Closed Bug 963959 Opened 10 years ago Closed 10 years ago

Crash [@ Int32x4Lane0] with SIMD

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla30

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 9e06d42c2a6a (run with --fuzzing-safe --ion-compile-try-catch --ion-eager --ion-eager):


assertEq(Object.preventExtensions( SIMD.int32x4.handle(), this) , {});

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
Int32x4Lane0 (cx=0x169ef40, argc=<optimized out>, vp=0x7fffffffaa38) at js/src/builtin/SIMD.cpp:64
64          LANE_ACCESSOR(Int32x4, 0);
#0  Int32x4Lane0 (cx=0x169ef40, argc=<optimized out>, vp=0x7fffffffaa38) at js/src/builtin/SIMD.cpp:64
#1  0x000000000091dc21 in js::CallJSNative (cx=0x169ef40, native=0x487300 <Int32x4Lane0(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:220
#2  0x000000000090ae3d in js::Invoke (cx=0x169ef40, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:464
#3  0x000000000090cb97 in js::Invoke (cx=0x169ef40, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:520
#4  0x00000000009101a7 in js::InvokeGetterOrSetter (cx=0x169ef40, obj=0x7ffff6141140, fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:591
#5  0x00000000008230eb in get (vp=..., pobj=<optimized out>, obj=<optimized out>, receiver=..., cx=0x169ef40, this=<optimized out>) at js/src/vm/Shape-inl.h:68
#6  NativeGetInline<(js::AllowGC)1> (cx=0x169ef40, obj=..., receiver=..., pobj=..., shape=..., vp=...) at js/src/jsobj.cpp:4361
#7  0x000000000084cad3 in GetPropertyHelperInline<(js::AllowGC)1> (cx=0x169ef40, obj=..., receiver=..., id=..., vp=...) at js/src/jsobj.cpp:4558
rax     0x0     0
rip     0x4873e9 <Int32x4Lane0(JSContext*, unsigned int, JS::Value*)+233>
=> 0x4873e9 <Int32x4Lane0(JSContext*, unsigned int, JS::Value*)+233>:   mov    (%rax),%eax
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 879038dcacb7).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20140211112907" and the hash "1a05d8dffc65".
The "good" changeset has the timestamp "20140211114007" and the hash "2ab85f86868a".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1a05d8dffc65&tochange=2ab85f86868a
Flags: needinfo?(nmatsakis)
This was due to the incorrect SIMD push that was backed out.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED
Actually, I'm not sure.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The handle() API that this bug refers to was removed by bug 969578. Therefore I am going to close the issue. If further SIMD crashes occur, they are probably a separate problem.
Status: REOPENED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30