Assertion failure: data >> 28 != 0xf (The instruction does not have condition code), at js/src/jit/arm/Assembler-arm.h:1987 with asm.js and OOM

RESOLVED FIXED in Firefox 48

Status: RESOLVED FIXED
Priority: --
Severity: critical
Reported: 3 years ago
Last modified: 2 years ago

People: Reporter: decoder; Unassigned

Tracking: Blocks 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla48
Platform / OS: ARM / Linux
Firefox Tracking Flags: firefox48 fixed

Whiteboard: [jsbugmon:update,bisect]

Attachments: 1 attachment

Description (Reporter, 3 years ago)
The following testcase crashes on mozilla-central revision 3a11a57b43aa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --arm-hwcap=vfp):

function parseAsmJS() {
    eval(`function m(stdlib)
          {
            "use asm";
            var abs = stdlib.Math.abs;
            function f(d)
            {
              d = +d;
              return (~~(5.0 - +abs(d)))|7 *  1    ;
            }
            return f;
          }`);
}
// oomTest is a JS shell builtin: it runs parseAsmJS repeatedly, failing a different allocation on each run
oomTest(parseAsmJS);


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0842f65a in js::jit::Instruction::extractCond (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.h:1987
#0  0x0842f65a in js::jit::Instruction::extractCond (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.h:1987
#1  0x084305c9 in extractCond (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.cpp:3119
#2  InstIsGuard (inst=0xf7fcf09c, ph=<optimized out>) at js/src/jit/arm/Assembler-arm.cpp:3113
#3  0x08435360 in js::jit::Instruction::skipPool (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.cpp:3157
#4  0x0843b3eb in InstructionIterator (i_=0xf7fcf09c, this=0xffffa3a0) at js/src/jit/arm/Assembler-arm.cpp:3337
#5  js::jit::Assembler::PatchDataWithValueCheck (label=..., newValue=..., expectedValue=expectedValue@entry=...) at js/src/jit/arm/Assembler-arm.cpp:3063
#6  0x0823c94f in js::wasm::Module::staticallyLink (this=this@entry=0xf7a89320, cx=cx@entry=0xf7a70020, linkData=...) at js/src/asmjs/WasmModule.cpp:1053
#7  0x081ec93d in staticallyLink (cx=0xf7a70020, this=0xf7a89320) at js/src/asmjs/AsmJS.cpp:430
#8  js::CompileAsmJS (cx=0xf7a70020, parser=..., stmtList=stmtList@entry=0xf7a7e638, validated=validated@entry=0xffffa680) at js/src/asmjs/AsmJS.cpp:8300
[...]
#50 main (argc=3, argv=0xffffd8d4, envp=0xffffd8e4) at js/src/shell/js.cpp:7250
eax	0x0	0
ebx	0x9858430	159745072
ecx	0xf7e4488c	-136034164
edx	0x0	0
esi	0xf7fcf09c	-134418276
edi	0xf7a5a824	-140138460
ebp	0xffffa338	4294943544
esp	0xffffa320	4294943520
eip	0x842f65a <js::jit::Instruction::extractCond()+42>
=> 0x842f65a <js::jit::Instruction::extractCond()+42>:	movl   $0x7c3,0x0
   0x842f664 <js::jit::Instruction::extractCond()+52>:	call   0x80fd280 <abort()>
I've been looking at this for an hour; what happens is that there's a call to SymbolicAddress::ToInt32 in OOL code. Before patching in staticallyLink, the to-be-patched value must be set to -1. Since that value is a numerical value and we're testing with ARM VFP, we're using a constant pool. Constant pools under ARM work in 2 steps: 1. write hints, 2. flush the pool into the actual numbers.

The assertion triggered means that we have written the hint but haven't actually flushed the pool. However, how can that be, as we have this call to flush() at the end of CodeGenerator::generateAsmJS, now?
Ha, found it: the flush() code itself can OOM, so we need to check that we didn't reach OOM after flushing.
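To make the failure mode in the comments above concrete, here is a small C++ model added to this page. It is not SpiderMonkey code: the Assembler class, the hint and load encodings, the Result enum and the two link functions are all made up for illustration. It shows the two-step constant pool (write hint, then flush), a flush that can run out of memory and leave hints in place, a PatchDataWithValueCheck lookalike that refuses an unflushed hint (the real one asserts in extractCond), and the link path before and after the OOM check.

```cpp
// Added illustration, not SpiderMonkey source. Everything here (the
// Assembler class, the hint/ldr encodings, the Result enum) is a made-up
// model of the two-step ARM constant pool described in the bug.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace toymodel {

// Word written at step 1 ("write hint"). The top nibble is 0xf, i.e. the
// "instruction has no condition code" case that the real extractCond()
// asserts on when it meets a hint that was never flushed.
constexpr uint32_t kPoolHint = 0xF0000000u;
// Toy pc-relative load with condition AL (0xe); the low 12 bits hold the
// index of the pool word it loads.
constexpr uint32_t kLdrAL = 0xE5900000u;
// Placeholder (-1) that staticallyLink expects to find before it patches the
// real SymbolicAddress in.
constexpr uint32_t kUnpatched = 0xFFFFFFFFu;

enum class Result { Ok, NotFlushed, Mismatch, Oom };

class Assembler {
 public:
  // capacityWords: simulated allocation limit for the code+pool buffer.
  explicit Assembler(size_t capacityWords) : capacity_(capacityWords) {}

  // Step 1: emit a hint and remember that `value` must land in the pool.
  // Returns the offset of the hint/load instruction.
  size_t emitPoolLoad(uint32_t value) {
    size_t at = buf_.size();
    if (append(kPoolHint)) pending_.push_back({at, value});
    return at;
  }

  // Step 2: flush. Each pool entry needs one more word of buffer; if that
  // allocation fails, oom_ is set and the remaining hints stay in place,
  // which is exactly the state the assertion in the report caught.
  void flushPool() {
    for (const Pending& p : pending_) {
      size_t slot = buf_.size();
      if (!append(p.value)) return;            // OOM mid-flush
      buf_[p.at] = kLdrAL | (slot & 0xfffu);   // hint becomes a real load
    }
    pending_.clear();
  }

  // Spirit of Assembler::PatchDataWithValueCheck: decode the load at `at`,
  // confirm the pool word holds `expected`, then overwrite it.
  Result patchDataWithValueCheck(size_t at, uint32_t expected, uint32_t newValue) {
    if (at >= buf_.size()) return Result::NotFlushed;      // nothing was emitted
    uint32_t inst = buf_[at];
    if ((inst >> 28) == 0xfu) return Result::NotFlushed;   // extractCond would assert here
    size_t slot = inst & 0xfffu;
    if (buf_[slot] != expected) return Result::Mismatch;
    buf_[slot] = newValue;
    return Result::Ok;
  }

  bool oom() const { return oom_; }

 private:
  struct Pending { size_t at; uint32_t value; };
  bool append(uint32_t w) {
    if (buf_.size() >= capacity_) { oom_ = true; return false; }
    buf_.push_back(w);
    return true;
  }
  std::vector<uint32_t> buf_;
  std::vector<Pending> pending_;
  size_t capacity_;
  bool oom_ = false;
};

// Code generation as in the report: one out-of-line call whose target is a
// -1 placeholder in the pool, then the flush at the end of codegen.
// Before the fix: go straight on to linking without re-checking OOM, so a
// failed flush leaves a hint for the patcher to trip over.
Result generateAndLinkUnchecked(size_t capacity, uint32_t resolved) {
  Assembler masm(capacity);
  size_t target = masm.emitPoolLoad(kUnpatched);
  masm.flushPool();
  return masm.patchDataWithValueCheck(target, kUnpatched, resolved);
}

// After the fix: the flush itself can OOM, so check before patching anything.
Result generateAndLinkChecked(size_t capacity, uint32_t resolved) {
  Assembler masm(capacity);
  size_t target = masm.emitPoolLoad(kUnpatched);
  masm.flushPool();
  if (masm.oom()) return Result::Oom;          // fail the compile instead of crashing
  return masm.patchDataWithValueCheck(target, kUnpatched, resolved);
}

}  // namespace toymodel
```

With a buffer big enough for the pool entry both paths patch the placeholder successfully; with a buffer that has room for the hint but not for the flushed value, the unchecked path reaches the patcher with a hint still in the code stream (the NotFlushed case, i.e. the assertion in the report), while the checked path notices the OOM right after flushPool() and fails the compile before anything is patched.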
Created attachment 8730228 [details]
MozReview Request: Bug 1255956: Check for OOM after flushing constant pools; r?luke

Review commit: https://reviewboard.mozilla.org/r/39765/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/39765/
Attachment #8730228 - Flags: review?(luke)

Updated (2 years ago)
Attachment #8730228 - Flags: review?(luke) → review+

Comment 5 (bugherder, 2 years ago)
https://hg.mozilla.org/mozilla-central/rev/583f746e9e55
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox48: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48