Closed Bug 1548843 Opened 6 years ago Closed 6 years ago

Assertion failure: is_int19(imm19), at /js/src/jit/arm64/vixl/Assembler-vixl.h:3645

Categories: Core :: JavaScript Engine: JIT, defect, P1
Hardware / OS: ARM64 / All
Status: RESOLVED FIXED
People: Reporter: nbp, Assigned: nbp

Details

Running the testcase from Bug 1545379 with the same arguments, and fixing the issue reported in Bug 1546446, highlights the following new issue (after running for ~20 minutes):

Thread 1 received signal SIGSEGV, Segmentation fault.
0x000055d12f28e7f3 in vixl::Assembler::ImmCondBranch (imm19=262145) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/Assembler-vixl
3645        VIXL_ASSERT(is_int19(imm19));
(rr) p /t imm19
$1 = 1000000000000000001
(rr) bt
#0  0x000055d12f28e7f3 in vixl::Assembler::ImmCondBranch (imm19=262145) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/Assembler-vixl.h:3645
#1  0x000055d12f2855cd in vixl::Instruction::SetBranchImmTarget (this=0x55d137bda054, target=0x55d137cda058) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/Instructions-vixl.cpp:409
#2  0x000055d12f2ca139 in vixl::Instruction::SetImmPCRawOffset (this=0x55d137bda054, offset=262145) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/MozInstructions-vixl.cpp:159
#3  0x000055d12f2cc0e4 in vixl::MozBaseAssembler::PatchShortRangeBranchToVeneer (buffer=0x55d13df2a240, rangeIdx=1, deadline=..., veneer=...) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/MozAssembler-vixl.cpp:526
#4  0x000055d12f2318bf in js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, vixl::Instruction, vixl::MozBaseAssembler, 2u>::finishPool (this=0x55d13df2a240, reservedBytes=128)
    at /home/nicolas/mozilla/wksp-7/js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:1012
#5  0x000055d12f230632 in js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, vixl::Instruction, vixl::MozBaseAssembler, 2u>::insertEntryForwards (this=0x55d13df2a240, numInst=1, numPoolEntries=0, inst=0x7fff37df8444 "\037 \003\325", data=0x0)
    at /home/nicolas/mozilla/wksp-7/js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:786
#6  0x000055d12f230142 in js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, vixl::Instruction, vixl::MozBaseAssembler, 2u>::allocEntry (this=0x55d13df2a240, numInst=1, numPoolEntries=0, inst=0x7fff37df8444 "\037 \003\325", data=0x0, pe=0x0)
    at /home/nicolas/mozilla/wksp-7/js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:852
#7  0x000055d12f23089d in js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, vixl::Instruction, vixl::MozBaseAssembler, 2u>::putInt (this=0x55d13df2a240, value=3573751839) at /home/nicolas/mozilla/wksp-7/js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:894
#8  0x000055d12f22dfbd in vixl::MozBaseAssembler::Emit (this=0x55d13df29f08, instruction=3573751839, isBranch=false) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/MozBaseAssembler-vixl.h:231
#9  0x000055d12f2cba73 in vixl::Assembler::hint (this=0x55d13df29f08, code=vixl::NOP) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/MozAssembler-vixl.cpp:392
#10 0x000055d12f180f17 in vixl::Assembler::nop (this=0x55d13df29f08) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/vixl/Assembler-vixl.h:1807
#11 0x000055d12f208247 in js::jit::CodeGeneratorARM64::generateInvalidateEpilogue (this=0x55d13df29ec0) at /home/nicolas/mozilla/wksp-7/js/src/jit/arm64/CodeGenerator-arm64.cpp:1544
#12 0x000055d12f3ecc41 in js::jit::CodeGenerator::generate (this=0x55d13df29ec0) at /home/nicolas/mozilla/wksp-7/js/src/jit/CodeGenerator.cpp:10728
#13 0x000055d12f471cd7 in js::jit::GenerateCode (mir=0x55d137f7c238, lir=0x55d1336f3d60) at /home/nicolas/mozilla/wksp-7/js/src/jit/Ion.cpp:1729
#14 0x000055d12f471e12 in js::jit::CompileBackEnd (mir=0x55d137f7c238) at /home/nicolas/mozilla/wksp-7/js/src/jit/Ion.cpp:1750
#15 0x000055d12f4e5aeb in js::jit::IonCompile (cx=0x55d131dc5680, script=0xa11f4ab4b80, baselineFrame=0x7f13977dbed0, osrPc=0x55d131fe4434 "\343\063>", recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal)
    at /home/nicolas/mozilla/wksp-7/js/src/jit/Ion.cpp:2068
#16 0x000055d12f4732c2 in js::jit::Compile (cx=0x55d131dc5680, script=..., osrFrame=0x7f13977dbed0, osrPc=0x55d131fe4434 "\343\063>", forceRecompile=false) at /home/nicolas/mozilla/wksp-7/js/src/jit/Ion.cpp:2277
#17 0x000055d12f473d67 in BaselineCanEnterAtBranch (cx=0x55d131dc5680, script=..., osrFrame=0x7f13977dbed0, pc=0x55d131fe4434 "\343\063>") at /home/nicolas/mozilla/wksp-7/js/src/jit/Ion.cpp:2469
#18 0x000055d12f47371c in js::jit::IonCompileScriptForBaseline (cx=0x55d131dc5680, frame=0x7f13977dbed0, pc=0x55d131fe4434 "\343\063>") at /home/nicolas/mozilla/wksp-7/js/src/jit/Ion.cpp:2532

Apparently vixl::MozBaseAssembler::PatchShortRangeBranchToVeneer is inserted too late, and this should be compensated by triggering the spilling of branches sooner.

The issue might be related to a mis-computed secondaryVeneers in hasSpaceForInsts.

This bug was introduced by the patch added in Bug 1546446; I will update the patch which is present on that other bug.
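The assertion in frame #0 fires because a B.cond on A64 carries its target as a signed 19-bit offset counted in 4-byte instructions (bits 23:5 of the instruction word), so the furthest forward target it can reach is 2^18 - 1 instructions away. The addresses in frame #1 (this=0x55d137bda054, target=0x55d137cda058) are 0x100004 bytes apart, which is exactly the imm19=262145 in the trace and two instructions past that limit. The following is an added example, not vixl or SpiderMonkey code; it reproduces the is_int19 check, the field encoding, and the arithmetic on the trace's own addresses, and it returns false instead of asserting so a caller could fall back to a veneer. All function and constant names are this example's own.

```cpp
#include <cstdint>
#include <cstdio>

// A64 B.cond encoding facts (ARM Architecture Reference Manual):
// the imm19 field sits in bits [23:5] and is a signed count of 4-byte instructions.
constexpr int kImmCondBranchBits = 19;
constexpr int kImmCondBranchShift = 5;
constexpr int kInstructionSize = 4;

// Equivalent of vixl's is_intN: does x fit in a signed n-bit field?
constexpr bool IsIntN(int n, int64_t x) {
  const int64_t limit = int64_t{1} << (n - 1);
  return -limit <= x && x < limit;
}

// Largest forward distance, in bytes, a single B.cond can cover.
constexpr int64_t kMaxForwardReachBytes =
    ((int64_t{1} << (kImmCondBranchBits - 1)) - 1) * kInstructionSize;

// Word offset from a branch at `branch` to `target`, as SetBranchImmTarget computes it.
int64_t CondBranchImm19(uintptr_t branch, uintptr_t target) {
  return (static_cast<int64_t>(target) - static_cast<int64_t>(branch)) / kInstructionSize;
}

bool CondBranchInRange(uintptr_t branch, uintptr_t target) {
  return IsIntN(kImmCondBranchBits, CondBranchImm19(branch, target));
}

// Write imm19 into the instruction word. Returns false (leaving instr untouched)
// when the offset does not fit, which is where a veneer would have to be used.
bool EncodeImmCondBranch(uint32_t& instr, int64_t imm19) {
  if (!IsIntN(kImmCondBranchBits, imm19)) return false;
  const uint32_t mask = ((1u << kImmCondBranchBits) - 1) << kImmCondBranchShift;
  instr = (instr & ~mask) |
          ((static_cast<uint32_t>(imm19) << kImmCondBranchShift) & mask);
  return true;
}

// Read the field back, sign-extending from 19 bits.
int64_t DecodeImmCondBranch(uint32_t instr) {
  uint32_t field = (instr >> kImmCondBranchShift) & ((1u << kImmCondBranchBits) - 1);
  if (field & (1u << (kImmCondBranchBits - 1))) {
    field |= ~((1u << kImmCondBranchBits) - 1);  // sign-extend
  }
  return static_cast<int32_t>(field);
}

int main() {
  // Addresses copied from frame #1 of the backtrace above.
  const uintptr_t branch = 0x55d137bda054;
  const uintptr_t target = 0x55d137cda058;
  const int64_t imm19 = CondBranchImm19(branch, target);
  std::printf("imm19 = %lld, fits = %d\n", static_cast<long long>(imm19),
              CondBranchInRange(branch, target));
  std::printf("overshoot past max reach = %lld bytes\n",
              static_cast<long long>((target - branch) - kMaxForwardReachBytes));
  return 0;
}
```

The check that PatchShortRangeBranchToVeneer relies on is the one that failed here: by the time finishPool tried to redirect the branch to its veneer, the veneer itself was already out of the branch's reach, which is why the comment above concludes that branches have to be spilled to veneers earlier rather than the assertion being relaxed.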

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: javascript-core-security → core-security-release
Group: core-security-release