[Webkit-unassigned] [Bug 86335] New: Calling convention errors in DFG JIT with thumb2
bugzilla-daemon at webkit.org
Sun May 13 22:42:18 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=86335
Summary: Calling convention errors in DFG JIT with thumb2
Product: WebKit
Version: 528+ (Nightly build)
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: Critical
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hojong.han at samsung.com
There's a crash that occurred right after running the SunSpider benchmark.
Here are the logs below.
DFG compiling code block 0x4803b7d8(0x48045958), number of instructions = 33.
Parsing code block 0x4803b7d8. codeType = FunctionCode, numCapturedVars = 0, needsFullScopeChain = false, needsActivation = false, isStrictMode = false
Parsing bytecode with limit 0x4782fba0 bc#33 at inline depth 1.
Creating basic block 0x4803bca0, #0 for 0x4782fba0 bc#0 at inline depth 1.
Lazy operand [@4, bc#1, r-7] prediction: None
Lazy operand [@8, bc#6, r-8] prediction: None
Lazy operand [@10, bc#9, r-9] prediction: None
Lazy operand [@12, bc#12, r-10] prediction: None
Slow case count for PutById @18 bc#22: 222; exit profile: 0
Marking basic block 0x4803bca0 as linked.
Argument [0] prediction: Other
Argument [1] prediction: Int
Argument [2] prediction: Int
Argument [3] prediction: Int
Preserved vars: -------------------------------
Num callee registers: 5
Graph after optimization:
Block #0 (bc#0):
vars before: (Top, TOP) (Int, []) (Int, []) (Int, []) : (None, []) (None, []) (None, []) (None, []) (None, [])
var links: @0 @1 @2 @3 : - - - - -
0: < 1:-> SetArgument(arg0(A)) predicting Other, double ratio 0.000000
1: < 1:-> SetArgument(arg1(B)) predicting Int, double ratio 0.000000
2: < 1:-> SetArgument(arg2(C)) predicting Int, double ratio 0.000000
3: < 1:-> SetArgument(arg3(D)) predicting Int, double ratio 0.000000
4: < 1:0> GetLocal(@0, arg0(A)) predicting Other, double ratio 0.000000
5: < 1:0> ConvertThis(@4)
6: skipped < 0:-> SetLocal(@5, arg0(E))
7: skipped < 0:-> SetLocal(@5, r0(F))
8: < 1:1> GetLocal(@1, arg1(B)) predicting Int, double ratio 0.000000
9: skipped < 0:-> SetLocal(@8, r1(G))
10: < 1:2> GetLocal(@2, arg2(C)) predicting Int, double ratio 0.000000
11: skipped < 0:-> SetLocal(@10, r2(H))
12: < 1:3> GetLocal(@3, arg3(D)) predicting Int, double ratio 0.000000
13: skipped < 0:-> SetLocal(@12, r3(I))
14: < 1:4> JSConstant($0 = Int32: 1)
15: skipped < 0:-> SetLocal(@14, r4(J))
16: < 1:4> NewArray(@8, @10, @12, @14)
17: skipped < 0:-> SetLocal(@16, r1(K))
18: <!0:-> PutById(@5, @16, id0{V})
19: < 1:4> JSConstant($1 = Undefined)
20: <!0:-> Return(@19)
vars after: (None, []) (None, []) (None, []) (None, []) : (None, []) (None, []) (None, []) (None, []) (None, [])
SpeculativeJIT generating Node @0 (bc#0) at JIT offset 0x8a
SpeculativeJIT generating Node @1 (bc#0) at JIT offset 0x8a
SpeculativeJIT generating Node @2 (bc#0) at JIT offset 0x8a
SpeculativeJIT generating Node @3 (bc#0) at JIT offset 0x8a
SpeculativeJIT generating Node @4 (bc#1) at JIT offset 0x8a GetLocal > format(8) -> JS, vr#0, r1 r0
SpeculativeJIT generating Node @5 (bc#1) at JIT offset 0x92 ConvertThis > isOtherPrediction -> Cell, vr#0, r2
SpeculativeJIT skipping Node @6 (bc#1) at JIT offset 0xb0
SpeculativeJIT skipping Node @7 (bc#3) at JIT offset 0xb0
SpeculativeJIT generating Node @8 (bc#6) at JIT offset 0xb0 -> Integer, vr#1, r4
SpeculativeJIT skipping Node @9 (bc#6) at JIT offset 0xb4
SpeculativeJIT generating Node @10 (bc#9) at JIT offset 0xb4 -> Integer, vr#2, r7
SpeculativeJIT skipping Node @11 (bc#9) at JIT offset 0xb8
SpeculativeJIT generating Node @12 (bc#12) at JIT offset 0xb8 -> Integer, vr#3, r8
SpeculativeJIT skipping Node @13 (bc#12) at JIT offset 0xbc
SpeculativeJIT generating Node @14 (bc#15) at JIT offset 0xbc -> None, vr#4
SpeculativeJIT skipping Node @15 (bc#15) at JIT offset 0xbc
SpeculativeJIT generating Node @16 (bc#18) at JIT offset 0xbc -> Cell, vr#4, r0
SpeculativeJIT skipping Node @17 (bc#18) at JIT offset 0x168
SpeculativeJIT generating Node @18 (bc#22) at JIT offset 0x168 SpecCell at 5
SpeculativeJIT generating Node @19 (bc#31) at JIT offset 0x1ec -> None, vr#4
SpeculativeJIT generating Node @20 (bc#31) at JIT offset 0x1ec
JIT code for 0x4803b7d8 start at [0x47706d00, 0x47706f88). Size = 648.
=============================================================================================================
Breakpoint 1, JSC::DFG::operationPutByIdNonStrictOptimizeWithReturnAddress
(exec=0x49e630e8, encodedValue=0x4776f2c0fffffffb, base=0x48007790, propertyName=0x47706e99, returnAddress=...)
(gdb) i r
r0 0x49e630e8 1239822568 <-- exec
r1 0x477565a0 1198876064 <-- payload of encodedValue
r2 0xfffffffb 4294967291 <-- tag of encodedValue
r3 0x4776f2c0 1198977728 <-- base
r4 0x0 0
r5 0x49e630e8 1239822568
r6 0xe9 233
r7 0x4776f2c0 1198977728
r8 0x0 0
r9 0x4776f2c0 1198977728
r10 0xffffffff 4294967295
r11 0xffffffff 4294967295
r12 0x4154b299 1096069785
sp 0xbeffe5f0 0xbeffe5f0
lr 0x47706e99 1198550681
pc 0x4154b29e 0x4154b29e
cpsr 0x60000030 1610612784
=============================================================================================================
I think there is no problem with the register values,
but the argument values used in "operationPutByIdNonStrictOptimizeWithReturnAddress" are somehow wrong.
According to the ARM calling convention,
if one of the parameters is 64 bits long, then either r0 and r1 or r2 and r3 will be used - but not r1 and r2.
Is there any other step to satisfy this convention?
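The mismatch the report describes can be checked against the gdb dump above. The following C program is an added example, not code from WebKit or from the reporter: it models the AAPCS core-register allocation rule (assuming only 32-bit and 64-bit integer-class arguments, no VFP) for the parameter list (exec, EncodedJSValue, base, propertyName) on 32-bit ARM, and decodes the 64-bit value the callee would read from r2:r3 versus the payload/tag pair the JIT placed in r1:r2 (register roles as annotated in the report).

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified AAPCS core-register allocation (assumption: only 32-bit and
 * 64-bit integer-class arguments, no VFP). out[i] receives the first core
 * register (0..3) assigned to argument i, or -1 if it goes on the stack.
 * Returns the number of core registers consumed. */
int aapcs_assign(const int *sizes, int n, int *out) {
    int ncrn = 0;                       /* Next Core Register Number */
    for (int i = 0; i < n; i++) {
        int words = sizes[i] / 4;
        if (words == 2 && (ncrn & 1))   /* 64-bit values start at an even register */
            ncrn++;
        if (ncrn + words <= 4) {        /* fits in r0..r3 */
            out[i] = ncrn;
            ncrn += words;
        } else {                        /* spills to the stack; later args follow it */
            out[i] = -1;
            ncrn = 4;
        }
    }
    return ncrn;
}

/* Core registers r0..r3 as shown in the report's gdb dump. */
static const uint32_t dump_r[4] = { 0x49e630e8u, 0x477565a0u, 0xfffffffbu, 0x4776f2c0u };

/* What the callee decodes as the 64-bit encodedValue under AAPCS: r2:r3, low word in r2. */
uint64_t callee_encoded_value(const uint32_t *r) {
    return ((uint64_t)r[3] << 32) | r[2];
}

/* What the JIT meant to pass: payload in r1, tag in r2 (r1:r2, a pair AAPCS never uses). */
uint64_t jit_encoded_value(const uint32_t *r) {
    return ((uint64_t)r[2] << 32) | r[1];
}

int main(void) {
    /* (exec, EncodedJSValue, base, propertyName): 4, 8, 4, 4 bytes on 32-bit ARM */
    int sizes[4] = { 4, 8, 4, 4 }, regs[4];
    aapcs_assign(sizes, 4, regs);
    for (int i = 0; i < 4; i++) {
        if (regs[i] < 0) printf("arg%d: stack\n", i);
        else printf("arg%d: r%d\n", i, regs[i]);
    }
    printf("callee sees encodedValue = 0x%016llx (the value in the gdb frame)\n",
           (unsigned long long)callee_encoded_value(dump_r));
    printf("JIT intended encodedValue = 0x%016llx\n",
           (unsigned long long)jit_encoded_value(dump_r));
    return 0;
}
```

Under AAPCS the callee expects exec in r0, encodedValue in r2:r3 and base on the stack, so the r3 the JIT loaded with base is read as the high word of encodedValue, exactly the 0x4776f2c0fffffffb gdb shows.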