Closed
Bug 1522248
Opened 6 years ago
Closed 6 years ago
ARM64: Crash in TypedObject/jit-read-u16-from-mdim-array.js
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1521092
People
(Reporter: sstangl, Unassigned)
References
Details
(Keywords: crash, Whiteboard: [arm64:m3])
When run on ARM64 hardware, this test fails: TypedObject/jit-read-u16-from-mdim-array.js
The arguments passed are as follows:
--ion-eager --ion-offthread-compile=off --more-compartments TypedObject/jit-read-u16-from-mdim-array.js
--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads TypedObject/jit-read-u16-from-mdim-array.js
The crash signature is as follows:
Thread 1 "js" received signal SIGSEGV, Segmentation fault.
0x0000ffffb1652000 in ?? ()
(gdb) x/i $pc
=> 0xffffb1652000: str h24, [x11, #1528]
(gdb) p/x $x11
$1 = 0x1
(gdb) p/x $h24
$2 = {u = 0x0, s = 0x0}
(gdb) x/8i $pc-12
0xffffb1651ff4: .inst 0x00000000 ; undefined
0xffffb1651ff8: .inst 0x00000000 ; undefined
0xffffb1651ffc: .inst 0x00000000 ; undefined
=> 0xffffb1652000: str h24, [x11, #1528]
0xffffb1652004: .inst 0x00002da6 ; undefined
0xffffb1652008: adds x20, x22, #0x3f9, lsl #12
0xffffb165200c: .inst 0x0000ffff ; undefined
0xffffb1652010: .inst 0x000017b8 ; undefined
Possibly related to Bug 1522242.
|
||
Comment 1•6 years ago
|
||
[arm64:m3] because we should fix reproducible test crashes before letting ARM64 Fennec Nightly ride the trains to Beta.
status-firefox64:
--- → wontfix
status-firefox65:
--- → wontfix
status-firefox66:
--- → affected
status-firefox-esr60:
--- → wontfix
Keywords: crash
Whiteboard: [arm64:m3]
|
||
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•