Closed
Bug 941905
Opened 11 years ago
Closed 11 years ago
OdinMonkey: Crash [@ js::jit::SplitCriticalEdges] or Assertion failure: GetARMFlags() <= ((4294967295U) >> ARCH_BITS), at jit/AsmJSModule.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla28
People
(Reporter: gkw, Assigned: dougc)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(2 files)
11.69 KB, text/plain
863 bytes, patch (mjrosenb: review+)
(function () { "use asm"; })
asserts js debug shell on m-c changeset c7cbfa315d46 without any CLI arguments at Assertion failure: GetARMFlags() <= ((4294967295U) >> ARCH_BITS), at jit/AsmJSModule.cpp on my ARM pandaboard.
My configure flags are:
CC="gcc -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" AR=ar CXX="g++ -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" sh ./configure --target=arm-linux-gnueabi --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
After looking at this with Jesse, this assertion was added in bug 900669. Luke, is bug 900669 likely to have caused this? This blocks fuzzing on ARM due to its simplicity.
Flags: needinfo?(luke)
Reporter
Comment 1•11 years ago
I will have to temporarily pass in --no-asmjs to bypass this issue. Moreover this happened on soft floating point ARM Ubuntu Linux, not sure if it occurs in hard floating point systems.
Comment 2•11 years ago
Given that all the HWCAP_* flags are in bits 0-7, this must be the result of the line
flags = aux.a_un.a_val;
in GetARMFlags(). Anyone know what this means? Are HWCAP_* specifically defined to match whatever is in aux.a_un.a_val? If so, then I guess this assertion just means there are other flags than the 0-7 we are looking at? In that case, the assertion is innocuous, but it would be good to mask them off.
Flags: needinfo?(luke)
Reporter
Updated•11 years ago
Summary: Assertion failure: GetARMFlags() <= ((4294967295U) >> ARCH_BITS), at jit/AsmJSModule.cpp → OdinMonkey: Assertion failure: GetARMFlags() <= ((4294967295U) >> ARCH_BITS), at jit/AsmJSModule.cpp
Assignee
Comment 3•11 years ago
Reporter
Comment 4•11 years ago
I get a large testcase that crashes at js::jit::SplitCriticalEdges, that eventually reduces to this assertion.
Crash Signature: [@ js::jit::SplitCriticalEdges]
Summary: OdinMonkey: Assertion failure: GetARMFlags() <= ((4294967295U) >> ARCH_BITS), at jit/AsmJSModule.cpp → OdinMonkey: Crash [@ js::jit::SplitCriticalEdges] or Assertion failure: GetARMFlags() <= ((4294967295U) >> ARCH_BITS), at jit/AsmJSModule.cpp
Assignee
Comment 5•11 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] (yes, still catching up on bugmail) from comment #4)
> I get a large testcase that crashes at js::jit::SplitCriticalEdges, that
> eventually reduces to this assertion.
Could I ask if this occurred with the above patch applied?
If not then does anyone concur that the above patch would address the issue?
It might also be prudent to check that the upper unused bits are zero in GetARMFlags().
Reporter
Comment 6•11 years ago
> Could I ask if this occurred with the above patch applied?
This patch does fix the assert. I don't have a nice reduced testcase for the crash, and it is no longer around anymore.
Perhaps we could ask for review for the patch and land it first?
Flags: needinfo?(dtc-moz)
Assignee
Comment 7•11 years ago
Comment on attachment 8336421 [details] [diff] [review]
Move the HWCAP_ARMv7 flag down to bit 29 to free up the upper two bit for use as an arch id in the asm.js code cache
This flag appears to be defined here only in case the system header file asm/hwcap.h does not define it. The high bit was probably chosen to avoid conflict with system defined flags. It does not appear to cause any conflict to move it down to bit 29, and this makes room for the asm.js cache arch id.
Perhaps it would also be prudent to assert that the upper bits returned by aux.a_un.a_val are zero?
Attachment #8336421 -
Flags: review?(mrosenberg)
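The bit-layout conflict discussed in comments 2 and 7, as an added example that is not part of the original thread or the SpiderMonkey source. It assumes a 32-bit key whose top two bits hold the arch id (so "the high bit" is bit 31); every name except ARCH_BITS is hypothetical, and the arch id and auxv value are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout from the thread: the top ARCH_BITS bits of a 32-bit cache
 * key carry an architecture id, the remaining bits carry CPU feature flags. */
#define ARCH_BITS  2u
#define FLAG_BITS  (32u - ARCH_BITS)
#define FLAGS_MASK (UINT32_MAX >> ARCH_BITS)

/* Hypothetical names: the locally defined ARMv7 flag at its old position
 * (the high bit) and at bit 29, where the patch moves it. */
#define SYNTH_ARMV7_OLD (1u << 31)
#define SYNTH_ARMV7_NEW (1u << 29)
#define ARCH_ID_ARM     2u          /* constructed value */

/* Same condition as the failing assertion: flags must leave the top bits free. */
static int flags_fit(uint32_t flags) { return flags <= FLAGS_MASK; }

/* Keep only the bits the caller understands, so unknown bits reported in the
 * auxv value cannot reach the key (the masking suggested in comment 2). */
static uint32_t sanitize(uint32_t raw_auxv, uint32_t known) {
    return raw_auxv & known;
}

/* Pack arch id and flags. Returns 0 and leaves *key untouched when either
 * field would spill into the other, instead of silently aliasing keys. */
static int pack_key(uint32_t arch_id, uint32_t flags, uint32_t *key) {
    if (arch_id >= (1u << ARCH_BITS) || !flags_fit(flags))
        return 0;
    *key = (arch_id << FLAG_BITS) | flags;
    return 1;
}

static uint32_t key_arch(uint32_t key)  { return key >> FLAG_BITS; }
static uint32_t key_flags(uint32_t key) { return key & FLAGS_MASK; }

int main(void) {
    uint32_t raw = 0x0000b0d7u;               /* constructed auxv sample */
    uint32_t hw = sanitize(raw, 0xffu);       /* keep bits 0-7 only */
    uint32_t key = 0;
    printf("old position fits: %d\n", flags_fit(hw | SYNTH_ARMV7_OLD));
    printf("new position fits: %d\n", flags_fit(hw | SYNTH_ARMV7_NEW));
    if (pack_key(ARCH_ID_ARM, hw | SYNTH_ARMV7_NEW, &key))
        printf("key=0x%08x arch=%u flags=0x%08x\n", (unsigned)key,
               (unsigned)key_arch(key), (unsigned)key_flags(key));
    return 0;
}
```

With the flag at the high bit, every flags word fails the range check regardless of what the kernel reports, which matches the assertion firing on an empty asm.js module.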
Assignee
Updated•11 years ago
Flags: needinfo?(dtc-moz)
Updated•11 years ago
Attachment #8336421 -
Flags: review?(mrosenberg) → review+
Reporter
Comment 8•11 years ago
Helping to land here, to unblock fuzzing asm.js on ARM platforms:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1e96d70a3f9b
Thanks for fixing this, Douglas!
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla28
Comment 9•11 years ago
This was backed out and re-landed while investigating frequent B2G reftest timeouts.
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec574743984d
Comment 10•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
Assignee: general → dtc-moz