Closed Bug 1319232 Opened 8 years ago Closed 8 years ago

Assertion failure: cmpret == 0, at js/src/jit/arm/Simulator-arm.cpp:1085

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox53 --- fixed

People

(Reporter: gkw, Assigned: sstangl)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
29.95 KB, text/plain
Details
0001-Bug-1319232-Correctly-set-cacheInvalidatedBySignalHa.patch
945 bytes, patch
luke
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 0534254e9a40 (build with --enable-debug --enable-more-deterministic --32 --enable-simulator=arm, run with --fuzzing-safe --no-threads --ion-eager --arm-sim-icache-checks --no-asmjs): // Adapted from randomly chosen test: js/src/jit-test/tests/asm.js/testTimeout4.js var f = Function("\ function g() {\ while (true) {};\ }\ return g;\ ").apply(); timeout(1); f(); Backtrace: 0 js-dbg-32-dm-clang-armSim-darwin-0534254e9a40 0x004fed16 js::jit::Simulator::checkICacheLocked(js::HashMap<void*, js::jit::CachePage*, js::jit::Simulator::ICacheHasher, js::SystemAllocPolicy>&, js::jit::SimInstruction*) + 326 (Simulator-arm.cpp:1085) 1 js-dbg-32-dm-clang-armSim-darwin-0534254e9a40 0x004fe887 js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) + 151 (Simulator-arm.cpp:379) 2 js-dbg-32-dm-clang-armSim-darwin-0534254e9a40 0x0050783a void js::jit::Simulator::execute<false>() + 138 (Simulator-arm.cpp:4753) 3 js-dbg-32-dm-clang-armSim-darwin-0534254e9a40 0x00507111 js::jit::Simulator::callInternal(unsigned char*) + 225 (Simulator-arm.cpp:4842) 4 js-dbg-32-dm-clang-armSim-darwin-0534254e9a40 0x00507a2b js::jit::Simulator::call(unsigned char*, int, ...) + 283 (Simulator-arm.cpp:4926) /snip For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/39a7161b9628 user: Sean Stangl date: Fri Nov 18 14:29:00 2016 -0500 summary: Bug 1285074 - Make ICacheMap manipulation signal-safe. r=luke Sean, is bug 1285074 a likely regressor?
Blocks: 1285074
Flags: needinfo?(sstangl)
The atomic was never toggled.
Flags: needinfo?(sstangl)
Attachment #8812931 - Flags: review?(luke)
Comment on attachment 8812931 [details] [diff] [review] 0001-Bug-1319232-Correctly-set-cacheInvalidatedBySignalHa.patch Review of attachment 8812931 [details] [diff] [review]: ----------------------------------------------------------------- oops
Attachment #8812931 - Flags: review?(luke) → review+
Assignee: nobody → sstangl
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/eb9fb9a30fd9 Correctly set cacheInvalidatedBySignalHandler_. r=luke
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/eb9fb9a30fd9
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: