Closed Bug 915903 Opened 11 years ago Closed 11 years ago

IonMonkey: Crash [@ js::jit::MTruncateToInt32::accept] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 8
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla27
Tracking Status
firefox24 --- unaffected
firefox25 --- unaffected
firefox26 --- fixed
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.2 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

Attached file debug and opt stacks
x = {};
x.toString = (function(stdlib, heap) {
    Int8ArrayView = stdlib.Int8Array(heap);
    Float32ArrayView = stdlib.Float32Array(heap);
    function f() {
        Int8ArrayView[0] = Float32ArrayView[0]
    }
    return f
})(this, ArrayBuffer);
x + 1

asserts js debug shell on m-c changeset c38b60b9063e with --ion-eager at Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp and crashes js opt shell at js::jit::MTruncateToInt32::accept

I tested that the opt crash happens on Windows 8.

Setting needinfo from bbouvier since I just spoke to him in-person about this.

My configure flags are:

Opt shell: --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>

Debug shell: --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>
Flags: needinfo?(bbouvier)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/a43cf13bd6a6
user: Benjamin Bouvier
date: Thu Jul 18 15:13:15 2013 -0700
summary: Bug 888109: Float32 general optimizations for IonMonkey: framework and arithmetic operations; r=sstangl,nbp

This iteration took 0.976 seconds to run.
Not an Odin bug as the outer function doesn't contain the "use asm" token, but still a very good catch :) A patch in bug 913282 fixes that behavior, it should land early next week.
Summary: OdinMonkey: Crash [@ js::jit::MTruncateToInt32::accept] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp → IonMonkey: Crash [@ js::jit::MTruncateToInt32::accept] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp
Attached patch bug915903.patch (obsolete) — Splinter Review
Looks like the ARM patches are now needed and blocking progression of bug 913282, so here is a workaround that just converts Float32 to Doubles before storing them in an Int*Array. The TruncateToInt32 patch of bug 913282 will remove this part.
Assignee: general → bbouvier
Status: NEW → ASSIGNED
Attachment #808769 - Flags: review?(sstangl)
Flags: needinfo?(bbouvier)
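A differential check for the store path discussed above (a Float32Array element written into an Int8Array), added here as an example and not part of the bug's patch or test suite: it compares the engine's stored byte against a reference ToInt8 conversion in a loop hot enough to reach the JIT. The function names, sample values and round count are constructed for illustration.

```javascript
// Added example (not from the bug): checks Float32 -> Int8Array stores
// against a reference ToInt8 conversion, in a loop hot enough for the JIT.

// Reference ToInt8: NaN/Infinity -> 0, truncate toward zero, wrap modulo 2^8,
// then reinterpret as a signed byte.
function toInt8Reference(v) {
  if (!Number.isFinite(v)) return 0;
  const wrapped = ((Math.trunc(v) % 256) + 256) % 256;
  return wrapped >= 128 ? wrapped - 256 : wrapped;
}

// The store from the bug's test case, kept in its own function so the engine
// compiles it with a Float32 source and an Int8 destination.
function storeFloat32IntoInt8(i8, f32) {
  i8[0] = f32[0];
}

// Constructed sample inputs: boundaries, negatives, huge and non-finite values.
const SAMPLES = [0, -0, 0.1, 1.5, -1.5, 127.9, 128, -128.5, -129, 255,
                 256.75, 1e10, -1e10, 3.4e38, NaN, Infinity, -Infinity];

// Returns one record per sample whose stored byte disagrees with the reference.
function findMismatches(samples, rounds = 2000) {
  const f32 = new Float32Array(1);
  const i8 = new Int8Array(1);
  const mismatches = [];
  for (const sample of samples) {
    f32[0] = sample; // rounded to float32 precision by the store
    const expected = toInt8Reference(f32[0]);
    for (let round = 0; round < rounds; round++) {
      i8[0] = expected ^ 0x55; // poison, so a skipped store is noticed
      storeFloat32IntoInt8(i8, f32);
      if (i8[0] !== expected) {
        mismatches.push({ input: f32[0], expected, got: i8[0], round });
        break;
      }
    }
  }
  return mismatches;
}

const mismatches = findMismatches(SAMPLES);
console.log(mismatches.length === 0 ? "all stores match ToInt8" : mismatches);
```

An empty result means every sample was stored with the reference value on every round, including the rounds executed after the function was compiled.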
Auto nit: I added the test case on my local patch.
Unfortunately, bug 919118 still hangs even with this patch applied.
Comment on attachment 808769 [details] [diff] [review] bug915903.patch Review of attachment 808769 [details] [diff] [review]: ----------------------------------------------------------------- Acceptable as a workaround. ::: js/src/jit/TypePolicy.cpp @@ +652,5 @@ > case ScalarTypeRepresentation::TYPE_UINT16: > case ScalarTypeRepresentation::TYPE_INT32: > case ScalarTypeRepresentation::TYPE_UINT32: > if (value->type() != MIRType_Int32) { > + if (value->type() == MIRType_Float32) { Could you leave a comment above this line, reading "Workaround for Bug 915903."?
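Review bot: at `+ if (value->type() == MIRType_Float32) {`, the marker comment requested above should also name bug 913282, because the patch description says the TruncateToInt32 patch there will remove this branch; a comment citing only bug 915903 does not tell the next reader when the workaround can be deleted. The quoted hunk covers only js/src/jit/TypePolicy.cpp, so confirm that the test case from the first comment lands with it and runs under --ion-eager, otherwise the Float32 to Int*Array store path loses coverage once the workaround is removed.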
Attachment #808769 - Flags: review?(sstangl) → review+
Attached patch bug915903.patch Splinter Review
Carrying forward r+ from sstangl.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 888109
User impact if declined: crashes / hangs on some web sites (e.g. Google Maps...)
Testing completed (on m-c, etc.): testing completed on m-i, all tests pass
Risk to taking this patch (and alternatives if risky): very low, if not no risk
String or IDL/UUID changes made by this patch: N/A
Attachment #808769 - Attachment is obsolete: true
Attachment #810058 - Flags: review+
Attachment #810058 - Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Flags: in-testsuite+
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Attachment #810058 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
Blocks: 888109
Group: core-security