Closed Bug 1545379 Opened 6 years ago Closed 5 years ago

Crash [@ vixl::Instruction::InstructionBits]

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1546446
Tracking Status
firefox68 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 02b89c29412b (build with --enable-simulator=arm64, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --ion-limit-script-size=off):

See attachment.

Backtrace:

#0 vixl::Instruction::InstructionBits (this=0x40000255f) at js/src/jit/arm64/vixl/Instructions-vixl.h:179
#1 vixl::Instruction::Bits (this=0x40000255f, msb=28, lsb=27) at js/src/jit/arm64/vixl/Instructions-vixl.h:191
#2 vixl::Decoder::DecodeInstruction (this=0x7fd92742d100, instr=0x40000255f) at js/src/jit/arm64/vixl/Decoder-vixl.cpp:37
#3 0x000055dbf1d35ffc in vixl::Decoder::Decode (this=0x7fd92742d100, instr=0x40000255f) at js/src/jit/arm64/vixl/Decoder-vixl.h:158
#4 vixl::Simulator::ExecuteInstruction (this=0x7fd92743c800) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:192
/snip

For detailed crash information, see attachment.

(Note that the testcase takes about 30 seconds to crash)

Attached file Testcase

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)

> Jan, I'm totally unsure as to whether bug 1382650 is a likely regressor...

It's unlikely but it changed --ion-eager behavior slightly. Does it reproduce before that with --ion-eager instead of --ion-warmup-threshold=0?

Flags: needinfo?(jdemooij)
No longer regressed by: 1382650

You're right, it does. In fact, it goes way back to m-c rev 80a506f7caa7 by using --ion-eager instead of --ion-warmup-threshold=0 before that changeset.

https://hg.mozilla.org/mozilla-central/rev/80a506f7caa7

Setting needinfo? from :sstangl and :nbp then.

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Depends on: 1546446
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Priority: -- → P1
Depends on: 1548843

Hey nbp, is this being worked on for 68? Thanks!

Flags: needinfo?(nicolas.b.pierron)

(In reply to Patricia Lawless from comment #7)

> Hey nbp, is this being worked on for 68? Thanks!

This is blocked by Bug 1546446, which has a patch waiting for review.

Flags: needinfo?(nicolas.b.pierron)

Nicolas, bug 1546446 has been fixed, and I'm seemingly unable to reproduce this anymore, what's next?

Flags: needinfo?(nicolas.b.pierron)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)

> Nicolas, bug 1546446 has been fixed, and I'm seemingly unable to reproduce this anymore, what's next?

Closing this bug.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE