Closed
Bug 855133
Opened 11 years ago
Closed 11 years ago
PJS: (ARM) Assertion failure: topIonScript_, at /home/shu/moz/inbound/js/src/ion/Bailouts.h:187
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
Tracking | Status | |
---|---|---|
firefox21 | --- | unaffected |
firefox22 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: shu, Assigned: shu)
Details
(Whiteboard: [adv-main22-])
Attachments
(1 file, 1 obsolete file)
4.13 KB,
patch
|
mjrosenb
:
review+
|
Details | Diff | Splinter Review |
Happens in several jit-tests, like flatten-1.
Assignee | ||
Comment 1•11 years ago
|
||
This is due to us not implementing parallel bailouts on ARM... at all. The obvious fix doesn't work because something wonky is going on with retargeting multiple labels on ARM to go to a common target, as is the case with |ensureOutOfLineParallelAbort|. Namely, this assertion in Assembler-arm.cpp is failing in |retarget|: DebugOnly<uint32_t> prev = target->use(label->offset()); JS_ASSERT((int32_t)prev == Label::INVALID_OFFSET); mjrosenb, could you advise on how to retarget multiple labels to a common, unbound target?
Assignee | ||
Comment 2•11 years ago
|
||
This seems to work.
Attachment #729948 -
Flags: feedback?(mrosenberg)
Assignee | ||
Comment 3•11 years ago
|
||
Less horribly wrong version.
Attachment #729948 -
Attachment is obsolete: true
Attachment #729948 -
Flags: feedback?(mrosenberg)
Attachment #730054 -
Flags: review?(mrosenberg)
Updated•11 years ago
|
Flags: sec-bounty?
Comment 4•11 years ago
|
||
Comment on attachment 730054 [details] [diff] [review] fix Review of attachment 730054 [details] [diff] [review]: ----------------------------------------------------------------- The logic in Assembler-arm.cpp is a bit confusing, it could probably use a comment or two? ::: js/src/ion/arm/Assembler-arm.cpp @@ +2096,5 @@ > bind(label, BufferOffset(target)); > + } else if (target->used()) { > + // The target is not bound but used. Prepend label's branch list > + // onto target's. > + int32_t prev = target->use(label->offset()); Could you move the definition of prev closer to where it is used?
Attachment #730054 -
Flags: review?(mrosenberg) → review+
Assignee | ||
Comment 5•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fa15e3c18ecf try run: https://tbpl.mozilla.org/?tree=Try&rev=b4563bd3b8e7
Comment 6•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fa15e3c18ecf Can we get tests for this?
Assignee: general → shu
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox22:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6) > https://hg.mozilla.org/mozilla-central/rev/fa15e3c18ecf > > Can we get tests for this? This bug was crashing a number of existing ParallelArray tests already, so there wasn't need to make a new one. The problem, I guess, is that jit-tests aren't run on tbpl for ARM, or so mjrosenb tells me.
Comment 8•11 years ago
|
||
What about a jsreftest?
Updated•11 years ago
|
Flags: sec-bounty?
Assignee | ||
Comment 9•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8) > What about a jsreftest? Does a reftest make sense for an ARM-only crash on an experimental/unstandardized API?
Comment 10•11 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #9) > (In reply to Ryan VanderMeulen [:RyanVM] from comment #8) > > What about a jsreftest? > > Does a reftest make sense for an ARM-only crash on an > experimental/unstandardized API? Your call, I just get antsy at the thought of possibly regressing a security bug.
Comment 11•11 years ago
|
||
Does this affect the b2g18 branch?
Assignee | ||
Updated•11 years ago
|
Assignee | ||
Comment 12•11 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #11) > Does this affect the b2g18 branch? It shouldn't, ParallelArray is ifdef'd off on b2g.
Flags: needinfo?(shu)
Comment 13•11 years ago
|
||
Was this in Firefox 21?
Assignee | ||
Comment 15•11 years ago
|
||
PJS is ifdef'd off on everything but Nightly, so no worries on Firefox 21.
Flags: needinfo?(shu)
Updated•11 years ago
|
Whiteboard: [adv-main22-]
Updated•11 years ago
|
status-firefox21:
--- → unaffected
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•