Closed Bug 963959 Opened 11 years ago Closed 11 years ago

Crash [@ Int32x4Lane0] with SIMD

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla30

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 9e06d42c2a6a (run with --fuzzing-safe --ion-compile-try-catch --ion-eager --ion-eager):

assertEq(Object.preventExtensions( SIMD.int32x4.handle(), this) , {});

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
Int32x4Lane0 (cx=0x169ef40, argc=<optimized out>, vp=0x7fffffffaa38) at js/src/builtin/SIMD.cpp:64
64 LANE_ACCESSOR(Int32x4, 0);
#0 Int32x4Lane0 (cx=0x169ef40, argc=<optimized out>, vp=0x7fffffffaa38) at js/src/builtin/SIMD.cpp:64
#1 0x000000000091dc21 in js::CallJSNative (cx=0x169ef40, native=0x487300 <Int32x4Lane0(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:220
#2 0x000000000090ae3d in js::Invoke (cx=0x169ef40, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:464
#3 0x000000000090cb97 in js::Invoke (cx=0x169ef40, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:520
#4 0x00000000009101a7 in js::InvokeGetterOrSetter (cx=0x169ef40, obj=0x7ffff6141140, fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:591
#5 0x00000000008230eb in get (vp=..., pobj=<optimized out>, obj=<optimized out>, receiver=..., cx=0x169ef40, this=<optimized out>) at js/src/vm/Shape-inl.h:68
#6 NativeGetInline<(js::AllowGC)1> (cx=0x169ef40, obj=..., receiver=..., pobj=..., shape=..., vp=...) at js/src/jsobj.cpp:4361
#7 0x000000000084cad3 in GetPropertyHelperInline<(js::AllowGC)1> (cx=0x169ef40, obj=..., receiver=..., id=..., vp=...) at js/src/jsobj.cpp:4558
rax 0x0 0
rip 0x4873e9 <Int32x4Lane0(JSContext*, unsigned int, JS::Value*)+233>
=> 0x4873e9 <Int32x4Lane0(JSContext*, unsigned int, JS::Value*)+233>: mov (%rax),%eax
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 879038dcacb7).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:

=== Tinderbox Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20140211112907" and the hash "1a05d8dffc65".
The "good" changeset has the timestamp "20140211114007" and the hash "2ab85f86868a".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1a05d8dffc65&tochange=2ab85f86868a
Flags: needinfo?(nmatsakis)
This was due to the incorrect SIMD push that was backed out.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED
Actually, I'm not sure.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The handle() API that this bug refers to was removed by bug 969578. Therefore I am going to close the issue. If further SIMD crashes occur, they are probably a separate problem.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30