Closed Bug 465205 Opened 16 years ago Closed 15 years ago

Crash in nanojit when accessing mozilla.org on windows ce arm

Categories

(Core :: JavaScript Engine, defect)

ARM
Windows Mobile 6 Professional
defect
Not set
normal


RESOLVED FIXED
Tracking Status
fennec 1.0a1-wm+ ---

People

(Reporter: blassey, Assigned: vlad)


Details

(Keywords: mobile)

Attachments

(2 files)

Attached file reduced test case
the crash is happening in __utm.js.

The assembly is:
00430E64  eor         r9, r9, r9 
00430E68  str         r9, [r11, #-0xC] 
00430E6C  ldr         r9, [r10] 
00430E70  ldr         r7, [r10, #0xC] 
00430E74  ldr         r0, [r9, #-0x28] 
00430E78  ldr         r8, [r9, #-0x20] 
00430E7C  ldr         r10, [r9, #-0x10] 
00430E80  ldr         r7, [r7, #0x98] 
00430E84  ldr         r7, [r7, #0x3C] 
00430E88  ldr         r6, [pc, #-0xE70] 
00430E8C  str         r6, [r9] 
00430E90  str         r7, [r9, #8] 
00430E94  str         r0, [r9, #0x10] 
00430E98  ldr         r7, [pc, #-0xE84] 
00430E9C  ldr         r7, [r7] 
00430EA0  ldr         r6, [r7, #4] 
00430EA4  ldr         r6, [r6, #0x10] 
00430EA8  ldr         r12, [pc, #-0xE98] 
00430EAC  cmp         r6, r12 
00430EB0  bne         00431F60 
00430EB4  ldr         r7, [r7, #0x20] 
00430EB8  ldr         r12, [pc, #-0xEAC] 
00430EBC  cmp         r7, r12 
00430EC0  bne         00431F78 
00430EC4  str         r0, [r9, #0x18] 
00430EC8  ldr         r7, [pc, #-0xEC0] 
00430ECC  str         r7, [r9, #0x10] 
00430ED0  str         r10, [r9, #0x20] 
00430ED4  mov         r1, r10 
00430ED8  add         lr, pc, #4 
00430EDC  ldr         pc, [pc, #-4] 
00430EE0  stmvcdb     sp, {r5, r6, r9, r10, r12, pc}^ 
00430EE4  fmsr        s14, r0 

