Bug 465205
Opened 16 years ago
Closed 16 years ago
Crash in nanojit when accessing mozilla.org on windows ce arm
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| fennec | 1.0a1-wm+ | --- |
People
(Reporter: blassey, Assigned: vlad)
(Keywords: mobile)
Attachments
(2 files)
The crash is happening in __utm.js. The disassembly around the faulting PC (00430EE4, which is the `fmsr s14, r0` immediately after the indirect call made by `add lr, pc, #4` / `ldr pc, [pc, #-4]`; the `stmvcdb ...^` at 00430EE0 is the call-target literal being mis-decoded as an instruction, not real code) is:
00430E64 eor r9, r9, r9
00430E68 str r9, [r11, #-0xC]
00430E6C ldr r9, [r10]
00430E70 ldr r7, [r10, #0xC]
00430E74 ldr r0, [r9, #-0x28]
00430E78 ldr r8, [r9, #-0x20]
00430E7C ldr r10, [r9, #-0x10]
00430E80 ldr r7, [r7, #0x98]
00430E84 ldr r7, [r7, #0x3C]
00430E88 ldr r6, [pc, #-0xE70]
00430E8C str r6, [r9]
00430E90 str r7, [r9, #8]
00430E94 str r0, [r9, #0x10]
00430E98 ldr r7, [pc, #-0xE84]
00430E9C ldr r7, [r7]
00430EA0 ldr r6, [r7, #4]
00430EA4 ldr r6, [r6, #0x10]
00430EA8 ldr r12, [pc, #-0xE98]
00430EAC cmp r6, r12
00430EB0 bne 00431F60
00430EB4 ldr r7, [r7, #0x20]
00430EB8 ldr r12, [pc, #-0xEAC]
00430EBC cmp r7, r12
00430EC0 bne 00431F78
00430EC4 str r0, [r9, #0x18]
00430EC8 ldr r7, [pc, #-0xEC0]
00430ECC str r7, [r9, #0x10]
00430ED0 str r10, [r9, #0x20]
00430ED4 mov r1, r10
00430ED8 add lr, pc, #4
00430EDC ldr pc, [pc, #-4]
00430EE0 stmvcdb sp, {r5, r6, r9, r10, r12, pc}^
00430EE4 fmsr s14, r0
The nanojit verbose console output for the same trace, followed by the exception record, is:
prologue
00430E50:
push 4ff0
mov FP,SP
patch entry
00430E58:
sub SP,28
patching 00430FE4 to 00430E5C
00430E5C:
compiling trunk 010C10D0 T1
state = param 0 r0
spill state
str r0, [FP, #-4] r0(state)
mov r10,r0 r0(state)
0
eor r9,r9 r10(state)
spill 0
str r9, [FP, #-12] r9(0) r10(state)
sp = ld state[0]
ldr r9, [r10, #0] r10(state)
cx = ld state[12]
ldr r7, [r10, #12] r9(sp) r10(state)
$_uHash.d = ld sp[-40]
ldr r0, [r9, #-40] r7(cx) r9(sp)
ld10 = ld sp[-32]
ldr r8, [r9, #-32] r0($_uHash.d) r7(cx) r9(sp)
ld12 = ld sp[-16]
ldr r10, [r9, #-16] r0($_uHash.d) r7(cx) r8(ld10) r9(sp)
ld13 = ld cx[152]
ldr r7, [r7, #152] r0($_uHash.d) r7(cx) r8(ld10) r9(sp) r10(ld12)
ld14 = ld ld13[60]
ldr r7, [r7, #60] r0($_uHash.d) r7(ld13) r8(ld10) r9(sp) r10(ld12)
PCVAL_TO_OBJECT(pcval)
ld r6,0x1213bd0 r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
ldr r6, [PC, #-3696] r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
(-3696(PC) = 0x1213bd0) r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
sti sp[0] = PCVAL_TO_OBJECT(pcval)
str r6, [r9, #0] r0($_uHash.d) r6(PCVAL_TO_OBJECT(pcval)) r7(ld14) r8(ld10) r9(sp) r10(ld12)
sti sp[8] = ld14
str r7, [r9, #8] r0($_uHash.d) r7(ld14) r8(ld10) r9(sp) r10(ld12)
sti sp[16] = $_uHash.d
str r0, [r9, #16] r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
obj
ld r7,0xce0f00 r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
ldr r7, [PC, #-3716] r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
(-3716(PC) = 0xce0f00) r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
ld16 = ld obj[0]
ldr r7, [r7, #0] r0($_uHash.d) r7(obj) r8(ld10) r9(sp) r10(ld12)
ops = ld ld16[4]
ldr r6, [r7, #4] r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
ld17 = ld ops[16]
ldr r6, [r6, #16] r0($_uHash.d) r6(ops) r7(ld16) r8(ld10) r9(sp) r10(ld12)
guard(native-map) = eq ld17, OP(&js_ObjectOps)
xf4: xf guard(native-map) -> 0:48 sp+24 rp+0
cmp r6,0x794a60b0 r0($_uHash.d) r6(ld17) r7(ld16) r8(ld10) r9(sp) r10(ld12)
ldr IP, [PC, #-3736] r0($_uHash.d) r6(ld17) r7(ld16) r8(ld10) r9(sp) r10(ld12)
(-3736(PC) = 0x794a60b0) r0($_uHash.d) r6(ld17) r7(ld16) r8(ld10) r9(sp) r10(ld12)
jne 0x00431f60 r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
b(cnd) 00431F60 r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431F60:
restore state
ldr r0, [FP, #-4]
ld r2,0x42057c
ldr r2, [PC, #-3888]
(-3888(PC) = 0x42057c)
ld r1,0x10c10d0
ldr r1, [PC, #-3896]
(-3896(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 004205CC
shape = ld ld16[32]
ldr r7, [r7, #32] r0($_uHash.d) r7(ld16) r8(ld10) r9(sp) r10(ld12)
guard(kshape) = eq shape, 7572
xf5: xf guard(kshape) -> 0:48 sp+24 rp+0
cmp r7,0x1d94 r0($_uHash.d) r7(shape) r8(ld10) r9(sp) r10(ld12)
ldr IP, [PC, #-3756] r0($_uHash.d) r7(shape) r8(ld10) r9(sp) r10(ld12)
(-3756(PC) = 0x1d94) r0($_uHash.d) r7(shape) r8(ld10) r9(sp) r10(ld12)
jne 0x00431f78 r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
b(cnd) 00431F78 r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431F78:
restore state
ldr r0, [FP, #-4]
ld r2,0x4205e0
ldr r2, [PC, #-3920]
(-3920(PC) = 0x4205e0)
ld r1,0x10c10d0
ldr r1, [PC, #-3928]
(-3928(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 00420630
sti sp[24] = $_uHash.d
str r0, [r9, #24] r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
PCVAL_TO_OBJECT(pcval)
ld r7,0x1212ea8 r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
ldr r7, [PC, #-3776] r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
(-3776(PC) = 0x1212ea8) r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
sti sp[16] = PCVAL_TO_OBJECT(pcval)
str r7, [r9, #16] r0($_uHash.d) r7(PCVAL_TO_OBJECT(pcval)) r8(ld10) r9(sp) r10(ld12)
sti sp[32] = ld12
str r10, [r9, #32] r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
js_String_p_charCodeAt2 = js_String_p_charCodeAt ( $_uHash.d ld12 )
mov r1,r10 r0($_uHash.d) r8(ld10) r9(sp) r10(ld12)
bl 794D9660 (32-bit) r8(ld10) r9(sp) r10(ld12)
i2f9 = i2f js_String_p_charCodeAt2
fmsr s14,r0 r0(js_String_p_charCodeAt2) r8(ld10) r9(sp) r10(ld12)
fsitod d6,s14 r0(js_String_p_charCodeAt2) r8(ld10) r9(sp) r10(ld12)
lt2 = lt js_String_p_charCodeAt2, 0
xt4: xt lt2 -> 0:54 sp+40 rp+0
cmp r0,0x0 r0(js_String_p_charCodeAt2) r8(ld10) r9(sp) r10(ld12) d6(i2f9)
jl 0x00431f90 r8(ld10) r9(sp) r10(ld12) d6(i2f9)
b(cnd) 00431F90 r8(ld10) r9(sp) r10(ld12) d6(i2f9)
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431F90:
restore state
ldr r0, [FP, #-4]
ld r2,0x420668
ldr r2, [PC, #-3952]
(-3952(PC) = 0x420668)
ld r1,0x10c10d0
ldr r1, [PC, #-3960]
(-3960(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 004206B8
ParseIntDouble2 = ParseIntDouble ( i2f9 )
fmrrd r0,r1,d6 r8(ld10) r9(sp) r10(ld12) d6(i2f9)
bl 7949E98C (32-bit) r8(ld10) r9(sp) r10(ld12)
str r1, [FP, #-20] r8(ld10) r9(sp) r10(ld12)
str r0, [FP, #-24] r8(ld10) r9(sp) r10(ld12)
restore ParseIntDouble2
fldd d6,FP(-24) r8(ld10) r9(sp) r10(ld12)
stqi sp[-8] = ParseIntDouble2
fstd d6,r9(-8) r8(ld10) r9(sp) r10(ld12) d6(ParseIntDouble2)
lsh3 = lsh ld10, 6
lsl r8,6 r8(ld10) r9(sp) r10(ld12) d6(ParseIntDouble2)
#0FFFFFFF
ld r7,0xfffffff r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
ldr r7, [PC, #-3860] r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
(-3860(PC) = 0xfffffff) r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
and3 = and lsh3, #0FFFFFFF
and r8,r7 r7(#0FFFFFFF) r8(lsh3) r9(sp) r10(ld12) d6(ParseIntDouble2)
i2f11 = i2f and3
fmsr s14,r8 r8(and3) r9(sp) r10(ld12) d6(ParseIntDouble2)
fsitod d5,s14 r8(and3) r9(sp) r10(ld12) d6(ParseIntDouble2)
fadd3 = fadd i2f11, ParseIntDouble2
faddd d5,d5,d6 r9(sp) r10(ld12) d5(i2f11) d6(ParseIntDouble2)
spill fadd3
fstd d5,FP(-24) r9(sp) r10(ld12) d5(fadd3) d6(ParseIntDouble2)
stqi sp[8] = ParseIntDouble2
fstd d6,r9(8) r9(sp) r10(ld12) d6(ParseIntDouble2)
js_DoubleToInt32_3 = js_DoubleToInt32 ( ParseIntDouble2 )
fmrrd r0,r1,d6 r9(sp) r10(ld12) d6(ParseIntDouble2)
bl 79529F98 (32-bit) r9(sp) r10(ld12)
restore fadd3
fldd d6,FP(-24) r9(sp) r10(ld12)
mov r8,r0 r0(js_DoubleToInt32_3) r9(sp) r10(ld12) d6(fadd3)
lsh4 = lsh js_DoubleToInt32_3, 14
lsl r8,14 r8(js_DoubleToInt32_3) r9(sp) r10(ld12) d6(fadd3)
i2f12 = i2f lsh4
fmsr s14,r8 r8(lsh4) r9(sp) r10(ld12) d6(fadd3)
fsitod d5,s14 r8(lsh4) r9(sp) r10(ld12) d6(fadd3)
fadd4 = fadd fadd3, i2f12
faddd d6,d6,d5 r9(sp) r10(ld12) d5(i2f12) d6(fadd3)
stqi sp[-32] = fadd4
fstd d6,r9(-32) r9(sp) r10(ld12) d6(fadd4)
stqi sp[0] = fadd4
fstd d6,r9(0) r9(sp) r10(ld12) d6(fadd4)
#0FE00000
ld r8,0xfe00000 r9(sp) r10(ld12) d6(fadd4)
ldr r8, [PC, #-3940] r9(sp) r10(ld12) d6(fadd4)
(-3940(PC) = 0xfe00000) r9(sp) r10(ld12) d6(fadd4)
spill #0FE00000
str r8, [FP, #-8] r8(#0FE00000) r9(sp) r10(ld12) d6(fadd4)
js_DoubleToInt32_4 = js_DoubleToInt32 ( fadd4 )
fmrrd r0,r1,d6 r9(sp) r10(ld12) d6(fadd4)
bl 79529F98 (32-bit) r9(sp) r10(ld12)
restore 0
ldr r6, [FP, #-12] r9(sp) r10(ld12)
restore #0FE00000
ldr r5, [FP, #-8] r6(0) r9(sp) r10(ld12)
mov r7,r0 r0(js_DoubleToInt32_4) r5(#0FE00000) r6(0) r9(sp) r10(ld12)
restore state
ldr r0, [FP, #-4] r5(#0FE00000) r6(0) r9(sp) r10(ld12)
and4 = and js_DoubleToInt32_4, #0FE00000
mov r8,r7 r0(state) r5(#0FE00000) r6(0) r7(js_DoubleToInt32_4) r9(sp) r10(ld12)
and r8,r5 r0(state) r5(#0FE00000) r6(0) r7(js_DoubleToInt32_4) r9(sp) r10(ld12)
sti sp[0] = and4
str r8, [r9, #0] r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
sti sp[-24] = and4
str r8, [r9, #-24] r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
sti sp[8] = 0
str r6, [r9, #8] r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
eq3 = eq and4, 0
xt5: xt eq3 -> 0:104 sp+16 rp+0
test r8,r8 r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
je 0x00431fa8 r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
b(cnd) 00431FA8 r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431FA8:
skip r0
ld r2,0x4207a8
ldr r2, [PC, #-3980]
(-3980(PC) = 0x4207a8)
ld r1,0x10c10d0
ldr r1, [PC, #-3988]
(-3988(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 004207F8
rsh2 = rsh and4, 21
mov r5,r8 r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
asr r5,21 r0(state) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
xor2 = xor js_DoubleToInt32_4, rsh2
eor r7,r5 r0(state) r5(rsh2) r6(0) r7(js_DoubleToInt32_4) r8(and4) r9(sp) r10(ld12)
sti sp[-32] = xor2
str r7, [r9, #-32] r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(ld12)
-1
ld r5,0xffffffff r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(ld12)
add2 = add ld12, -1
add r10,r10+r5 r0(state) r5(-1) r6(0) r7(xor2) r8(and4) r9(sp) r10(ld12)
ov2 = ov add2
xt6: xt ov2 -> 0:122 sp+0 rp+0
bvs 0x00431fbc r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
b(cnd) 00431FBC r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431FBC:
skip r0
ld r2,0x42084c
ldr r2, [PC, #-4008]
(-4008(PC) = 0x42084c)
ld r1,0x10c10d0
ldr r1, [PC, #-4016]
(-4016(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 0042089C
sti sp[-16] = add2
str r10, [r9, #-16] r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
sti sp[0] = add2
str r10, [r9, #0] r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
sti sp[8] = 0
str r6, [r9, #8] r0(state) r6(0) r7(xor2) r8(and4) r9(sp) r10(add2)
ge2 = ge add2, 0
xf6: xf ge2 -> 0:130 sp+16 rp+0
cmp r10,0x0 r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
jnge 0x00431fd0 r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
b(cnd) 00431FD0 r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431FD0:
skip r0
ld r2,0x4208b8
ldr r2, [PC, #-4036]
(-4036(PC) = 0x4208b8)
ld r1,0x10c10d0
ldr r1, [PC, #-4044]
(-4044(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 00420908
sti sp[-32] = xor2
str r7, [r9, #-32] r0(state) r7(xor2) r8(and4) r9(sp) r10(add2)
sti sp[-24] = and4
str r8, [r9, #-24] r0(state) r8(and4) r9(sp) r10(add2)
sti sp[-16] = add2
str r10, [r9, #-16] r0(state) r9(sp) r10(add2)
1
loop
b 00000000
--------------------------------------- exit block (LIR_xt|LIR_xf)
00431FE4:
restore state
ldr r0, [FP, #-4]
ld r2,0x420914
ldr r2, [PC, #-4068]
(-4068(PC) = 0x420914)
ld r1,0x10c10d0
ldr r1, [PC, #-4076]
(-4076(PC) = 0x10c10d0)
mov SP,FP
b 00430FEC
--------------------------------------- end exit block 00420970
epilogue:
00430FEC:
mov r0,r2
mov SP,FP
pop 4ff0
bx LR
fragment 010C10D0:
ENTRY: 0 0 4 1 1 1 2
recording completed at resource://gre/test.html:11@42 via closeLoop
Looking for compat peer 11@42, from 010C10D0 (ip: 00D5BBDE, hits=2)
checking vm types 010C10D0 (ip: 00D5BBDE): callee0=O/O this0=O/O argv0=S/S vars0=I/I vars1=I/I vars2=I/I vars3=I/D
entering trace at resource://gre/test.html:11@42, native stack slots: 13 code: 00430E50
stack: callee0=object<008D28F8:Function> this0=object<00B138E0:Window> argv0=string<00BA18C8> vars0=int<50382577> vars1=int<50331648> vars2=int<7> vars3=double<105>
Undefined Instruction: Thread=9e7b0000 Proc=800971c0 'xulrunner.exe'
AKY=00010001 PC=00430ee4(xulrunner.exe+0x00420ee4) RA=00000000(???+0x00000000) BVA=22881968 FSR=00000405
Unhandled exception at 0x00430ee4 in xulrunner.exe: 0xC000001D: Illegal Instruction.
| Assignee | ||
Comment 1•16 years ago
(In reply to comment #0)
> 00430EE4 fmsr s14, r0
Are you on a platform without VFP? The faulting instruction is a VFP move, so that is what this looks like. If so, we need to build with a different set of nanojit flags -- without NJ_ARM_VFP and with NJ_SOFTFLOAT. That path is somewhat less tested, but should be OK. I have some work in progress to make this selectable at runtime, though reliably detecting whether VFP is present at runtime turns out to be harder than it sounds.
| Assignee | ||
Comment 2•16 years ago
Here's a quick test, compiled straight with cl using `/QRfpe-`. It uses VFP to do some floating-point math and then puts up a message box saying OK if it succeeded -- can you check whether this runs on the device?
| Reporter | ||
Comment 3•16 years ago
It crashes on the HTC Touch Pro:
Undefined Instruction: Thread=8b94a000 Proc=80458af0 'vfptest.exe'
AKY=02000001 PC=00011010(vfptest.exe+0x00001010) RA=00011074(vfptest.exe+0x00001074) BVA=35ffc9d4 FSR=00000005
Unhandled exception at 0x00011010 in vfptest.exe: 0xC000001D: Illegal Instruction.
| Reporter | ||
Comment 4•16 years ago
Here's the disassembly; the arrow marks the faulting PC (00011010), which is the first VFP instruction (`fldd`) the test executes, so the fault is raised as soon as any VFP instruction is issued:
00011000 mov r12, sp
00011004 stmdb sp!, {r0 - r3}
00011008 stmdb sp!, {r12, lr}
0001100C sub sp, sp, #8
->00011010 fldd d1, [sp,#+16]
00011014 fldd d0, [sp,#+24]
00011018 fmuld d1, d1, d0
0001101C ldr r3, [pc, #0x20]
00011020 fldd d0, [r3]
00011024 faddd d0, d1, d0
00011028 mrrc p11, 1, r2, r3, c0
Updated•16 years ago
tracking-fennec: --- → 1.0b1+
Updated•16 years ago
tracking-fennec: 1.0b1+ → 1.0a1-wm+
| Reporter | ||
Updated•16 years ago
Assignee: general → vladimir
Status: NEW → ASSIGNED
| Assignee | ||
Comment 5•16 years ago
This should be fixed by detecting the supported instruction-set features (VFP in particular) at runtime, so the JIT only emits VFP code on hardware that has it; that work is tracked in bug 480796.
Depends on: 480796
| Reporter | ||
Updated•16 years ago
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED