Crash [@ vixl::Instruction::InstructionBits]
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: gkw, Assigned: nbp)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 02b89c29412b (build with --enable-simulator=arm64, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --ion-limit-script-size=off):
See attachment.
Backtrace:
#0 vixl::Instruction::InstructionBits (this=0x40000255f) at js/src/jit/arm64/vixl/Instructions-vixl.h:179
#1 vixl::Instruction::Bits (this=0x40000255f, msb=28, lsb=27) at js/src/jit/arm64/vixl/Instructions-vixl.h:191
#2 vixl::Decoder::DecodeInstruction (this=0x7fd92742d100, instr=0x40000255f) at js/src/jit/arm64/vixl/Decoder-vixl.cpp:37
#3 0x000055dbf1d35ffc in vixl::Decoder::Decode (this=0x7fd92742d100, instr=0x40000255f) at js/src/jit/arm64/vixl/Decoder-vixl.h:158
#4 vixl::Simulator::ExecuteInstruction (this=0x7fd92743c800) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:192
/snip
For detailed crash information, see attachment.
(Note that the testcase takes about 30 seconds to crash)
Comment 1 • 6 years ago (Reporter)
Comment 2 • 6 years ago (Reporter)
Comment hidden (obsolete)
Comment 4 • 6 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Jan, I'm totally unsure as to whether bug 1382650 is a likely regressor...
It's unlikely but it changed --ion-eager behavior slightly. Does it reproduce before that with --ion-eager instead of --ion-warmup-threshold=0?
Comment 5 • 6 years ago (Reporter)
You're right, it does; in fact, it goes way back to m-c rev 80a506f7caa7 by using --ion-eager instead of --ion-warmup-threshold=0 before that changeset.
https://hg.mozilla.org/mozilla-central/rev/80a506f7caa7
Setting needinfo? from :sstangl and :nbp then.
Comment 6 • 5 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 7 • 5 years ago
Hey nbp, is this being worked on for 68? Thanks!
Comment 8 • 5 years ago (Assignee)
(In reply to Patricia Lawless from comment #7)
> Hey nbp, is this being worked on for 68? Thanks!
This is blocked by Bug 1546446, which has a patch waiting for review.
Comment 9 • 5 years ago (Reporter)
Nicolas, bug 1546446 has been fixed, and I'm seemingly unable to reproduce this anymore, what's next?
Comment 10 • 5 years ago (Assignee)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> Nicolas, bug 1546446 has been fixed, and I'm seemingly unable to reproduce this anymore, what's next?
Closing this bug.