Last Comment Bug 718852 - [ARM] Assertion failure: lastResort != FrameState::InvalidIndex, at methodjit/ImmutableSync.cpp:133 or crash [@ JSC::ARMAssembler::nameGpReg]
[sg:critical] js-triage-done [advisor...
: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: ARM Linux
: -- critical
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2012-01-17 15:16 PST by Christian Holler (:decoder)
Modified: 2013-03-20 04:50 PDT
choller: in‑testsuite+


Description Christian Holler (:decoder) 2012-01-17 15:16:39 PST
The following test asserts on mozilla-central revision 0b4c58200e3a (options -m -n -a):

function fannkuch(n) {
   var perm1 = Array(n);
   while (true) {
      if (check < 30){
         for(var i=0; i<n; i++) s += (perm1[i]+1).toString();
         while (i < r) {
            var j = this.abstract + 1;
            perm1[i] = perm1[j];

S-s because this triggers quite a few additional assertions when continuing, and then crashes:

Program received signal SIGSEGV, Segmentation fault.
0x0023b8fc in JSC::ARMAssembler::nameGpReg (reg=-1) at ../assembler/assembler/ARMAssembler.h:1233
1233                ASSERT(reg >= 0);
(gdb) bt
#0  0x0023b8fc in JSC::ARMAssembler::nameGpReg (reg=-1) at ../assembler/assembler/ARMAssembler.h:1233
#1  0x0023ae36 in JSC::ARMAssembler::dtr_u (this=0x64fbf0, isLoad=true, rd=-1, rb=10, offset=64, cc=JSC::ARMAssembler::AL) at ../assembler/assembler/ARMAssembler.h:651
#2  0x002ac5c2 in JSC::ARMAssembler::dataTransfer32 (this=0x64fbf0, isLoad=true, srcDst=4294967295, base=JSC::ARMRegisters::r10, offset=64)
    at /home/decoder/mozilla-central/js/src/assembler/assembler/ARMAssembler.cpp:356
#3  0x0023c43a in JSC::MacroAssemblerARM::load32 (this=0x64fbf0, address=..., dest=4294967295) at ../assembler/assembler/MacroAssemblerARM.h:303
#4  0x00247838 in js::mjit::NunboxAssembler::loadPayload<JSC::AbstractMacroAssembler<JSC::ARMAssembler>::Address> (this=0x64fbf0, address=..., reg=4294967295)
    at /home/decoder/mozilla-central/js/src/methodjit/NunboxAssembler.h:134
#5  0x002a1094 in js::mjit::ImmutableSync::ensureDataReg (this=0xbee3ea20, fe=0x64a540, e=...) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:222
#6  0x002a1190 in js::mjit::ImmutableSync::syncCopy (this=0xbee3ea20, fe=0x64a600) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:244
#7  0x002a0e82 in js::mjit::ImmutableSync::sync (this=0xbee3ea20, fe=0x64a600) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:179
#8  0x0025c744 in js::mjit::FrameState::syncFancy (this=0xbee3e9f8, masm=..., avail=..., trackerIndex=5) at /home/decoder/mozilla-central/js/src/methodjit/FrameState.cpp:1280
#9  0x0025cb78 in js::mjit::FrameState::sync (this=0xbee3e9f8, masm=..., uses=...) at /home/decoder/mozilla-central/js/src/methodjit/FrameState.cpp:1382
#10 0x00288caa in js::mjit::StubCompiler::syncExit (this=0xbee413a8, uses=...) at /home/decoder/mozilla-central/js/src/methodjit/StubCompiler.cpp:83
#11 0x00288d40 in js::mjit::StubCompiler::linkExit (this=0xbee413a8, j=..., uses=...) at /home/decoder/mozilla-central/js/src/methodjit/StubCompiler.cpp:120
#12 0x00277976 in js::mjit::Compiler::jsop_setelem (this=0xbee3ddb0, popGuaranteed=true) at /home/decoder/mozilla-central/js/src/methodjit/FastOps.cpp:1592
#13 0x0022568a in js::mjit::Compiler::generateMethod (this=0xbee3ddb0) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:2046
#14 0x0021e3b6 in js::mjit::Compiler::performCompilation (this=0xbee3ddb0, jitp=0x40a061b8) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:539
#15 0x0021d562 in js::mjit::Compiler::compile (this=0xbee3ddb0) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:157
#16 0x0021eb90 in js::mjit::TryCompile (cx=0x640fb0, script=0x40a06128, construct=false) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:647
#17 0x000d2ea4 in js::mjit::CanMethodJIT (cx=0x640fb0, script=0x40a06128, construct=false, request=js::mjit::CompileRequest_Interpreter)
    at /home/decoder/mozilla-central/js/src/methodjit/MethodJIT-inl.h:77
#18 0x000e0b88 in js::Interpret (cx=0x640fb0, entryFrame=0x40422020, interpMode=js::JSINTERP_NORMAL) at /home/decoder/mozilla-central/js/src/jsinterp.cpp:3046
#19 0x002197c6 in js::mjit::EnterMethodJIT (cx=0x640fb0, fp=0x40422020, code=0x40216070, stackLimit=0x40802000, partial=false)
    at /home/decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079

(gdb) x /2i $pc
=> 0x23b8fc <JSC::ARMAssembler::nameGpReg(int)+100>:    str     r2, [r3, #0]
   0x23b8fe <JSC::ARMAssembler::nameGpReg(int)+102>:    mov.w   r3, #0
(gdb) info register r2 r3
r2             0x0      0
r3             0xbbadbeef       3148725999

Judging the assert/crash with my professional JS developer skills (! ;D), this could be a register allocation problem during compilation.
Comment 1 Johnny Stenback (:jst) 2012-02-15 16:44:59 PST
Marking sg:critical until claimed otherwise.
Comment 2 Marty Rosenberg [:mjrosenb] 2012-02-18 11:33:30 PST
I think this one was a problem with one of billm's commits that then got backed out? I'm CC'ing him to confirm.
Comment 3 Bill McCloskey (:billm) 2012-02-22 17:42:25 PST
Yeah, this should be fixed now.
Comment 4 Alex Keybl [:akeybl] 2012-03-15 16:52:46 PDT
Are any shipped versions of Firefox affected by this bug?
Comment 5 Ed Morley [:emorley] 2013-03-20 04:49:30 PDT
