Closed Bug 1522284 Opened 7 years ago Closed 7 years ago

ARM64: Crash in ion/nursery-getter-setter.js

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla67

Tracking Flags:

Tracking

Status

firefox-esr60

---

wontfix

firefox64

---

wontfix

firefox65

---

wontfix

firefox66

---

wontfix

firefox67

---

fixed

People

(Reporter: sstangl, Assigned: nbp)

References

Details

(Keywords: crash, Whiteboard: [arm64:m3])

Attachments

(1 file)

Bug 1522284 - ARM64: record when JitCode is storing nursery pointers. 7 years ago Nicolas B. Pierron [:nbp] 47 bytes, text/x-phabricator-request		Details

Sean Stangl [:sstangl]

Reporter

Description

•

7 years ago

When run on ARM64 hardware, this test fails: ion/nursery-getter-setter.js

The arguments passed are as follows:

--ion-eager --ion-offthread-compile=off --more-compartments ion/nursery-getter-setter.js
--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads ion/nursery-getter-setter.js

The crash signature is as follows:

Thread 1 "js" received signal SIGSEGV, Segmentation fault.
0x000036f793643cf8 in ?? ()
(gdb) x/8i $pc-12
   0x36f793643cec:	sub	sp, x28, #0x8
   0x36f793643cf0:	str	x16, [x28, #-8]!
   0x36f793643cf4:	ldr	x2, [x2, #48]
=> 0x36f793643cf8:	ldr	x2, [x2]
   0x36f793643cfc:	mov	sp, x28
   0x36f793643d00:	blr	x2
   0x36f793643d04:	add	x28, x28, #0x48
   0x36f793643d08:	ldr	d0, [x28]
(gdb) p/x $x2
$1 = 0xfffe2f2f2f2f2f2f

Chris Peterson [:cpeterson]

Comment 1

•

7 years ago

[arm64:m3] because we should fix reproducible test crashes before letting ARM64 Fennec Nightly ride the trains to Beta.

status-firefox64: --- → wontfix

status-firefox65: --- → wontfix

status-firefox66: --- → affected

status-firefox-esr60: --- → wontfix

Keywords: crash

Whiteboard: [arm64:m3]

Nicolas B. Pierron [:nbp]

Assignee

Updated

•

7 years ago

Assignee: nobody → nicolas.b.pierron

Status: NEW → ASSIGNED

Nicolas B. Pierron [:nbp]

Assignee

Comment 2

•

7 years ago

Attached file Bug 1522284 - ARM64: record when JitCode is storing nursery pointers. — Details

Pulsebot

Comment 3

•

7 years ago

Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/611a26ed535b ARM64: record when JitCode is storing nursery pointers. r=sstangl

Razvan Maries

Comment 4

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/611a26ed535b

Status: ASSIGNED → RESOLVED

Closed: 7 years ago

status-firefox67: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla67

Ryan VanderMeulen [:RyanVM]

Updated

•

7 years ago

status-firefox66: affected → wontfix

You need to log in before you can comment on or make changes to this bug.

Bugzilla

ARM64: Crash in ion/nursery-getter-setter.js

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Tracking

()

People

(Reporter: sstangl, Assigned: nbp)

References

Details

(Keywords: crash, Whiteboard: [arm64:m3])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Updated

Attachment

General

Description

File Name

Content Type