Crash in asm.js emulator application |
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2816.1 Safari/537.36 Steps to reproduce the problem: In Chrome Canary, on OSX (tested on 10.12 Beta4) or Windows (tested on Windows7): 1. go to http://floooh.github.io/virtualkc/ 2. wait till the emulator has booted, than press Tab a few times (this would open the overlay UI) 3. page crashes What is the expected behavior? What went wrong? aw-snap! Crashed report ID: Absturz-ID e01c980d-4325-4499-b41d-457b0c2f29f8 (Server-ID: 14da3e7e00000000) How much crashed? Just one tab Is it a problem with a plugin? No Did this work before? Yes one or two weeks ago in Canary Chrome version: 54.0.2816.1 Channel: canary OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Shockwave Flash 23.0 r0 This emulator has been triggering at least one other JS engine crash/hang in the recent past: https://bugs.chromium.org/p/chromium/issues/detail?id=611976
,
Aug 5 2016
,
Aug 10 2016
I can repro this on my MAC too. Andreas PTAL
,
Aug 10 2016
,
Aug 10 2016
,
Aug 10 2016
I can repro this on Linux with Chrome/54.0.2824.0
,
Aug 10 2016
+epertoso
,
Aug 16 2016
Hi Jaro, Could you take a look at this? Could this CL: https://codereview.chromium.org/2145683004 be the cause of this problem. I noticed that if you revert this CL in chromium 54.0.2797, then the webpage does not crash anymore. The error message back then was # # Fatal error in ../../v8/src/compiler/representation-change.cc, line 784 # RepresentationChangerError: node #13839:Phi of kMachNone (None) cannot be changed to kRepFloat32 # This crash happened immediately at startup. The crash looks differently in 54.0.2830 because you have to wait for the page to load completely and then press tab. However, it could be the case that newer changes only cover the original problem.
,
Aug 16 2016
Reverting the CL https://codereview.chromium.org/2145683004 in ToT would fix the problem.
,
Aug 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b190d13331ba454a416e03c63804f1873252b24f commit b190d13331ba454a416e03c63804f1873252b24f Author: jarin <jarin@chromium.org> Date: Wed Aug 17 08:45:02 2016 [turbofan] Only do value numbering when types are compatible. At the moment, two NumberConstant nodes get different type even if their value is the same because we always allocate a new heap number for each number constant. This can lead to replacing a node with a node of disjoint type in value numbering, which can result in incorrect code down the line because of inconsistent types. This fix makes sure that we only replace a node with a sub-type node. Once we introduce a proper type for number constants, we can move back to the intersection typing in value numbering. Unfortunately, it is quite hard to write a repro for this because we cache NumberConstant nodes. We only throw away cached values that have too many conflicts (>5), so the test has to contain values that fall into the same bucket. That's where the magic floating point numbers in the test come from (they have the same low 8-bits of their hashes). BUG= chromium:633497 Review-Url: https://codereview.chromium.org/2251833002 Cr-Commit-Position: refs/heads/master@{#38675} [modify] https://crrev.com/b190d13331ba454a416e03c63804f1873252b24f/src/compiler/value-numbering-reducer.cc [add] https://crrev.com/b190d13331ba454a416e03c63804f1873252b24f/test/mjsunit/compiler/regress-633497.js
,
Aug 21 2016
Looks like I'm not able to reproduce the problem anymore in Canary Version 54.0.2835.0 canary (64-bit) on OSX 10.12 beta 5.
,
Aug 22 2016
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by flo...@gmail.com
, Aug 3 2016