Bug 718852 (Closed)
Opened 13 years ago
Closed 13 years ago
[ARM] Assertion failure: lastResort != FrameState::InvalidIndex, at methodjit/ImmutableSync.cpp:133 or crash [@ JSC::ARMAssembler::nameGpReg]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Tracking
| Tracking | Status | |
|---|---|---|
| firefox12 | --- | unaffected |
| firefox13 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People: Reporter: decoder, Unassigned
Details: Keywords: assertion, crash, testcase; Whiteboard: [sg:critical] js-triage-done [advisory-tracking+]
The following test asserts on mozilla-central revision 0b4c58200e3a (options -m -n -a):
```js
function fannkuch(n) {
    var perm1 = Array(n);
    while (true) {
        if (check < 30){
            for(var i=0; i<n; i++) s += (perm1[i]+1).toString();
            while (i < r) {
                var j = this.abstract + 1;
                perm1[i] = perm1[j];
            }
        }
    }
}
fannkuch(8);
```
S-s because this triggers quite a few additional assertions when continuing, and then crashes:
```text
Program received signal SIGSEGV, Segmentation fault.
0x0023b8fc in JSC::ARMAssembler::nameGpReg (reg=-1) at ../assembler/assembler/ARMAssembler.h:1233
1233        ASSERT(reg >= 0);
(gdb) bt
#0  0x0023b8fc in JSC::ARMAssembler::nameGpReg (reg=-1) at ../assembler/assembler/ARMAssembler.h:1233
#1  0x0023ae36 in JSC::ARMAssembler::dtr_u (this=0x64fbf0, isLoad=true, rd=-1, rb=10, offset=64, cc=JSC::ARMAssembler::AL) at ../assembler/assembler/ARMAssembler.h:651
#2  0x002ac5c2 in JSC::ARMAssembler::dataTransfer32 (this=0x64fbf0, isLoad=true, srcDst=4294967295, base=JSC::ARMRegisters::r10, offset=64) at /home/decoder/mozilla-central/js/src/assembler/assembler/ARMAssembler.cpp:356
#3  0x0023c43a in JSC::MacroAssemblerARM::load32 (this=0x64fbf0, address=..., dest=4294967295) at ../assembler/assembler/MacroAssemblerARM.h:303
#4  0x00247838 in js::mjit::NunboxAssembler::loadPayload<JSC::AbstractMacroAssembler<JSC::ARMAssembler>::Address> (this=0x64fbf0, address=..., reg=4294967295) at /home/decoder/mozilla-central/js/src/methodjit/NunboxAssembler.h:134
#5  0x002a1094 in js::mjit::ImmutableSync::ensureDataReg (this=0xbee3ea20, fe=0x64a540, e=...) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:222
#6  0x002a1190 in js::mjit::ImmutableSync::syncCopy (this=0xbee3ea20, fe=0x64a600) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:244
#7  0x002a0e82 in js::mjit::ImmutableSync::sync (this=0xbee3ea20, fe=0x64a600) at /home/decoder/mozilla-central/js/src/methodjit/ImmutableSync.cpp:179
#8  0x0025c744 in js::mjit::FrameState::syncFancy (this=0xbee3e9f8, masm=..., avail=..., trackerIndex=5) at /home/decoder/mozilla-central/js/src/methodjit/FrameState.cpp:1280
#9  0x0025cb78 in js::mjit::FrameState::sync (this=0xbee3e9f8, masm=..., uses=...) at /home/decoder/mozilla-central/js/src/methodjit/FrameState.cpp:1382
#10 0x00288caa in js::mjit::StubCompiler::syncExit (this=0xbee413a8, uses=...) at /home/decoder/mozilla-central/js/src/methodjit/StubCompiler.cpp:83
#11 0x00288d40 in js::mjit::StubCompiler::linkExit (this=0xbee413a8, j=..., uses=...) at /home/decoder/mozilla-central/js/src/methodjit/StubCompiler.cpp:120
#12 0x00277976 in js::mjit::Compiler::jsop_setelem (this=0xbee3ddb0, popGuaranteed=true) at /home/decoder/mozilla-central/js/src/methodjit/FastOps.cpp:1592
#13 0x0022568a in js::mjit::Compiler::generateMethod (this=0xbee3ddb0) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:2046
#14 0x0021e3b6 in js::mjit::Compiler::performCompilation (this=0xbee3ddb0, jitp=0x40a061b8) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:539
#15 0x0021d562 in js::mjit::Compiler::compile (this=0xbee3ddb0) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:157
#16 0x0021eb90 in js::mjit::TryCompile (cx=0x640fb0, script=0x40a06128, construct=false) at /home/decoder/mozilla-central/js/src/methodjit/Compiler.cpp:647
#17 0x000d2ea4 in js::mjit::CanMethodJIT (cx=0x640fb0, script=0x40a06128, construct=false, request=js::mjit::CompileRequest_Interpreter) at /home/decoder/mozilla-central/js/src/methodjit/MethodJIT-inl.h:77
#18 0x000e0b88 in js::Interpret (cx=0x640fb0, entryFrame=0x40422020, interpMode=js::JSINTERP_NORMAL) at /home/decoder/mozilla-central/js/src/jsinterp.cpp:3046
#19 0x002197c6 in js::mjit::EnterMethodJIT (cx=0x640fb0, fp=0x40422020, code=0x40216070, stackLimit=0x40802000, partial=false) at /home/decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
(gdb) x /2i $pc
=> 0x23b8fc <JSC::ARMAssembler::nameGpReg(int)+100>:    str r2, [r3, #0]
   0x23b8fe <JSC::ARMAssembler::nameGpReg(int)+102>:    mov.w r3, #0
(gdb) info register r2 r3
r2             0x0      0
r3             0xbbadbeef       3148725999
```
Judging the assert/crash with my professional JS developer skills (! ;D) this could be a register allocation problem during compilation.
Comment 1•13 years ago
Marking sg:critical until claimed otherwise.
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
Comment 2•13 years ago
I think this one was a problem with one of billm's commits that then got backed out? I'm CC'ing him to confirm.
Yeah, this should be fixed now.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-done
Comment 4•13 years ago
Are any shipped versions of Firefox affected by this bug?
tracking-firefox-esr10: --- → ?
Updated•13 years ago
Group: core-security
status-firefox-esr10: --- → unaffected
status-firefox12: --- → unaffected
status-firefox13: --- → fixed
tracking-firefox-esr10: ? → ---
Updated•13 years ago
Status: RESOLVED → VERIFIED
Updated•13 years ago
Whiteboard: [sg:critical] js-triage-done → [sg:critical] js-triage-done [advisory-tracking+]
Comment 5•12 years ago
Updated•12 years ago
Flags: in-testsuite+