Closed
Bug 951573
Opened 11 years ago
Closed 11 years ago
Assertion failure: (uint32_t)(const uint32_t *)val == uint32_t(expectedValue.value), at jit/arm/Assembler-arm.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
| Tracking | Status | |
|---|---|---|
| firefox26 | --- | unaffected |
| firefox27 | --- | unaffected |
| firefox28 | --- | unaffected |
| firefox29 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.4 | --- | fixed |
People
(Reporter: gkw, Assigned: mjrosenb)
References
Details
(4 keywords, Whiteboard: [fuzzblocker])
Attachments
(2 files)
|
2.00 KB,
text/plain
|
Details | |
|
909 bytes,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
s = []
for (var j = 0; j < 999999; j++) {}
asserts js debug shell on m-c changeset 862cb6a1cc88 without any CLI arguments at Assertion failure: (uint32_t)(const uint32_t *)val == uint32_t(expectedValue.value), at jit/arm/Assembler-arm.cpp
My configure flags are:
CC="gcc -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" AR=ar CXX="g++ -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" sh ./configure --target=arm-linux-gnueabi --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/9db2450f2a16
user: Hannes Verschore
date: Wed Sep 18 17:53:41 2013 +0200
summary: Bug 910960 - IonMonkey: Improve codegen of TypeBarriers, r=nbp
Hannes, is bug 910960 a likely regressor?Flags: needinfo?(hv1989)
|
||
Comment 1•11 years ago
|
||
The place it is failing, cannot be introduced by Bug 910960. (Though I didn't try to debug myself. This is solely based on the data in comment 0).
Flags: needinfo?(hv1989)
|
Reporter | |
Comment 2•11 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #1) > The place it is failing, cannot be introduced by Bug 910960. (Though I > didn't try to debug myself. This is solely based on the data in comment 0). In that case, we need some ARM folks to take a look - it's occurring very often on ARM.
Flags: needinfo?(mrosenberg)
Whiteboard: [fuzzblocker]
|
|
Reporter | |
Updated•11 years ago
|
status-firefox29:
--- → affected
tracking-firefox29:
--- → ?
|
Assignee | |
Comment 4•11 years ago
|
||
Attachment #8349312 -
Flags: review?(jdemooij)
Flags: needinfo?(mrosenberg)
|
||
Comment 5•11 years ago
|
||
Comment on attachment 8349312 [details] [diff] [review] updateIonScriptLabels-r0.patch Review of attachment 8349312 [details] [diff] [review]: ----------------------------------------------------------------- Oops, thanks!
Attachment #8349312 -
Flags: review?(jdemooij) → review+
|
|
Reporter | |
Comment 6•11 years ago
|
||
Marty, does this bug affect other branches? (it might need sec-approval, for that matter)
Flags: needinfo?(mrosenberg)
|
|
Assignee | |
Comment 7•11 years ago
|
||
it probably isn't a big deal. The added code that is causing this failure is:
jdemooij 1b91cf5c8407: #ifdef DEBUG
jdemooij 1b91cf5c8407: for (size_t i = 0; i < ionScriptLabels_.length(); i++) {
mrosenberg 440213a072ac: ionScriptLabels_[i].fixup(&masm);
jdemooij 1b91cf5c8407: Assembler::patchDataWithValueCheck(CodeLocationLabel(code, ionScriptLabels_[i]),
jdemooij 1b91cf5c8407: ImmPtr(ionScript),
jdemooij 1b91cf5c8407: ImmPtr((void*)-1));
jdemooij 1b91cf5c8407: }
jdemooij 1b91cf5c8407: #endif
which was landed on the 14th, and is actually only active in debug builds, so it isn't that there is a bad patch that is only guarded in debug builds, the relevant code only exists in debug builds.Flags: needinfo?(mrosenberg)
|
|
Reporter | |
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4d49705cdfe Helping to land since this seems to affect only m-c as per comment 7. Thanks!
status-firefox26:
--- → unaffected
status-firefox27:
--- → unaffected
status-firefox28:
--- → unaffected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
tracking-firefox29:
? → ---
|
||
Comment 9•11 years ago
|
||
Backed out for Win7 debug xpcshell orange. https://hg.mozilla.org/integration/mozilla-inbound/rev/343f2a3934ef https://tbpl.mozilla.org/php/getParsedLog.php?id=32177582&tree=Mozilla-Inbound
Assignee: nobody → mrosenberg
|
|
Reporter | |
Updated•11 years ago
|
Flags: needinfo?(mrosenberg)
|
|
||
Comment 10•11 years ago
|
||
This wasn't at fault. Relanded. https://hg.mozilla.org/integration/mozilla-inbound/rev/14eaffaa838a
Flags: needinfo?(mrosenberg)
https://hg.mozilla.org/mozilla-central/rev/14eaffaa838a
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
|
||
Comment 12•10 years ago
|
||
Marking b2g affected-ness based on comment 7.
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
|
|
||
Updated•10 years ago
|
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.4:
--- → fixed
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•