Closed Bug 1534834 Opened 6 years ago Closed 6 years ago

Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h:778

Categories

(Core :: JavaScript Engine, defect, P1)

ARM64
Linux
defect


RESOLVED DUPLICATE of bug 1534810
Tracking Status
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision c89f024c023f (build with --enable-debug --enable-simulator=arm64 and with asan, run with --fuzzing-safe --wasm-compiler=ion --wasm-gc --test-wasm-await-tier2 --no-asmjs --ion-sincos=on --execute="setJitCompilerOption("ion.forceinlineCaches",1)" --ion-warmup-threshold=100 --ion-edgecase-analysis=off --ion-limit-script-size=off --ion-inlining=off --ion-gvn=off --more-compartments --nursery-strings=off --spectre-mitigations=off --ion-offthread-compile=off --gc-zeal=17,296 --no-threads --baseline-eager):

See attachment.

See backtrace for Asan stack.

For detailed crash information, see attachment.

I wasn't able to reproduce this, but hopefully the Asan stack is useful.

Attached file Testcase (deleted) —
Summary: Assertion failure: (ptrBits & 0x7) == 0, at /home/ubuntu/shell-cache/js-dbg-64-clang-asan-armsim64-linux-x86_64-c89f024c023f/objdir-js/dist/include/js/Value.h:778 → Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h:778

This seems likely related to IonMonkey on ARM64 again.

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Hardware: x86_64 → ARM64
Attached file stack (deleted) —
function h(f, inputs) {
    var x = [];
    for (var j = 0; j < 36; ++j) {
        for (var k = 0; k < 36; ++k) {
            try {
                x.push(f(inputs[j]));
            } catch {}
        }
    }
    uneval(x);
}
function g(x, y) {
    return (Math.imul(x, (y, ~y) >= Math.fround(-0x7fffffff) | 0));
}
h(g, [0, 2, 0, 0, 1, -Number, Math.PI, 0xf, -Number.R, 1, 2, 1, 0, 0, -Number.I, 3, 2, 0, 1, 0, -Number.R, 0, 0, 2,
      2, Number.MIN_VALUE, 0, 8, 2, Number.MAX_VALUE, 1, 0, Number.MAX_SAFE_INTEGER, 1, Number.MIN_SAFE_INTEGER, 1])

Actually here is the testcase.

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads testcase.js
Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h:781
Segmentation fault (core dumped)

I can reproduce the issue mentioned in comment 4.

Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P1
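For anyone reading the assertion text itself: `(ptrBits & 0x7) == 0` is the check that a pointer being boxed into a JS::Value has its low three bits clear, which is what lets the engine reuse those bits for a type tag. The following is an added illustration written for this page, not SpiderMonkey's own Value.h code; it uses a simplified tag layout (the `TAG_*` constants, `boxed_value` and the helper names are assumptions) to show why a misaligned pointer, the kind of value a wrong-width load in JIT-generated code can produce, must be rejected before it is tagged.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative tagged-pointer scheme, not SpiderMonkey's real layout.
 * Pointers handed to the boxing routine must be 8-byte aligned so the
 * low three bits are free for a tag; the alignment test below is the
 * same condition the page's assertion enforces: (ptrBits & 0x7) == 0. */

#define TAG_MASK   0x7ULL
#define TAG_OBJECT 0x1ULL   /* assumed tag value */
#define TAG_STRING 0x2ULL   /* assumed tag value */

typedef struct { uint64_t bits; } boxed_value;

/* Returns 1 when the pointer's low three bits are clear and it may be boxed. */
int pointer_is_boxable(const void *p) {
    return (((uintptr_t)p) & TAG_MASK) == 0;
}

/* Boxes p with tag into *out. Returns 0 and leaves *out untouched when p is
 * misaligned or the tag does not fit; this mirrors the assertion instead of
 * aborting, so the failure can be observed from a test. */
int box_pointer(const void *p, uint64_t tag, boxed_value *out) {
    if (!pointer_is_boxable(p) || (tag & ~TAG_MASK) != 0) {
        return 0;
    }
    out->bits = (uint64_t)(uintptr_t)p | tag;
    return 1;
}

uint64_t boxed_tag(boxed_value v) {
    return v.bits & TAG_MASK;
}

void *unbox_pointer(boxed_value v) {
    return (void *)(uintptr_t)(v.bits & ~TAG_MASK);
}

/* An aligned pointer boxes and unboxes cleanly. uint64_t storage is 8-byte
 * aligned on the 64-bit ABIs the engine targets, so no extra alignment
 * directive is needed. */
int demo_roundtrip(void) {
    static uint64_t storage[2];
    boxed_value v;
    if (!box_pointer(storage, TAG_OBJECT, &v)) {
        return 0;
    }
    return boxed_tag(v) == TAG_OBJECT && unbox_pointer(v) == (void *)storage;
}

/* A pointer one byte into the same object (constructed here to stand in for
 * a corrupted register value) fails the alignment check and is not boxed. */
int demo_misaligned_rejected(void) {
    static uint64_t storage[2];
    const char *off_by_one = (const char *)storage + 1;
    boxed_value v = { 0 };
    return pointer_is_boxable(storage)
        && !pointer_is_boxable(off_by_one)
        && box_pointer(off_by_one, TAG_OBJECT, &v) == 0
        && v.bits == 0;
}

int main(void) {
    printf("aligned roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
    printf("misaligned rejected: %s\n", demo_misaligned_rejected() ? "ok" : "FAIL");
    return 0;
}
```

In a debug engine the equivalent check aborts, which is the "Assertion failure" followed by the segmentation fault in the reproduction above; in a release build the tag bits and the pointer bits would silently mix, so a misaligned value reaching this point is treated as a memory-safety bug rather than a benign assert.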

Nicolas, is this on target for a fix in 67?

Flags: needinfo?(nicolas.b.pierron)

(In reply to Neha Kochar [:neha] from comment #6)

> Nicolas, is this on target for a fix in 67?

I do not know yet; this would depend on whether this is a Baseline / IonMonkey issue.

My understanding is that this is likely an IonMonkey bug, and thus we might not backport it unless IonMonkey ARM64 is also enabled on 67, which isn't the case by default.

Flags: needinfo?(nicolas.b.pierron)

Checking with and without applied patches, this bug is a duplicate of bug 1534810.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE