Closed Bug 718852 Opened 13 years ago Closed 13 years ago

[ARM] Assertion failure: lastResort != FrameState::InvalidIndex, at methodjit/ImmutableSync.cpp:133 or crash [@ JSC::ARMAssembler::nameGpReg]

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
firefox12 --- unaffected
firefox13 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical] js-triage-done [advisory-tracking+])

The following test asserts on mozilla-central revision 0b4c58200e3a (options -m -n -a):

    function fannkuch(n) {
      var perm1 = Array(n);
      while (true) {
        if (check < 30) {
          for (var i = 0; i < n; i++)
            s += (perm1[i] + 1).toString();
          while (i < r) {
            var j = this.abstract + 1;
            perm1[i] = perm1[j];
          }
        }
      }
    }
    fannkuch(8);

S-s because this triggers quite a few additional assertions when continuing, and then crashes:

    Program received signal SIGSEGV, Segmentation fault.
    0x0023b8fc in JSC::ARMAssembler::nameGpReg (reg=-1) at ../assembler/assembler/ARMAssembler.h:1233
    1233        ASSERT(reg >= 0);
    (gdb) bt
    #0  0x0023b8fc in JSC::ARMAssembler::nameGpReg (reg=-1) at ../assembler/assembler/ARMAssembler.h:1233
    #1  0x0023ae36 in JSC::ARMAssembler::dtr_u (this=0x64fbf0, isLoad=true, rd=-1, rb=10, offset=64, cc=JSC::ARMAssembler::AL) at ../assembler/assembler/ARMAssembler.h:651
    #2  0x002ac5c2 in JSC::ARMAssembler::dataTransfer32 (this=0x64fbf0, isLoad=true, srcDst=4294967295, base=JSC::ARMRegisters::r10, offset=64) at /home/decoder/mozilla-central/js/src/assembler/assembler/ARMAssembler.cpp:356
    #3  0x0023c43a in JSC::MacroAssemblerARM::load32 (this=0x64fbf0, address=..., dest=4294967295) at ../assembler/assembler/MacroAssemblerARM.h:303
    #4  0x00247838 in js::mjit::NunboxAssembler::loadPayload<JSC::AbstractMacroAssembler<JSC::ARMAssembler>::Address> (this=0x64fbf0, address=..., reg=4294967295) at /home/decoder/mozilla-central/js/src/methodjit/NunboxAssembler.h:134
    #5  0x002a1094 in js::mjit::ImmutableSync::ensureDataReg (this=0xbee3ea20, fe=0x64a540, e=...) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:222
    #6  0x002a1190 in js::mjit::ImmutableSync::syncCopy (this=0xbee3ea20, fe=0x64a600) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:244
    #7  0x002a0e82 in js::mjit::ImmutableSync::sync (this=0xbee3ea20, fe=0x64a600) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:179
    #8  0x0025c744 in js::mjit::FrameState::syncFancy (this=0xbee3e9f8, masm=..., avail=..., trackerIndex=5) at /home/decoder/mozilla-central/js/src/methodjit/FrameState.cpp:1280
    #9  0x0025cb78 in js::mjit::FrameState::sync (this=0xbee3e9f8, masm=..., uses=...) at /home/decoder/mozilla-central/js/src/methodjit/FrameState.cpp:1382
    #10 0x00288caa in js::mjit::StubCompiler::syncExit (this=0xbee413a8, uses=...) at /home/decoder/mozilla-central/js/src/methodjit/StubCompiler.cpp:83
    #11 0x00288d40 in js::mjit::StubCompiler::linkExit (this=0xbee413a8, j=..., uses=...) at /home/decoder/mozilla-central/js/src/methodjit/StubCompiler.cpp:120
    #12 0x00277976 in js::mjit::Compiler::jsop_setelem (this=0xbee3ddb0, popGuaranteed=true) at /home/decoder/mozilla-central/js/src/methodjit/FastOps.cpp:1592
    #13 0x0022568a in js::mjit::Compiler::generateMethod (this=0xbee3ddb0) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:2046
    #14 0x0021e3b6 in js::mjit::Compiler::performCompilation (this=0xbee3ddb0, jitp=0x40a061b8) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:539
    #15 0x0021d562 in js::mjit::Compiler::compile (this=0xbee3ddb0) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:157
    #16 0x0021eb90 in js::mjit::TryCompile (cx=0x640fb0, script=0x40a06128, construct=false) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:647
    #17 0x000d2ea4 in js::mjit::CanMethodJIT (cx=0x640fb0, script=0x40a06128, construct=false, request=js::mjit::CompileRequest_Interpreter) at /home/decoder/mozilla-central/js/src/methodjit/MethodJIT-inl.h:77
    #18 0x000e0b88 in js::Interpret (cx=0x640fb0, entryFrame=0x40422020, interpMode=js::JSINTERP_NORMAL) at /home/decoder/mozilla-central/js/src/jsinterp.cpp:3046
    #19 0x002197c6 in js::mjit::EnterMethodJIT (cx=0x640fb0, fp=0x40422020, code=0x40216070, stackLimit=0x40802000, partial=false) at /home/decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
    (gdb) x /2i $pc
    => 0x23b8fc <JSC::ARMAssembler::nameGpReg(int)+100>:  str   r2, [r3, #0]
       0x23b8fe <JSC::ARMAssembler::nameGpReg(int)+102>:  mov.w r3, #0
    (gdb) info register r2 r3
    r2             0x0        0
    r3             0xbbadbeef 3148725999

Judging the assert/crash with my professional JS developer skills (! ;D), this could be a register allocation problem during compilation.
Marking sg:critical until claimed otherwise.
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
I think this one was a problem with one of billm's commits that then got backed out? I'm CC'ing him to confirm.
Yeah, this should be fixed now.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-done
Are any shipped versions of Firefox affected by this bug?
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical] js-triage-done → [sg:critical] js-triage-done [advisory-tracking+]
Flags: in-testsuite+