Closed Bug 855133 Opened 11 years ago Closed 11 years ago

PJS: (ARM) Assertion failure: topIonScript_, at /home/shu/moz/inbound/js/src/ion/Bailouts.h:187

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: shu, Assigned: shu)

Details

(Whiteboard: [adv-main22-])

Attachments

(1 file, 1 obsolete file)

fix
4.13 KB, patch
mjrosenb
: review+
Details | Diff | Splinter Review 
Happens in several jit-tests, like flatten-1.
This is due to us not implementing parallel bailouts on ARM... at all. The obvious fix doesn't work because something wonky is going on with retargeting multiple labels on ARM to go to a common target, as is the case with |ensureOutOfLineParallelAbort|. Namely, this assertion in Assembler-arm.cpp is failing in |retarget|: 

            DebugOnly<uint32_t> prev = target->use(label->offset());
            JS_ASSERT((int32_t)prev == Label::INVALID_OFFSET);

mjrosenb, could you advise on how to retarget multiple labels to a common, unbound target?
Attached patch fix (obsolete) — Splinter Review 
This seems to work.
Attachment #729948 - Flags: feedback?(mrosenberg)
Attached patch fixSplinter Review 
Less horribly wrong version.
Attachment #729948 - Attachment is obsolete: true
Attachment #729948 - Flags: feedback?(mrosenberg)
Attachment #730054 - Flags: review?(mrosenberg)
Comment on attachment 730054 [details] [diff] [review]
fix

Review of attachment 730054 [details] [diff] [review]:
-----------------------------------------------------------------

The logic in Assembler-arm.cpp is a bit confusing, it could probably use a comment or two?

::: js/src/ion/arm/Assembler-arm.cpp
@@ +2096,5 @@
>              bind(label, BufferOffset(target));
> +        } else if (target->used()) {
> +            // The target is not bound but used. Prepend label's branch list
> +            // onto target's.
> +            int32_t prev = target->use(label->offset());

Could you move the definition of prev closer to where it is used?
Attachment #730054 - Flags: review?(mrosenberg) → review+
https://hg.mozilla.org/mozilla-central/rev/fa15e3c18ecf

Can we get tests for this?
Assignee: general → shu
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox22: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6)
> https://hg.mozilla.org/mozilla-central/rev/fa15e3c18ecf
> 
> Can we get tests for this?

This bug was crashing a number of existing ParallelArray tests already, so there wasn't need to make a new one. The problem, I guess, is that jit-tests aren't run on tbpl for ARM, or so mjrosenb tells me.
What about a jsreftest?
Flags: sec-bounty?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> What about a jsreftest?

Does a reftest make sense for an ARM-only crash on an experimental/unstandardized API?
(In reply to Shu-yu Guo [:shu] from comment #9)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> > What about a jsreftest?
> 
> Does a reftest make sense for an ARM-only crash on an
> experimental/unstandardized API?

Your call, I just get antsy at the thought of possibly regressing a security bug.
Does this affect the b2g18 branch?
status-b2g18: --- → ?
status-firefox-esr17: --- → unaffected
Flags: needinfo?(shu)
status-b2g18: ?unaffected
(In reply to Daniel Veditz [:dveditz] from comment #11)
> Does this affect the b2g18 branch?

It shouldn't, ParallelArray is ifdef'd off on b2g.
Flags: needinfo?(shu)
Was this in Firefox 21?
I'm assuming comment 13 was directed at shu
Flags: needinfo?(shu)
PJS is ifdef'd off on everything but Nightly, so no worries on Firefox 21.
Flags: needinfo?(shu)
Whiteboard: [adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: