Closed Bug 1521092 Opened 5 years ago Closed 5 years ago

ARM64: Assertion failed: got 5, expected 4 at _[0] (basic/array-copyWithin.js)

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
Unspecified
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: nbp, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [arm64:m3])

Attachments

(2 files)

Codegen Spew: Output the name of the CacheIR functions.
121.54 KB, patch
sstangl
: review+
Details | Diff | Splinter Review
ARM64: pop(FloatRegister) use ARMFPRegister instead of the register code.
1.01 KB, patch
sstangl
: review+
Details | Diff | Splinter Review
No description provided.
This patch adds a bunch more context information to CacheIR generated code, by
displaying the name of the function like we already do with the LIR instruction
name in IonMonkey.

I would not have been able to locate the issue without this patch.
Attachment #9038604 - Flags: review?(sstangl)
The issue was that CacheIRCompiler::emitGuardIsInt32Index would, only in the
IonMonkey case, push and pop a Float register on the stack.

The problem was that that MacroAssemblerCompat::pop(FloatRegister) was
implemented using the register code instead of using the ARMFPRegister
constructor which does the conversion from FloatRegister to an ARMFPRegister.

Therefore, we poped the doubled value in the x0 register instead of popping the
value in d0, erasing the previous value and causing either differential
behaviours or crashes.
Attachment #9038607 - Flags: review?(sstangl)
Attachment #9038604 - Flags: review?(sstangl) → review+
Comment on attachment 9038607 [details] [diff] [review]
ARM64: pop(FloatRegister) use ARMFPRegister instead of the register code.

Review of attachment 9038607 [details] [diff] [review]:
-----------------------------------------------------------------

Argh. What a footgun.
Attachment #9038607 - Flags: review?(sstangl) → review+

The codegen spew patch needs rebasing.

Flags: needinfo?(nicolas.b.pierron)
Keywords: checkin-needed

[arm64:m3] because we should fix reproducible test crashes before letting ARM64 Fennec Nightly ride the trains to Beta.

status-firefox64: --- → wontfix
status-firefox65: --- → wontfix
status-firefox66: --- → affected
status-firefox-esr60: --- → wontfix
Keywords: crash
Whiteboard: [arm64:m3]
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/35d94075e745
Codegen Spew: Output the name of the CacheIR functions. r=sstangl
https://hg.mozilla.org/integration/mozilla-inbound/rev/9c28047982f2
ARM64: pop(FloatRegister) use ARMFPRegister instead of the register code. r=sstangl

https://hg.mozilla.org/mozilla-central/rev/35d94075e745
https://hg.mozilla.org/mozilla-central/rev/9c28047982f2

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Flags: needinfo?(nicolas.b.pierron)
You need to log in before you can comment on or make changes to this bug.