and the console output is:
        prologue
        00430E50:
                   push 4ff0                 
                   mov FP,SP                 
         patch entry
         00430E58:
                   sub SP,28                 
patching 00430FE4 to 00430E5C
        00430E5C:
compiling trunk 010C10D0 T1
    state = param 0 r0
        spill state
                   str r0, [FP, #-4]          r0(state)
                   mov r10,r0                 r0(state)
    0
                   eor r9,r9                  r10(state)
        spill 0
                   str r9, [FP, #-12]         r9(0) r10(state)
    sp = ld state[0]
                   ldr r9, [r10, #0]          r10(state)
    cx = ld state[12]
                   ldr r7, [r10, #12]         r9(sp) r10(state)
    $_uHash.d = ld sp[-40]
                   ldr r0, [r9, #-40]         r7(cx) r9(sp)
    ld10 = ld sp[-32]
                   ldr r8, [r9, #-32]         r0($_uHash.d) r7(cx) r9(sp)
    ld12 = ld sp[-16]
                   ldr r10, [r9, #-16]        r0($_uHash.d) r7(cx) r8(ld10) r9(sp)
    ld13 = ld cx[152]
                   ldr r7, [r7, #152]         r0($_uHash.d) r7(cx) r8(ld10) r9(sp) r10(ld12)
    ld14 = ld ld13[60]
                   ldr r7, [r7, #60]          r0($_uHash.d) r7(ld13) r8(ld10) r9(sp) r10(ld12)
    PCVAL_TO_OBJECT(pcval)
                   ld  r6,0x1213bd0           r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
                   ldr r6, [PC, #-3696]       r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
                     (-3696(PC) = 0x1213bd0)  r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
    sti sp[0] = PCVAL_TO_OBJECT(pcval)
                   str r6, [r9, #0]           r0($_uHash.d) r6(PCVAL_TO_OBJECT(pcval)) r7(ld14) r8(ld10) r9(sp) r10(ld12)
    sti sp[8] = ld14
                   str r7, [r9, #8]           r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
    sti sp[16] = $_uHash.d
                   str r0, [r9, #16]          r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
    obj
                   ld  r7,0xce0f00            r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
                   ldr r7, [PC, #-3716]       r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
                     (-3716(PC) = 0xce0f00)   r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
    ld16 = ld obj[0]
                   ldr r7, [r7, #0]           r0($_uHash.d) r7(obj) r8(ld10) r9(sp) r10(ld12)
    ops = ld ld16[4]
                   ldr r6, [r7, #4]           r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
    ld17 = ld ops[16]
                   ldr r6, [r6, #16]          r0($_uHash.d) r6(ops) r7(ld16) r8(ld10) r9(sp) r10(ld12)
    guard(native-map) = eq ld17, OP(&js_ObjectOps)
    xf4: xf guard(native-map) -> 0:48 sp+24 rp+0
                   cmp r6,0x794a60b0          r0($_uHash.d) r6(ld17) r7(ld16) r8(ld10) r9(sp) r10(ld12)
                   ldr IP, [PC, #-3736]       r0($_uHash.d) r6(ld17) r7(ld16) r8(ld10) r9(sp) r10(ld12)
                     (-3736(PC) = 0x794a60b0) r0($_uHash.d) r6(ld17) r7(ld16) r8(ld10) r9(sp) r10(ld12)
                   jne 0x00431f60             r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
                   b(cnd) 00431F60            r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431F60:
        restore state
                   ldr r0, [FP, #-4]         
                   ld  r2,0x42057c           
                   ldr r2, [PC, #-3888]      
                     (-3888(PC) = 0x42057c)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-3896]      
                     (-3896(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 004205CC
    shape = ld ld16[32]
                   ldr r7, [r7, #32]          r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
    guard(kshape) = eq shape, 7572
    xf5: xf guard(kshape) -> 0:48 sp+24 rp+0
                   cmp r7,0x1d94              r0($_uHash.d) r7(shape) r8(ld10) r9(sp) r10(ld12)
                   ldr IP, [PC, #-3756]       r0($_uHash.d) r7(shape) r8(ld10) r9(sp) r10(ld12)
                     (-3756(PC) = 0x1d94)     r0($_uHash.d) r7(shape) r8(ld10) r9(sp) r10(ld12)
                   jne 0x00431f78             r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
                   b(cnd) 00431F78            r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431F78:
        restore state
                   ldr r0, [FP, #-4]         
                   ld  r2,0x4205e0           
                   ldr r2, [PC, #-3920]      
                     (-3920(PC) = 0x4205e0)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-3928]      
                     (-3928(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 00420630
    sti sp[24] = $_uHash.d
                   str r0, [r9, #24]          r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
    PCVAL_TO_OBJECT(pcval)
                   ld  r7,0x1212ea8           r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
                   ldr r7, [PC, #-3776]       r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
                     (-3776(PC) = 0x1212ea8)  r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
    sti sp[16] = PCVAL_TO_OBJECT(pcval)
                   str r7, [r9, #16]          r0($_uHash.d) r7(PCVAL_TO_OBJECT(pcval)) r8(ld10) r9(sp) r10(ld12)
