Closed Bug 1697846 Opened 3 years ago Closed 3 years ago

Arm64 simulator misexecutes fcvtn

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox88 --- fixed

People

(Reporter: yury, Assigned: yury)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1697846 - Fix ARM64 simulator execution for FCVTN. r?nbp
48 bytes, text/x-phabricator-request
Details | Review

Per Aarch64 instruction description: "the FCVTN instruction writes the vector to the lower half of the destination register and clears the upper half". The https://searchfox.org/mozilla-central/source/js/src/jit/arm64/vixl/Logic-vixl.cpp#4303 does not include logic for the latter part.

I run the following "assertion" code:

 {
    ScratchSimd128Scope scratch(*this);
    vixl::UseScratchRegisterScope temps(this);

    loadConstantSimd128(SimdConstant::SplatX2(333333333333333333.0),
                                    scratch);
    Fcvtn(Simd2S(scratch), Simd2D(scratch));
    const ARMRegister scratch2 = temps.AcquireX();
    Mov(scratch2, Simd2D(scratch), 1);
    Cmp(scratch2, Operand(0));
    Label done;
    branch(Assembler::Zero, &done);
    breakpoint();
    bind(&done);
  }

It fails on the simulator, but not on the hardware.

No longer blocks: 1687949
No longer depends on: 1687936

cc nbp

lots of bugs in the armsim. the upstream sources sometimes fix these, see file added by nbp only yesterday for pointer.

Reducing severity to the lowest, as the simulator is not used when running Firefox.

Severity: S2 → S4
Blocks: 1687629
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED

(In reply to Yury Delendik (:yury) from comment #0)

Per Aarch64 instruction description: "the FCVTN instruction writes the vector to the lower half of the destination register and clears the upper half".

The AArch64 documentation I have does not state this. Do you have a link to this documentation?

(In reply to Nicolas B. Pierron [:nbp] from comment #5)

(In reply to Yury Delendik (:yury) from comment #0)

Per Aarch64 instruction description: "the FCVTN instruction writes the vector to the lower half of the destination register and clears the upper half".

The AArch64 documentation I have does not state this. Do you have a link to this documentation?

page 1571 of "DDI0487Fc_armv8_arm.pdf" book has this text

I reported the issue to the https://git.linaro.org/arm/vixl.git/about/ -- so far they agree with the report and fix is being tested.

The fix is available at https://github.com/Linaro/vixl/commit/5319db71bd868385fc61bfbd57867453aab2b116 . Which of the fixes we want to use?

Pushed by ydelendik@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5123b27b3f7e
Fix ARM64 simulator execution for FCVTN. r=nbp

https://hg.mozilla.org/mozilla-central/rev/5123b27b3f7e

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Blocks: 1700458
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: