[Webkit-unassigned] [Bug 103146] ARMv7 replaceWithJump ASSERT failure after r135330.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Nov 24 07:04:24 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=103146

--- Comment #2 from Balazs Kilvady <kilvadyb at homejinni.com>  2012-11-24 07:06:30 PST ---
(In reply to comment #1)
> (In reply to comment #0)
> > Running v8 test v7 with jsc in debug mode on our ARMv7 board I received this ASSERT failure:
> > 
> > Starting program: /data/kilvadyb/webkit-arm/webkit/WebKitBuild/Debug/bin/jsc run.js
> > [Thread debugging using libthread_db enabled]
> > [New Thread 0x42dc4400 (LWP 1111)]
> > Richards: 161
> > DeltaBlue: 21.8
> > Crypto: 110
> > RayTrace: 101
> > ASSERTION FAILED: canBeJumpT4(instruction, target)
> > /data/kilvadyb/webkit-arm/webkit/Source/JavaScriptCore/assembler/ARMv7Assembler.h(2475) : static void JSC::ARMv7Assembler::linkJumpT4(uint16_t*, void*)
> > 
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x4040b38c in JSC::ARMv7Assembler::linkJumpT4 (instruction=0x455695f6, target=0x43599dc0)
> >     at /data/kilvadyb/webkit-arm/webkit/Source/JavaScriptCore/assembler/ARMv7Assembler.h:2475
> > 2475            ASSERT(canBeJumpT4(instruction, target));
> > (gdb)
> > 
> > I had similar problem on MIPS where a replaceWithJump would be easier to implement with direct jump instead of jump via register.
> 
> Actually, it looks like that assert is just wrong. I'll look more in a bit.

Thank you for checking it. On MIPS I have this problem (at exactly the same test step) when the one-word (4-byte) "jump to a direct address" instruction has range boundaries and the target address of the jump is outside those boundaries. I guess the same happens on ARM when the target range of the T4-type jump is not enough. On MIPS I could use
target -> register
jump via register
but it would take four one-word (4 bytes == word) instructions, so replaceWithJump might overwrite some useful already-generated instructions, and that would cause problems when the replace-jump code has to be reverted. I could solve it only by using nop instruction words to make room for the 4-word replace-jump, so that it is possible to revert.

On MIPS the usually replaced/overwritten code:
lui t0, 0xXXXX
ori t0, t0, 0xYYYY
bne t0, t4, address
nop

(The same usually replaced code on ARM:
movw r12, YYYY
movt r12, XXXX
cmp r12, rN
bne address
)

and the jump via register:

lui t0, 0xXXXX
ori t0, t0, 0xXXXX
jr t0
nop ; necessary in "jump/branch slot".

So this kind of jump replacement overwrites the "bne reg1, reg0, address" instruction, and the address value would be lost.
