Closed
Bug 1301797
Opened 5 years ago
Closed 5 years ago
MOZ_CRASH("Unexpected type") in js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: jchen, Unassigned)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
|
1.34 KB,
patch
|
bbouvier
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-679c4130-578c-4623-8668-2e9762160909. ============================================================= Low volume crash that started with the 09-08 nightly (regression range [1]). So far, there have been 6 crashes for the 09-08 nightly on Windows, making it the #31 crash. Luke, could this be caused by one of the bugs you landed recently? [1] https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=91c2b9d5c1354ca79e5b174591dbb03b32b15bbf&tochange=938ce16be25f9c551c19ef8938e8717ed3d41ff5
Flags: needinfo?(luke)
|
||
Comment 1•5 years ago
|
||
Ah crud, I just looked at the cset, and it looks like I left out Uint8Clamped when I inlined the switch (asm.js doesn't have Uint8Clamped but JS does). Fix in a sec.
Flags: needinfo?(luke)
|
|
||
Comment 2•5 years ago
|
||
I tried for a while to actually reproduce this (feeding it various asm.js patterns) but the type analysis is apparently super-fickle.
Attachment #8789948 -
Flags: review?(sunfish)
|
||
Comment 3•5 years ago
|
||
Comment on attachment 8789948 [details] [diff] [review] re-add-uint8-clamped Review of attachment 8789948 [details] [diff] [review]: ----------------------------------------------------------------- Trivial, stealing.
Attachment #8789948 -
Flags: review?(sunfish) → review+
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1808f8757cb0 Ion: re-add Uint8Clamped case to CodeGeneratorX86::visitLoadTypedArrayElementStatic (r=bbouvier)
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1808f8757cb0
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
I was catching up on backlog and found that jsfunfuzz actually caught this, and the issue is fixed by the patch. new Uint8ClampedArray(4277 << 4277) + 0; Run with --fuzzing-safe --no-threads --ion-eager on m-c rev 6138e059bacb and the following configuration command: LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin14.5.0 --disable-jemalloc --enable-profiling --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests Setting needinfo? from Luke in case he would like to have a testcase as per comment 2.
Flags: needinfo?(luke)
|
|
||
Comment 9•5 years ago
|
||
Oh hah, I see: I was stepping through the IonBuilder optimization, saw it failing on the isSingleton check and I couldn't find out how to get a singleton. Turns out, it only works for typed arrays bigger than TypedArrayObject::SINGLETON_BYTE_LENGTH (10mb) and created via view (not ArrayBuffer). Fragile indeed.
|
||
Comment 10•5 years ago
|
||
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/36835c15063d add Uint8ClampedArray test (r=me)
|
|
||
Comment 11•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/36835c15063d
|
|
||
Comment 12•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/36835c15063d
You need to log in
before you can comment on or make changes to this bug.
Description
•