Closed Bug 1352500 Opened 7 years ago Closed 7 years ago

Hit MOZ_CRASH(ARM simulator breakpoint) at js/src/jit/arm/Simulator-arm.cpp:3185 with asm.js

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- disabled
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

setperformcall.patch
3.23 KB, patch
luke
: review+
gchang
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 8df9fabf2587 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --arm-hwcap=vfp --ion-offthread-compile=off):

function asmCompile() {
    var f = Function.apply(null, arguments);
    return f;
}
setJitCompilerOption('asmjs.atomics.enable', 1);
var m1 = asmCompile("stdlib", "ffi", "heap", `
    "use asm";
    var i8 = new stdlib.Int8Array(heap);
    var add = stdlib.Atomics.add;
    function f() {
	add(i8, 0, 1);
    }
    return { f:f }
`);
var { f } = m1(this, {}, new SharedArrayBuffer(65536));
f();



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x08513288 in js::jit::Simulator::decodeType01 (this=0xf7968000, instr=0x5ace2028) at js/src/jit/arm/Simulator-arm.cpp:3185
#0  0x08513288 in js::jit::Simulator::decodeType01 (this=0xf7968000, instr=0x5ace2028) at js/src/jit/arm/Simulator-arm.cpp:3185
#1  0x0850fdba in js::jit::Simulator::instructionDecode (this=0xf7968000, instr=0x5ace2028) at js/src/jit/arm/Simulator-arm.cpp:4687
#2  0x0851390a in js::jit::Simulator::execute<false> (this=0xf7968000) at js/src/jit/arm/Simulator-arm.cpp:4760
#3  js::jit::Simulator::callInternal (this=0xf7968000, entry=0x5ace2068 "\004\340-\345\360\037-\351\020\212", <incomplete sequence \355>) at js/src/jit/arm/Simulator-arm.cpp:4848
#4  0x08513bf1 in js::jit::Simulator::call (this=<optimized out>, entry=0x5ace2068 "\004\340-\345\360\037-\351\020\212", <incomplete sequence \355>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4931
#5  0x08929790 in js::wasm::Instance::callExport (this=0xf5175280, cx=0xf791d000, funcIndex=4097, args=...) at js/src/wasm/WasmInstance.cpp:655
#6  0x0892a1ec in WasmCall (cx=0xf791d000, argc=0, vp=0xf5056058) at js/src/wasm/WasmJS.cpp:1114
#7  0x0817a537 in js::CallJSNative (cx=0xf791d000, native=0x892a140 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:282
[...]
#21 main (argc=5, argv=0xffffcda4, envp=0xffffcdbc) at js/src/shell/js.cpp:8664
eax	0x0	0
ebx	0x8cdfff4	147718132
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0x8cdfff4	147718132
edi	0xf7da3df8	-136692232
ebp	0xffffbd58	4294950232
esp	0xffffbd00	4294950144
eip	0x8513288 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+5112>
=> 0x8513288 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+5112>:	movl   $0x0,0x0
   0x8513292 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+5122>:	ud2    


This seems pretty much identical to bug 1350552 but still reproduces on tip.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

        Attachment #8853487 -
        Flags: review?(luke)

    
  

        Attachment #8853487 -
        Flags: review?(luke) → review+

    
    

    
  
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/26c12944db87
Baldr: Force stack alignment for asm.js atomics callouts on ARM; r=luke

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/26c12944db87
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox55:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55

    
    

    
  
At the risk of repeating myself, Tier3 (ARMv6) bugs really ought not be labeled critical.

    
    

    
  
(In reply to Lars T Hansen [:lth] from comment #4)
> At the risk of repeating myself, Tier3 (ARMv6) bugs really ought not be
> labeled critical.

We file bugs with templates and the default template has "critical" for the severity because that has always been the standard severity for JS bugs. We often cannot determine is something is Tier1 or Tier3 so this should be changed by JS triage when appropriate.

    
    

    
  
Should we consider backporting this or can it ride the trains?
Blocks: 1277973

          status-firefox52:
          --- → wontfix

          status-firefox53:
          --- → affected

          status-firefox54:
          --- → affected

          status-firefox-esr52:
          --- → disabled
Flags: needinfo?(bbouvier)

    
    

    
  
We could backport for fuzzing.
Flags: needinfo?(bbouvier)

    
    

    
  
Comment on attachment 8853487 [details] [diff] [review]
setperformcall.patch

Approval Request Comment
[Feature/Bug causing the regression]: atomics in asm.js
[User impact if declined]: crashes on tier-3 platforms (arm v6)
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not much
[Why is the change risky/not risky?]: patch is only a few lines of code
[String changes made/needed]: n/a

        Attachment #8853487 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8853487 [details] [diff] [review]
setperformcall.patch

We can take this in Aurora to fix crashes on tier-3 platforms. Aurora54+.

        Attachment #8853487 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.