    sti sp[32] = ld12
                   str r10, [r9, #32]         r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
    js_String_p_charCodeAt2 = js_String_p_charCodeAt ( $_uHash.d ld12 )
                   mov r1,r10                 r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
                   bl 794D9660 (32-bit)       r8(ld10) r9(sp) r10(ld12)
    i2f9 = i2f js_String_p_charCodeAt2
                   fmsr s14,r0                r0(js_String_p_charCodeAt2) r8(ld10) r9(sp) r10(ld12)
                   fsitod d6,s14              r0(js_String_p_charCodeAt2) r8(ld10) r9(sp) r10(ld12)
    lt2 = lt js_String_p_charCodeAt2, 0
    xt4: xt lt2 -> 0:54 sp+40 rp+0
                   cmp r0,0x0                 r0(js_String_p_charCodeAt2) r8(ld10) r9(sp) r10(ld12) d6(i2f9)
                   jl 0x00431f90              r8(ld10) r9(sp) r10(ld12) d6(i2f9)
                   b(cnd) 00431F90            r8(ld10) r9(sp) r10(ld12) d6(i2f9)
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431F90:
        restore state
                   ldr r0, [FP, #-4]         
                   ld  r2,0x420668           
                   ldr r2, [PC, #-3952]      
                     (-3952(PC) = 0x420668)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-3960]      
                     (-3960(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 004206B8
    ParseIntDouble2 = ParseIntDouble ( i2f9 )
                   fmrrd r0,r1,d6             r8(ld10) r9(sp) r10(ld12) d6(i2f9)
                   bl 7949E98C (32-bit)       r8(ld10) r9(sp) r10(ld12)
                   str r1, [FP, #-20]         r8(ld10) r9(sp) r10(ld12)
                   str r0, [FP, #-24]         r8(ld10) r9(sp) r10(ld12)
        restore ParseIntDouble2
                   fldd d6,FP(-24)            r8(ld10) r9(sp) r10(ld12)
    stqi sp[-8] = ParseIntDouble2
                   fstd d6,r9(-8)             r8(ld10) r9(sp) r10(ld12) d6(ParseIntDouble2)
    lsh3 = lsh ld10, 6
                   lsl r8,6                   r8(ld10) r9(sp) r10(ld12) d6(ParseIntDouble2)
    #0FFFFFFF
                   ld  r7,0xfffffff           r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
                   ldr r7, [PC, #-3860]       r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
                     (-3860(PC) = 0xfffffff)  r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
    and3 = and lsh3, #0FFFFFFF
                   and r8,r7                  r7(#0FFFFFFF) r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
    i2f11 = i2f and3
                   fmsr s14,r8                r8(and3) r9(sp) r10(ld12) d6(ParseIntDouble2)
                   fsitod d5,s14              r8(and3) r9(sp) r10(ld12) d6(ParseIntDouble2)
    fadd3 = fadd i2f11, ParseIntDouble2
                   faddd d5,d5,d6             r9(sp) r10(ld12) d5(i2f11) d6(ParseIntDouble2)
        spill fadd3
                   fstd d5,FP(-24)            r9(sp) r10(ld12) d5(fadd3) d6(ParseIntDouble2)
    stqi sp[8] = ParseIntDouble2
                   fstd d6,r9(8)              r9(sp) r10(ld12) d6(ParseIntDouble2)
    js_DoubleToInt32_3 = js_DoubleToInt32 ( ParseIntDouble2 )
                   fmrrd r0,r1,d6             r9(sp) r10(ld12) d6(ParseIntDouble2)
                   bl 79529F98 (32-bit)       r9(sp) r10(ld12)
        restore fadd3
                   fldd d6,FP(-24)            r9(sp) r10(ld12)
                   mov r8,r0                  r0(js_DoubleToInt32_3) r9(sp) r10(ld12) d6(fadd3)
    lsh4 = lsh js_DoubleToInt32_3, 14
                   lsl r8,14                  r8(js_DoubleToInt32_3) r9(sp) r10(ld12) d6(fadd3)
    i2f12 = i2f lsh4
                   fmsr s14,r8                r8(lsh4) r9(sp) r10(ld12) d6(fadd3)
                   fsitod d5,s14              r8(lsh4) r9(sp) r10(ld12) d6(fadd3)
    fadd4 = fadd fadd3, i2f12
                   faddd d6,d6,d5             r9(sp) r10(ld12) d5(i2f12) d6(fadd3)
    stqi sp[-32] = fadd4
                   fstd d6,r9(-32)            r9(sp) r10(ld12) d6(fadd4)
    stqi sp[0] = fadd4
                   fstd d6,r9(0)              r9(sp) r10(ld12) d6(fadd4)
    #0FE00000
                   ld  r8,0xfe00000           r9(sp) r10(ld12) d6(fadd4)
                   ldr r8, [PC, #-3940]       r9(sp) r10(ld12) d6(fadd4)
                     (-3940(PC) = 0xfe00000)  r9(sp) r10(ld12) d6(fadd4)
        spill #0FE00000
                   str r8, [FP, #-8]          r8(#0FE00000) r9(sp) r10(ld12) d6(fadd4)
    js_DoubleToInt32_4 = js_DoubleToInt32 ( fadd4 )
                   fmrrd r0,r1,d6             r9(sp) r10(ld12) d6(fadd4)
                   bl 79529F98 (32-bit)       r9(sp) r10(ld12)
        restore 0
                   ldr r6, [FP, #-12]         r9(sp) r10(ld12)
        restore #0FE00000
                   ldr r5, [FP, #-8]          r6(0) r9(sp) r10(ld12)
                   mov r7,r0                  r0(js_DoubleToInt32_4) r5(#0FE00000) r6(0) r9(sp) r10(ld12)
        restore state
                   ldr r0, [FP, #-4]          r5(#0FE00000) r6(0) r9(sp) r10(ld12)
    and4 = and js_DoubleToInt32_4, #0FE00000
                   mov r8,r7                  r0(state) r5(#0FE00000) r6(0) r7(js_DoubleToInt32_4) r9(sp) r10(ld12)
                   and r8,r5                  r0(state) r5(#0FE00000) r6(0) r7(js_DoubleToInt32_4) r9(sp) r10(ld12)
    sti sp[0] = and4
