build (this=0x7ffff69b6370) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:918 #7 0x00000000006c44c0 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907800, script=script@entry=0x7ffff7e6d300, baselineFrame=baselineFrame@entry=0x7ffffffcba68, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2213 #8 0x00000000006c4efc in js::jit::Compile (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7ffffffcba68, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2452 #9 0x00000000006c5710 in js::jit::CompileFunctionForBaseline (cx=cx@entry=0x7ffff6907800, script=script@entry=..., frame=frame@entry=0x7ffffffcba68) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2646 #10 0x00000000005ebcd2 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff318700c "\271W", script=..., frame=0x7ffffffcba68, cx=0x7ffff6907800) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/BaselineIC.cpp:69 #11 js::jit::DoWarmUpCounterFallback (cx=0x7ffff6907800, frame=0x7ffffffcba68, stub=<optimized out>, infoPtr=0x7ffffffcb980) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/BaselineIC.cpp:230 #12 0x00007ffff7ff25d9 in ?? () [...] #23 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff69b6370 140737330766704 rcx 0x7ffff6ca53cd 140737333842893 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7ffffffcb0c0 140737488138432 rsp 0x7ffffffcb090 140737488138384 r8 0x7ffff7fe0780 140737354008448 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7ffffffcae50 140737488137808 r11 0x7ffff6c27960 140737333328224 r12 0x7ffffffcb240 140737488138816 r13 0x0 0 r14 0x7ffffffcb1f0 140737488138736 r15 0x7ffffffcb240 140737488138816 rip 0x731968 <js::jit::IonBuilder::inlineSimd(js::jit::CallInfo&, JSFunction*, js::jit::MIRType)+296> => 0x731968 <js::jit::IonBuilder::inlineSimd(js::jit::CallInfo&, JSFunction*, js::jit::MIRType)+296>: movl $0xc02,0x0 0x731973 <js::jit::IonBuilder::inlineSimd(js::jit::CallInfo&, JSFunction*, js::jit::MIRType)+307>: callq 0x4a2d10 <abort()>
Comment on attachment 8711032 [details] MozReview Request: Bug 1241872: Fix inlining of SIMD extractLanes in self-hosting; r?jolesen https://reviewboard.mozilla.org/r/31943/#review28707 Thanks! Looks good.
Attachment #8711032 - Flags: review?(jolesen) → review+
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/02827acc616d user: Jakob Stoklund Olesen date: Wed Jan 20 12:50:07 2016 -0800 summary: Bug 1238679 - Implement main SIMD inlining dispatch. r=bbouvier This iteration took 319.010 seconds to run.
https://hg.mozilla.org/mozilla-central/rev/1dcd651f539a
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
(In reply to Fuzzing Team from comment #4) > The first bad revision is: > changeset: https://hg.mozilla.org/mozilla-central/rev/02827acc616d > user: Jakob Stoklund Olesen > date: Wed Jan 20 12:50:07 2016 -0800 > summary: Bug 1238679 - Implement main SIMD inlining dispatch. r=bbouvier Assuming related to bug 1238679.
Blocks: 1238679
Target Milestone: mozilla46 → mozilla47
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: