Closed
Bug 523581
Opened 15 years ago
Closed 14 years ago
ARM alignment trap caused by aggressive optimization of js/src/jstracer.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: junkmailnotread, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.14) Gecko/2009102016 Gentoo Firefox/3.0.14
Build Identifier: fennec-1.0b5pre
fennec provokes numerous alignment trap warnings on my HP iPAQ hx4700 (armv5tel) PDA. The traps are all at the same program address:
...
Alignment trap: fennec (1774) PC=0x40abc584 Instr=0xe18a60d2 Address=0xbe950eec FSR 0x013
Alignment trap: fennec (1774) PC=0x40abc584 Instr=0xe18a60d2 Address=0xbe950efc FSR 0x013
Alignment trap: fennec (1774) PC=0x40abc584 Instr=0xe18a60d2 Address=0xbe950f04 FSR 0x013
Alignment trap: fennec (1774) PC=0x40abc584 Instr=0xe18a60d2 Address=0xbe950ef4 FSR 0x013
...
I tracked this program address to the file js/src/jstracer.cpp and its function LeaveTree():
d710: e18a60d2 ldrd r6, [sl, r2]
I was not able to match this instruction to any line of C++ source code. Instead it looked like compiler generated function entry code.
So, looking at the Makefile build options, I noticed that -O3 optimization was being used. Reducing this to -O2 fixed the problem.
Here is my fix:
--- mobilebase/xulrunner/js/src/Makefile.orig 2009-10-21 15:01:56.138887402 +0100
+++ mobilebase/xulrunner/js/src/Makefile 2009-10-21 15:06:47.486031614 +0100
@@ -87,9 +87,9 @@
#XXX: do we want different INTERP_OPTIMIZER flags here?
endif
else # not INTEL_CXX
-MODULE_OPTIMIZE_FLAGS = -O3 -fstrict-aliasing $(MOZ_OPTIMIZE_SIZE_TWEAK)
+MODULE_OPTIMIZE_FLAGS = -O2 -fstrict-aliasing $(MOZ_OPTIMIZE_SIZE_TWEAK)
# Special optimization flags for jsinterp.c
-INTERP_OPTIMIZER = -O3 -fstrict-aliasing
+INTERP_OPTIMIZER = -O2 -fstrict-aliasing
endif
else # not GNU_CXX
ifeq ($(OS_ARCH),SunOS)
To summarize: building js/src/jstracer.cpp with -O2 instead of -O3 fixes the alignment trap warnings on my hx4700.
Reproducible: Always
Steps to Reproduce:
1. Build xulrunner and fennec with -march=armv5te
2. Run fennec on HP iPAQ hx4700.
Actual Results:
dmesg output contains numerous Alignment trap warnings from fennec process.
Expected Results:
dmesg output contains no Alignment trap warnings from fennec process.
Reporter | ||
Updated•15 years ago
|
Hardware: Other → ARM
Version: unspecified → Other Branch
Reporter | ||
Comment 1•15 years ago
|
||
The mozilla version is 1.9.3a1pre
Comment 2•15 years ago
|
||
What's the compiler version? It sounds like a compiler bug, to me.
Hardware: ARM → Other
Version: Other Branch → unspecified
Reporter | ||
Comment 3•15 years ago
|
||
% arm-angstrom-linux-gnueabi-gcc -v
Using built-in specs.
Target: arm-angstrom-linux-gnueabi
Configured with: /var/tmp/cross/arm-angstrom-linux-gnueabi/portage/cross-arm-angstrom-linux-gnueabi/gcc-4.3.2-r4/work/gcc-4.3.2/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/arm-angstrom-linux-gnueabi/gcc-bin/4.3.2 --includedir=/usr/lib/gcc/arm-angstrom-linux-gnueabi/4.3.2/include --datadir=/usr/share/gcc-data/arm-angstrom-linux-gnueabi/4.3.2 --mandir=/usr/share/gcc-data/arm-angstrom-linux-gnueabi/4.3.2/man --infodir=/usr/share/gcc-data/arm-angstrom-linux-gnueabi/4.3.2/info --with-gxx-include-dir=/usr/lib/gcc/arm-angstrom-linux-gnueabi/4.3.2/include/g++-v4 --host=x86_64-pc-linux-gnu --target=arm-angstrom-linux-gnueabi --build=x86_64-pc-linux-gnu --disable-altivec --disable-fixed-point --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-multilib --disable-libmudflap --disable-libssp --disable-libgomp --enable-cld --disable-libgcj --enable-languages=c,c++,fortran --with-sysroot=/usr/arm-angstrom-linux-gnueabi --disable-bootstrap --disable-libgomp --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo 4.3.2-r4 p1.8, pie-10.1.5'
Thread model: posix
gcc version 4.3.2 (Gentoo 4.3.2-r4 p1.8, pie-10.1.5)
%
Reporter | ||
Comment 4•15 years ago
|
||
I looked on Gentoo's Bugzilla and found no obvious problem with gcc-4.3.2 and ARM.
But I did run across this statement:
"Using -O3 is not recommended for gcc 4.x."
Source: http://www.gentoo.org/doc/en/gcc-optimization.xml
Comment 5•15 years ago
|
||
That would be an interesting statement to find out more about. Do we know why they recommend that? We've been using -O3 for some time, is there a specific suboptimization that causes problems? (And how old is that comment?)
Reporter | ||
Comment 6•15 years ago
|
||
Today I upgraded my cross-compiler from gcc-4.3.2-r4 to gcc-4.3.4. I rebuilt fennec - using the latest source files - and tried again.
In place of alignment traps I now get a segmentation violation, with both -O3 and -O2 optimizations. For example:
fennec: unhandled page fault (11) at 0xe50b5040, code 0x015
Whether this change in behaviour was caused by the compiler upgrade or updated mozilla-central source files (or both) I do not know.
However, I tracked the segmentation violation to the same place that caused the earlier alignment traps, namely the start of LeaveTree() in js/src/jstracer.cpp.
After adding some debug I believe the problem is with the second argument to LeaveTree(), namely lr:
LeaveTree(InterpState& state, VMSideExit* lr)
In the final call to LeaveTree() before the crash, lr had the value 0xe50b500c. The faulting instruction offsets this address by 52 - i.e. 0xe50b5040 - before dereferencing it and crashing. This address matches the kernel's reported faulting address.
My feeling now is that fennec is crashing because of a programming bug, rather than because of buggy -O3 optimization.
Comment 7•15 years ago
|
||
There is an alloca in LeaveTree(). That might cause complications. I am afraid we will need some more data and disassembly since you are using a non-default build environment.
Reporter | ||
Comment 8•15 years ago
|
||
Hello. OK, I added some more debug. Here are some snippets of jstracer.cpp:
6340 static JS_REQUIRES_STACK VMSideExit*
6341 ExecuteTree(JSContext* cx, Fragment* f, uintN& inlineCallCount,
6342 VMSideExit** innermostNestedGuardp)
6343 {
<snip>
6487 VMSideExit* lr = (VMSideExit*)rec->exit;
6488
6489 AUDIT(traceTriggered);
6490
6491 cx->interpState = state->prev;
6492
6493 JS_ASSERT(!cx->bailExit);
6494 JS_ASSERT(lr->exitType != LOOP_EXIT || !lr->calldepth);
6495 tm->tracecx = NULL;
6496 {
6497 FILE *fp;
6498 fp = fopen("/dev/tty0", "w");
6499 fprintf(fp, "calling LeaveTree 2: lr=%p\n", lr);
6500 fclose(fp);
6501 }
6502 LeaveTree(*state, lr);
6503 return state->innermost;
6504 }
6505
6506 static JS_FORCES_STACK void
6507 LeaveTree(InterpState& state, VMSideExit* lr)
6508 {
6509 {
6510 FILE *fp;
6511 fp = fopen("/dev/tty0", "w");
6512 fprintf(fp, "LeaveTree: lr=%p\n", lr);
6513 fclose(fp);
6514 }
6515 VOUCH_DOES_NOT_REQUIRE_STACK();
6516
6517 JSContext* cx = state.cx;
6518 FrameInfo** callstack = state.callstackBase;
6519 double* stack = state.stackBase;
6520
6521 /*
6522 * Except if we find that this is a nested bailout, the guard the call
6523 * returned is the one we have to use to adjust pc and sp.