                   str r8, [r9, #0]           r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
    sti sp[-24] = and4
                   str r8, [r9, #-24]         r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
    sti sp[8] = 0
                   str r6, [r9, #8]           r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
    eq3 = eq and4, 0
    xt5: xt eq3 -> 0:104 sp+16 rp+0
                   test r8,r8                 r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
                   je 0x00431fa8              r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
                   b(cnd) 00431FA8            r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431FA8:
        skip r0
                   ld  r2,0x4207a8           
                   ldr r2, [PC, #-3980]      
                     (-3980(PC) = 0x4207a8)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-3988]      
                     (-3988(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 004207F8
    rsh2 = rsh and4, 21
                   mov r5,r8                  r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
                   asr r5,21                  r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
    xor2 = xor js_DoubleToInt32_4, rsh2
                   eor r7,r5                  r0(state) r5(rsh2) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
    sti sp[-32] = xor2
                   str r7, [r9, #-32]         r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(ld12)
    -1
                   ld  r5,0xffffffff          r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(ld12)
    add2 = add ld12, -1
                   add r10,r10+r5             r0(state) r5(-1) r6(0) r7(xor2) r8(and4) r9(sp) r10(ld12)
    ov2 = ov add2
    xt6: xt ov2 -> 0:122 sp+0 rp+0
                   bvs 0x00431fbc             r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
                   b(cnd) 00431FBC            r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431FBC:
        skip r0
                   ld  r2,0x42084c           
                   ldr r2, [PC, #-4008]      
                     (-4008(PC) = 0x42084c)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-4016]      
                     (-4016(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 0042089C
    sti sp[-16] = add2
                   str r10, [r9, #-16]        r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
    sti sp[0] = add2
                   str r10, [r9, #0]          r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
    sti sp[8] = 0
                   str r6, [r9, #8]           r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
    ge2 = ge add2, 0
    xf6: xf ge2 -> 0:130 sp+16 rp+0
                   cmp r10,0x0                r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
                   jnge 0x00431fd0            r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
                   b(cnd) 00431FD0            r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431FD0:
        skip r0
                   ld  r2,0x4208b8           
                   ldr r2, [PC, #-4036]      
                     (-4036(PC) = 0x4208b8)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-4044]      
                     (-4044(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 00420908
    sti sp[-32] = xor2
                   str r7, [r9, #-32]         r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
    sti sp[-24] = and4
                   str r8, [r9, #-24]         r0(state) r8(and4) r9(sp) r10(add2)
    sti sp[-16] = add2
                   str r10, [r9, #-16]        r0(state) r9(sp) r10(add2)
    1
    loop
                   b 00000000                
--------------------------------------- exit block (LIR_xt|LIR_xf)
        00431FE4:
        restore state
                   ldr r0, [FP, #-4]         
                   ld  r2,0x420914           
                   ldr r2, [PC, #-4068]      
                     (-4068(PC) = 0x420914)  
                   ld  r1,0x10c10d0          
                   ldr r1, [PC, #-4076]      
                     (-4076(PC) = 0x10c10d0) 
                   mov SP,FP                 
                   b 00430FEC                
--------------------------------------- end exit block 00420970
        epilogue:
        00430FEC:
                   mov r0,r2                 
                   mov SP,FP                 
                   pop 4ff0                  
                   bx LR                     
fragment 010C10D0:
ENTRY: 0 0 4 1 1 1 2 
recording completed at resource://gre/test.html:11@42 via closeLoop
Looking for compat peer 11@42, from 010C10D0 (ip: 00D5BBDE, hits=2)
checking vm types 010C10D0 (ip: 00D5BBDE): callee0=O/O this0=O/O argv0=S/S vars0=I/I vars1=I/I vars2=I/I vars3=I/D 
entering trace at resource://gre/test.html:11@42, native stack slots: 13 code: 00430E50
stack: callee0=object<008D28F8:Function> this0=object<00B138E0:Window> argv0=string<00BA18C8> vars0=int<50382577> vars1=int<50331648> vars2=int<7> vars3=double<105> 
Undefined Instruction: Thread=9e7b0000 Proc=800971c0 'xulrunner.exe'
AKY=00010001 PC=00430ee4(xulrunner.exe+0x00420ee4) RA=00000000(???+0x00000000) BVA=22881968 FSR=00000405
Unhandled exception at 0x00430ee4 in xulrunner.exe: 0xC000001D: Illegal Instruction.
(In reply to comment #0)

