Closed Bug 1353681 Opened 7 years ago Closed 7 years ago

Crash [@ js::jit::Simulator::decodeType01] or Assertion failure: !cycleEnd_, at jit/MoveResolver.h:278

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED DUPLICATE of bug 1299147
Tracking Status: firefox55 --- affected

People

(Reporter: gkw, Assigned: sstangl)

Details: 4 keywords, Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 7a3f514cf849 (build with --32 --enable-more-deterministic --enable-simulator=arm, run with --fuzzing-safe --no-threads --ion-eager --ion-gvn=off --ion-check-range-analysis):

function f1(f, inputs) {
    var x = [];
    for (var j = 0; j < 2; ++j) {
        for (var k = 0; k < 1; ++k) {
            try {
                x.push(f(inputs[j], inputs[k]));
            } catch (e) {}
        }
    }
}
function f2(x) {
    Math.fround(-Math.fround(Math.fround()))
    Math.min(undefined) ? (Math.tan, Math.tan | 0 | 0) :
        +(Math.fround(0) > Math.fround() > -Infinity)
}
f1(f2, [Infinity]);
f1(f2, [Infinity, 0]);
Backtrace:

#0  js::jit::Simulator::decodeType01 (this=0xf7123000, instr=0x247eb08c) at js/src/jit/arm/Simulator-arm.cpp:3185
#1  0x083dc20a in js::jit::Simulator::instructionDecode (this=0xf7123000, instr=0x247eb08c) at js/src/jit/arm/Simulator-arm.cpp:4687
#2  0x083dc76a in js::jit::Simulator::execute<false> (this=0xf7123000) at js/src/jit/arm/Simulator-arm.cpp:4760
#3  js::jit::Simulator::callInternal (this=0xf7123000, entry=0x247c87b8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4848
#4  0x083dca2c in js::jit::Simulator::call (this=0xf7123000, entry=0x247c87b8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4931
/snip

For detailed crash information, see attachment.

Build configuration:
CXX="g++ -m32 -msse2 -mfpmath=sse" CC="gcc -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-simulator=arm --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
This seems to differ from bug 1299147 even though the assert (and stack) seems similar; this one crashes the opt shell whereas that one does not.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b7adf3986079
user:        Sander Mathijs van Veen
date:        Tue Feb 07 07:18:00 2017 +0100
summary:     Bug 1337367 - Postpone spilling bundles till after regalloc main loop r=bhackett

Sander, is bug 1337367 a likely regressor?
Blocks: 1337367
Flags: needinfo?(sandervv)
I discovered I may have filed some related dupe(?) bugs previously, e.g. bug 1337967, but this seems to be the first one which crashes opt builds as well.

Moving needinfo? to Jan/Hannes. It will be nice to have this fixed.
Flags: needinfo?(sandervv)
Flags: needinfo?(jdemooij)
Flags: needinfo?(hv1989)
Hannes, weren't you working on this signature a while ago? Either that or I'm confusing it with another bug.
Flags: needinfo?(jdemooij)
Ignore previous comment. We do save d0. We go wrong somewhere else. Further investigating.
This is most likely a range analysis bug.

I manually looked at the two places where the "move resolver" came into trouble. I looked at the generated code and, as I noticed in bug 1299147, it actually outputs correct code in this case too.

When removing the "cycle" asserts in a debug release, I get an extra clue:
Assertion failure: Double input should be lower or equal than Upperbound., at /home/h4writer/Build/mozilla-inbound/js/src/jit/MacroAssembler.cpp:1654

This bug is a range analysis bug and not a "move resolver" bug.
Flags: needinfo?(hv1989)
If you can give me a testcase or a patch that causes that Double input assert, I can try to bisect as well.
Flags: needinfo?(hv1989)
Group: core-security
Likely range analysis bug + Hannes is unlikely to be working on this in the future, so redirecting needinfo? to Jan.
Flags: needinfo?(hv1989) → needinfo?(jdemooij)
Needs re-testing now that Bug 1299147 landed. If that didn't fix it, I'll take a look.
Assignee: nobody → sstangl
Flags: needinfo?(jdemooij)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   358107:8178250f3a8b
user:        Sean Stangl
date:        Thu May 04 15:39:52 2017 -0700
summary:     Bug 1299147 - Split double MoveOperands that conflict with floats. r=jandem

I verified using autobisect that this is indeed FIXED by bug 1299147.
Great!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security