6524 */
6525 VMSideExit* innermost = lr;
6526
6527 /*
<snip>
6538 */
6539 FrameInfo** rp = (FrameInfo**)state.rp;
6540 if (lr->exitType == NESTED_EXIT) {
And here are the last 8 lines printed on the screen (typed in here by hand):
calling LeaveTree 2: lr=0x4471d9f8
LeaveTree: lr=0x4471d9f8
calling LeaveTree 2: lr=0x446f0370
LeaveTree: lr=0x446f0370
calling LeaveTree 2: lr=0x447c2388
LeaveTree: lr=0x447c2388
calling LeaveTree 2: lr=0xe50b500c
LeaveTree: lr=0xe50b500c
According to /proc/<pid>/maps, there is nothing at - or anywhere near - address 0xe50b500c. Hence the crash.
So the problem is the 2nd argument (lr) passed to LeaveTree() on line 6502.
Here is the full kernel crash report:
fennec: unhandled page fault (11) at 0xe50b5040, code 0x015
pgd = c1198000
[e50b5040] *pgd=00000000
Pid: 1004, comm: fennec
CPU: 0
PC is at 0x40a945bc
LR is at 0x4002f6f0
pc : [<40a945bc>] lr : [<4002f6f0>] Not tainted
sp : bec178a8 ip : 00000001 fp : bec209a4
r10: 4064e200 r9 : bec178f8 r8 : 446ddcc8
r7 : 40ac1000 r6 : e50b500c r5 : 44878650 r4 : 44878650
r3 : 00000001 r2 : 40360040 r1 : 00000000 r0 : 00000000
Flags: nZCv IRQs on FIQs on Mode USER_32 Segment user
Control: 397F
Table: A1198000 DAC: 00000015
[<c001b368>] (show_regs+0x0/0x50) from [<c0021060>] (__do_user_fault+0x5c/0xa4)
r4 = C0380CE0
[<c0021004>] (__do_user_fault+0x0/0xa4) from [<c00213a4>] (do_bad_area+0x50/0x6c)
r7 = C0007940 r6 = A1198000 r5 = 00003940 r4 = 00000000
[<c0021354>] (do_bad_area+0x0/0x6c) from [<c0021434>] (do_translation_fault+0x74/0x80)
[<c00213c0>] (do_translation_fault+0x0/0x80) from [<c00214ac>] (do_DataAbort+0x38/0x98)
r7 = 00000015 r6 = C0237E98 r5 = 44878650 r4 = C0237E48
[<c0021474>] (do_DataAbort+0x0/0x98) from [<c0019c88>] (ret_from_exception+0x0/0x10)
The program counter 0x40a945bc corresponds to libmozjs.so offset 0xd45bc (since libmozjs.so is loaded at address 0x409c0000).
Here is the disassembly of libmozjs.so:
000d4570 <LeaveTree(InterpState&, VMSideExit*)>:
d4570: e92d4ff0 push {r4, r5, r6, r7, r8, r9, sl, fp, lr}
d4574: e59f7668 ldr r7, [pc, #1640] ; d4be4 <LeaveTree(InterpState&, VMSideExit*)+0x674>
d4578: e1a09000 mov r9, r0
d457c: e1a06001 mov r6, r1
d4580: e59f0660 ldr r0, [pc, #1632] ; d4be8 <LeaveTree(InterpState&, VMSideExit*)+0x678>
d4584: e59f1660 ldr r1, [pc, #1632] ; d4bec <LeaveTree(InterpState&, VMSideExit*)+0x67c>
d4588: e08f7007 add r7, pc, r7
d458c: e24dd02c sub sp, sp, #44 ; 0x2c
d4590: e0871001 add r1, r7, r1
d4594: e0870000 add r0, r7, r0
d4598: ebfcefbf bl 1049c <_init+0x34c>
d459c: e59f264c ldr r2, [pc, #1612] ; d4bf0 <LeaveTree(InterpState&, VMSideExit*)+0x680>
d45a0: e1a03006 mov r3, r6
d45a4: e3a01001 mov r1, #1 ; 0x1
d45a8: e0872002 add r2, r7, r2
d45ac: e1a04000 mov r4, r0
d45b0: ebfcf196 bl 10c10 <_init+0xac0>
d45b4: e1a00004 mov r0, r4
d45b8: ebfcef7e bl 103b8 <_init+0x268>
d45bc: e5963034 ldr r3, [r6, #52]
Instruction d45bc offsets lr (in r6) by 52 which yields &lr->exitType I believe. So my guess is the program crashes on line 6540.
Reporter | ||
Comment 9•15 years ago
|
||
Obviously lr is loaded on line 6487. So the suspected culprit is the rec->exit value.
Incidentally, line 6487 seems suspicious to me:
6487 VMSideExit* lr = (VMSideExit*)rec->exit;
The type of rec->exit is struct SideExit*. However SideExit is a base class of VMSideExit. My C++ is a bit rusty but I'm pretty sure you can't safely cast a pointer to a base object into a pointer to one of its derived objects, because the base object is smaller. Maybe I'm missing something.
Comment 10•15 years ago
|
||
The cast should be fine. Can you break on this line in gdb? (b jstracer.cpp:6487)
And then print the structure (p/x *rec)
Continue a couple of times if needed to hit the error condition (c)
Reporter | ||
Comment 11•15 years ago
|
||
I gave up with gdb after passing the breakpoint 500 times and still with nothing on the screen. Something was wrong.
So instead I used fprintf to write the rec structure to a file. Here's the full output:
jmp=0x40022fb0, next=(nil), exit=0x43491ab0
jmp=0x40022b58, next=(nil), exit=0x435404c0
jmp=0x40022bac, next=(nil), exit=0x43495558
jmp=0x40022bac, next=(nil), exit=0x43495558
jmp=0x40022ec0, next=(nil), exit=0x4348f540
jmp=0x40022bac, next=(nil), exit=0x43495558
jmp=0x40022ec0, next=(nil), exit=0x4348f540
jmp=0x40022ec0, next=(nil), exit=0x4348f540
jmp=0x40022bac, next=(nil), exit=0x43495558
jmp=0x40022698, next=(nil), exit=0x43495b18
jmp=0x40022698, next=(nil), exit=0x43495b18
jmp=0x40022358, next=(nil), exit=0x435ec9b0
jmp=0x40022358, next=(nil), exit=0x435ec9b0
jmp=0x40023e48, next=(nil), exit=0x435ecf68
jmp=0x40023e48, next=(nil), exit=0x435ecf68
jmp=0x404ffbac, next=(nil), exit=0x446eea08
jmp=0x404ff974, next=(nil), exit=0x446eed90
jmp=0x404ff974, next=(nil), exit=0x446eed90
jmp=0x404ff824, next=(nil), exit=0x446efc88
jmp=0x404ff7cc, next=(nil), exit=0x446efb18
jmp=0x404ff618, next=(nil), exit=0x446efe80
jmp=0x404ff618, next=(nil), exit=0x446efe80
jmp=0x404feb60, next=(nil), exit=0x446f0370
jmp=0x404ffb28, next=(nil), exit=0x446ee818
jmp=0xe24dd030, next=0xe50b4008, exit=0xe50b500c
Comment 12•15 years ago
|
||
The addresses on which you're seeing this crash look suspiciously like instructions.
> jmp=0xe24dd030, next=0xe50b4008, exit=0xe50b500c
These disassemble to the following instructions:
e24dd030 sub sp, sp, #48 ; 0x30
e50b4008 str r4, [fp, #-8]
e50b500c str r5, [fp, #-12]
I don't know how that's relevant, but it might be a clue.
Comment 13•15 years ago
|
||
(In reply to comment #0)
> fennec provokes numerous alignment trap warnings on my HP iPAQ hx4700
> (armv5tel) PDA. The traps are all at the same program address:
>
> [...]
>
> I tracked this program address to the file js/src/jstracer.cpp and its function
> LeaveTree():
>
> d710: e18a60d2 ldrd r6, [sl, r2]
>
> I was not able to match this instruction to any line of C++ source code.
> Instead it looked like compiler generated function entry code.
Ah, that could explain things. I'm not terribly familiar with the alignment rules of ARMv5, but from the ARMv5 ARM: "If the load address is not doubleword-aligned, the results are UNPREDICTABLE."
ARMv6 (such as ARM1176) has a (deprecated) compatibility mode to comply with ARMv5's behaviour for LDRD, but can also support word-aligned LDRD.
ARMv7 requires that the processor implements unaligned accesses, but for instructions that load or store multiple words (such as LDRD), word-alignment is still required.
----
So, if ((sl+r2) & 0b111) != (0b000), we would expect to hit an alignment fault on your processor, but not on ARMv6 (not in legacy mode) or ARMv7. Since we test mostly on ARMv6 and ARMv7, it would make sense that we haven't seen this before.
Another clue :-)
Reporter | ||
Comment 14•15 years ago
|
||
I added the value of rec to the debug output, hoping it might be pointing to a text segment when the crash occurs. But no such luck:
pid=893, rec=0x43491b10, jmp=0x40022fb0, next=(nil), exit=0x43491ab0
pid=893, rec=0x43540520, jmp=0x40022b58, next=(nil), exit=0x435404c0
pid=893, rec=0x434955b8, jmp=0x40022bac, next=(nil), exit=0x43495558
pid=893, rec=0x434955b8, jmp=0x40022bac, next=(nil), exit=0x43495558
pid=893, rec=0x4348f5a0, jmp=0x40022ec0, next=(nil), exit=0x4348f540
pid=893, rec=0x434955b8, jmp=0x40022bac, next=(nil), exit=0x43495558
pid=893, rec=0x4348f5a0, jmp=0x40022ec0, next=(nil), exit=0x4348f540
pid=893, rec=0x4348f5a0, jmp=0x40022ec0, next=(nil), exit=0x4348f540
pid=893, rec=0x434955b8, jmp=0x40022bac, next=(nil), exit=0x43495558
pid=893, rec=0x43495b70, jmp=0x40022698, next=(nil), exit=0x43495b18
pid=893, rec=0x43495b70, jmp=0x40022698, next=(nil), exit=0x43495b18
pid=893, rec=0x435eca08, jmp=0x40022358, next=(nil), exit=0x435ec9b0
pid=893, rec=0x435eca08, jmp=0x40022358, next=(nil), exit=0x435ec9b0
pid=893, rec=0x435ecfc0, jmp=0x40023e48, next=(nil), exit=0x435ecf68
pid=893, rec=0x435ecfc0, jmp=0x40023e48, next=(nil), exit=0x435ecf68
pid=893, rec=0x446eea70, jmp=0x404ffbac, next=(nil), exit=0x446eea08
pid=893, rec=0x446eee00, jmp=0x404ff974, next=(nil), exit=0x446eed90
pid=893, rec=0x446eee00, jmp=0x404ff974, next=(nil), exit=0x446eed90
pid=893, rec=0x446efcf0, jmp=0x404ff824, next=(nil), exit=0x446efc88
pid=893, rec=0x446efb88, jmp=0x404ff7cc, next=(nil), exit=0x446efb18
pid=893, rec=0x446efef0, jmp=0x404ff618, next=(nil), exit=0x446efe80
pid=893, rec=0x446efef0, jmp=0x404ff618, next=(nil), exit=0x446efe80
pid=893, rec=0x446ee888, jmp=0x404ffb28, next=(nil), exit=0x446ee818
pid=893, rec=0x446eea70, jmp=0x404ffbac, next=(nil), exit=0x446eea08
pid=893, rec=0x446eee00, jmp=0x404ff974, next=(nil), exit=0x446eed90
pid=893, rec=0x4471b9f8, jmp=0x404ff338, next=(nil), exit=0x4471b988
pid=893, rec=0x446efcf0, jmp=0x404ff824, next=(nil), exit=0x446efc88
pid=893, rec=0x446efef0, jmp=0x404ff618, next=(nil), exit=0x446efe80
pid=893, rec=0x4471da68, jmp=0x42268e20, next=(nil), exit=0x4471d9f8
pid=893, rec=0x446f03d8, jmp=0x404feb60, next=(nil), exit=0x446f0370
pid=893, rec=0x447c2408, jmp=0x422febf0, next=(nil), exit=0x447c2388
pid=893, rec=0x455ce9bc, jmp=0xe24dd080, next=0xe50b4008, exit=0xe50b500c
Here's the tail of /proc/<pid>/maps:
42c01000-43600000 rw-p 42c01000 00:00 0
43600000-43601000 ---p 43600000 00:00 0
43601000-43e00000 rw-p 43601000 00:00 0
43e00000-43e01000 ---p 43e00000 00:00 0
43e01000-44a00000 rw-p 43e01000 00:00 0
44a00000-44a01000 ---p 44a00000 00:00 0
44a01000-45200000 rw-p 44a01000 00:00 0
45200000-45459000 r--p 00000000 1f:02 21828 /usr/lib/fennec/xulrunner/chrome/toolkit.jar
45459000-454ab000 r--p 00000000 1f:02 21819 /usr/lib/fennec/xulrunner/chrome/en-US.jar
454ab000-45575000 r--p 00000000 1f:02 21785 /usr/lib/fennec/chrome/chrome.jar
45575000-455c5000 rw-p 45575000 00:00 0
455c5000-455d7000 rwxp 455c5000 00:00 0
45600000-45700000 rw-p 45600000 00:00 0
45700000-45701000 ---p 45700000 00:00 0
45701000-46400000 rw-p 45701000 00:00 0
bedd4000-bede9000 rw-p bedd4000 00:00 0 [stack]
Reporter | ||
Comment 15•15 years ago
|
||
I just updated mobile-browser (rather than mozilla-central) to the latest sources. Previously my snapshot of mobile-browser was about 2 weeks old.
The segmentation violation has now moved to js_CallTree(). This time fennec starts OK and crashes only after I move the main panel from side to side.
Here's the kernel crash report:
fennec: unhandled page fault (11) at 0xe50b5040, code 0x0f5
pgd = c27b4000
[e50b5040] *pgd=00000000
Pid: 979, comm: fennec
CPU: 0
PC is at 0x40aadf20
LR is at 0x447bcc60
pc : [<40aadf20>] lr : [<447bcc60>] Not tainted
sp : beb2b370 ip : 000035be fp : beb2b3a0
r10: 00000000 r9 : beb2bc88 r8 : 00000000
r7 : 00000000 r6 : beb344bc r5 : beb33c68 r4 : beb2b3b8
r3 : 00003b72 r2 : 447990e0 r1 : beb33c68 r0 : e50b500c
Flags: nzCv IRQs on FIQs on Mode USER_32 Segment user
Control: 397F
Table: A27B4000 DAC: 00000015
[<c001b368>] (show_regs+0x0/0x50) from [<c0021060>] (__do_user_fault+0x5c/0xa4)
r4 = C03D4360
[<c0021004>] (__do_user_fault+0x0/0xa4) from [<c00213a4>] (do_bad_area+0x50/0x6c)
r7 = C0007940 r6 = A27B4000 r5 = 00003940 r4 = 00000000
[<c0021354>] (do_bad_area+0x0/0x6c) from [<c0021434>] (do_translation_fault+0x74/0x80)
[<c00213c0>] (do_translation_fault+0x0/0x80) from [<c00214ac>] (do_DataAbort+0x38/0x98)
r7 = 000000F5 r6 = C0237E98 r5 = BEB33C68 r4 = C0237E48
[<c0021474>] (do_DataAbort+0x0/0x98) from [<c0019c88>] (ret_from_exception+0x0/0x10)
The program counter 0x40aadf20 corresponds to libmozjs.so offset 0xedf20 (since
libmozjs.so is loaded at address 0x409c0000).
This is in js_CallTree() in jsbuiltins.cpp:
000edf08 <js_CallTree(InterpState*, nanojit::Fragment*)>:
edf08: e591301c ldr r3, [r1, #28]
edf0c: e92d4010 push {r4, lr}
edf10: e3a01000 mov r1, #0 ; 0x0
edf14: e1a04000 mov r4, r0
edf18: e12fff33 blx r3
edf1c: e5900008 ldr r0, [r0, #8]
edf20: e5903034 ldr r3, [r0, #52]
edf24: e3530004 cmp r3, #4 ; 0x4
edf28: 15840018 strne r0, [r4, #24]
edf2c: 0a000001 beq edf38 <js_CallTree(InterpState*, nanojit::Fragment*)+0x30>
edf30: e5840024 str r0, [r4, #36]
edf34: e8bd8010 pop {r4, pc}
edf38: e594301c ldr r3, [r4, #28]
edf3c: e3530000 cmp r3, #0 ; 0x0
edf40: 1afffffa bne edf30 <js_CallTree(InterpState*, nanojit::Fragment*)+0x28>
edf44: e5903024 ldr r3, [r0, #36]
edf48: e5942004 ldr r2, [r4, #4]
edf4c: e1a03103 lsl r3, r3, #2
edf50: e0822003 add r2, r2, r3
edf54: e5842020 str r2, [r4, #32]
edf58: e584001c str r0, [r4, #28]
edf5c: eafffff3 b edf30 <js_CallTree(InterpState*, nanojit::Fragment*)+0x28>
Instruction 0xedf20 is again offsetting a pointer by 52. Looking at the source code my guess is line 246:
230 SideExit* FASTCALL
231 js_CallTree(InterpState* state, Fragment* f)
232 {
233 union { NIns *code; GuardRecord* (FASTCALL *func)(InterpState*, Fragment*); } u;
234
235 u.code = f->code();
236 JS_ASSERT(u.code);
237
238 GuardRecord* rec;
239 #if defined(JS_NO_FASTCALL) && defined(NANOJIT_IA32)
240 SIMULATE_FASTCALL(rec, state, NULL, u.func);
241 #else
242 rec = u.func(state, NULL);
243 #endif
244 VMSideExit* lr = (VMSideExit*)rec->exit;
245
246 if (lr->exitType == NESTED_EXIT) {
Is this the same crash in a different function?
Reporter | ||
Comment 16•14 years ago
|
||
About a week ago I upgraded my cross-compiler from gcc-4.3.4 to gcc-4.4.3. I rebuilt fennec - using 4-week old source files - and tried again.
Now fennec works fine. I can browse websites with no alignment traps or crashes.
Whether it is the new compiler, the newer source files, or the disabling of nanojit (bug 565312) which fixed it I cannot tell. Whatever the reason, I have no incentive to pursue this further unless it recurs.
So I am happy for this bug to be closed.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•