> 00430EE4  fmsr        s14, r0 

Are you on a platform without VFP? The faulting instruction at 00430EE4 is `fmsr s14, r0`, a VFP register-transfer instruction, so an undefined-instruction trap there means the device does not execute VFP code. If so, we need to build with a different set of nanojit flags -- no NJ_ARM_VFP, and NJ_SOFTFLOAT instead. That path is somewhat less tested, but should be ok. I have some work in progress to make this runtime selectable, though actually detecting whether VFP is present at runtime is rocket science. Until then, on a non-VFP device any page whose JavaScript gets hot enough to be traced can take the browser down this way.
Attached file vfptest.exe
Here's a quick test, just compiled straight with cl using `/QRfpe-` (hardware VFP, no FP emulation). It uses VFP to do some math, and then puts up a messagebox saying OK if it succeeded... can you check whether this works?
It crashes on the HTC Touch Pro, with the same undefined-instruction fault, this time on the first VFP instruction (`fldd d1, [sp,#+16]` at 00011010):

Undefined Instruction: Thread=8b94a000 Proc=80458af0 'vfptest.exe'
AKY=02000001 PC=00011010(vfptest.exe+0x00001010) RA=00011074(vfptest.exe+0x00001074) BVA=35ffc9d4 FSR=00000005
Unhandled exception at 0x00011010 in vfptest.exe: 0xC000001D: Illegal Instruction.
Here's the disassembly: 

  00011000  mov         r12, sp 
  00011004  stmdb       sp!, {r0 - r3} 
  00011008  stmdb       sp!, {r12, lr} 
  0001100C  sub         sp, sp, #8 
->00011010  fldd        d1, [sp,#+16] 
  00011014  fldd        d0, [sp,#+24] 
  00011018  fmuld       d1, d1, d0 
  0001101C  ldr         r3, [pc, #0x20] 
  00011020  fldd        d0, [r3] 
  00011024  faddd       d0, d1, d0 
  00011028  mrrc        p11, 1, r2, r3, c0
tracking-fennec: --- → 1.0b1+
tracking-fennec: 1.0b1+ → 1.0a1-wm+
Assignee: general → vladimir
Status: NEW → ASSIGNED
This should be fixed by bug 480796, which detects the supported instruction-set features (VFP in particular) at runtime, so nanojit no longer emits VFP instructions unconditionally on hardware that cannot execute them.
Depends on: 480796
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED