Bug 1258999 (Closed) - Opened 7 years ago, Closed 7 years ago

Assertion failure: data >> 28 != 0xf (The instruction does not have condition code), at js/src/jit/arm/Assembler-arm.h:1987 with asm.js and OOM

Categories: Core :: JavaScript Engine, defect

Tracking: RESOLVED FIXED, target milestone mozilla48

Release | Tracking | Status
---|---|---
firefox48 | --- | fixed

People: Reporter: decoder; Assignee: Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]

Attachments (1 file): patch (861 bytes), bbouvier: review+
Description

The following testcase crashes on mozilla-central revision 3587b25bae30 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --arm-hwcap=vfp --baseline-eager):

```js
USE_ASM = '"use asm";'
function asmCompile() Function.apply(0, arguments);
oomTest(() => {
  try {
    function f() {}
  } catch (SECTION) {
    if (0 == 0) TestCase;
  }
  f(asmCompile(USE_ASM + "function f() { var i=42; } return f"));
})
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x08466d1a in js::jit::Instruction::extractCond (this=0xf7c8a0ac) at js/src/jit/arm/Assembler-arm.h:1987
#0  0x08466d1a in js::jit::Instruction::extractCond (this=0xf7c8a0ac) at js/src/jit/arm/Assembler-arm.h:1987
#1  0x08467109 in extractCond (this=0xf7c8a0ac) at js/src/jit/arm/Assembler-arm.cpp:3119
#2  InstIsGuard (inst=0xf7c8a0ac, ph=<optimized out>) at js/src/jit/arm/Assembler-arm.cpp:3113
#3  0x08471450 in js::jit::Instruction::skipPool (this=0xf7c8a0ac) at js/src/jit/arm/Assembler-arm.cpp:3157
#4  0x08472aeb in InstructionIterator (i_=0xf7c8a0ac, this=0xffff9130) at js/src/jit/arm/Assembler-arm.cpp:3337
#5  js::jit::Assembler::PatchDataWithValueCheck (label=..., newValue=..., expectedValue=expectedValue@entry=...) at js/src/jit/arm/Assembler-arm.cpp:3063
#6  0x0823de1f in js::wasm::Module::staticallyLink (this=this@entry=0xf7a8baf0, cx=cx@entry=0xf7a75020, linkData=...) at js/src/asmjs/WasmModule.cpp:1078
#7  0x081e8f40 in staticallyLink (cx=0xf7a75020, this=0xf7a8baf0) at js/src/asmjs/AsmJS.cpp:430
#8  js::CompileAsmJS (cx=0xf7a75020, parser=..., stmtList=stmtList@entry=0xf7a83248, validated=validated@entry=0xffff9410) at js/src/asmjs/AsmJS.cpp:8299
#9  0x0812e915 in js::frontend::Parser<js::frontend::FullParseHandler>::asmJS (this=0xffff9d00, list=0xf7a83248) at js/src/frontend/Parser.cpp:3413
#10 0x08141961 in js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective (this=this@entry=0xffff9d00, list=list@entry=0xf7a83248, pn=pn@entry=0xf7a83298, cont=cont@entry=0xffff9470) at js/src/frontend/Parser.cpp:3487
#11 0x08161c45 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0xffff9d00, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3553
#12 0x08161f87 in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0xffff9d00, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Statement, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1364
#13 0x081378f7 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneFunctionBody (this=this@entry=0xffff9d00, fun=..., fun@entry=..., formals=formals@entry=..., generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0xffff97e0, enclosingStaticScope=enclosingStaticScope@entry=...) at js/src/frontend/Parser.cpp:1206
#14 0x0883f924 in BytecodeCompiler::compileFunctionBody (this=this@entry=0xffff9834, fun=fun@entry=..., formals=formals@entry=..., generatorKind=generatorKind@entry=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:639
#15 0x0883fbdb in CompileFunctionBody (cx=<optimized out>, fun=..., options=..., formals=..., srcBuf=..., enclosingStaticScope=..., generatorKind=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:872
#16 0x0883fd46 in js::frontend::CompileFunctionBody (cx=0xf7a75020, fun=..., options=..., formals=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:891
#17 0x08579873 in FunctionConstructor (cx=0xf7a75020, argc=<optimized out>, vp=0xffffab30, generatorKind=js::NotGenerator) at js/src/jsfun.cpp:1779
#18 0x0872259a in js::CallJSNative (cx=0xf7a75020, native=0x8579ac0 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#19 0x0871aa01 in js::Invoke (cx=cx@entry=0xf7a75020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#20 0x0856c9e7 in js::fun_apply (cx=0xf7a75020, argc=2, vp=0xffffaf60) at js/src/jsfun.cpp:1233
#21 0x0872259a in js::CallJSNative (cx=0xf7a75020, native=0x856c5f0 <js::fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#22 0x0871aa01 in js::Invoke (cx=0xf7a75020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#23 0x0871b3ee in js::Invoke (cx=0xf7a75020, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xf45ffd00, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:528
#24 0x08270656 in js::jit::DoCallFallback (cx=cx@entry=0xf7a75020, frame=frame@entry=0xf45ffd48, stub_=stub_@entry=0xf7aa80b0, argc=argc@entry=2, vp=vp@entry=0xf45ffcf0, res=res@entry=...) at js/src/jit/BaselineIC.cpp:6140
#25 0x0850323e in js::jit::Simulator::softwareInterrupt (this=0xf7a22000, instr=0xf41e9344) at js/src/jit/arm/Simulator-arm.cpp:2380
#26 0x08503526 in js::jit::Simulator::decodeType7 (this=0xf7a22000, instr=0xf41e9344) at js/src/jit/arm/Simulator-arm.cpp:3502
#27 0x08501485 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a22000, instr=instr@entry=0xf41e9344) at js/src/jit/arm/Simulator-arm.cpp:4424
#28 0x08505314 in execute<false> (this=0xf7a22000) at js/src/jit/arm/Simulator-arm.cpp:4479
#29 js::jit::Simulator::callInternal (this=this@entry=0xf7a22000, entry=entry@entry=0xf7fc8ab8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4567
#30 0x08505835 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8ab8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4650
#31 0x08250d86 in EnterBaseline (cx=cx@entry=0xf7a75020, data=...) at js/src/jit/BaselineJIT.cpp:150
#32 0x0826b69e in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a75020, state=...) at js/src/jit/BaselineJIT.cpp:188
#33 0x0871a81b in js::RunScript (cx=cx@entry=0xf7a75020, state=...) at js/src/vm/Interpreter.cpp:416
#34 0x0871aab6 in js::Invoke (cx=0xf7a75020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:494
#35 0x0871b3ee in js::Invoke (cx=cx@entry=0xf7a75020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:528
#36 0x0851e2d0 in JS_CallFunction (cx=0xf7a75020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2864
#37 0x086a59b2 in OOMTest (cx=0xf7a75020, argc=1, vp=0xffffbcb0) at js/src/builtin/TestingFunctions.cpp:1297
[...]
#59 main (argc=4, argv=0xffffccd4, envp=0xffffcce8) at js/src/shell/js.cpp:7305

eax            0x0        0
ebx            0x9884430  159925296
ecx            0xf7e3a88c -136075124
edx            0x0        0
esi            0xf7c8a0ac -137846612
edi            0xf7a5cb34 -140129484
ebp            0xffff90c8 4294938824
esp            0xffff90b0 4294938800
eip            0x8466d1a  <js::jit::Instruction::extractCond()+42>
=> 0x8466d1a <js::jit::Instruction::extractCond()+42>:  movl   $0x7c3,0x0
   0x8466d24 <js::jit::Instruction::extractCond()+52>:  call   0x80fffa0 <abort()>
```
Updated • 7 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 7 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/23f8c4fb046e
user:      Luke Wagner
date:      Wed Feb 10 09:23:15 2016 -0600
summary:   Bug 1240583 - Odin: fix long jumps/calls on ARM for large modules (r=bbouvier)

This iteration took 363.351 seconds to run.
Comment 2 • 7 years ago

Looking.
Comment 5 • 7 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/6efe1b395bcf
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48