[Webkit-unassigned] [Bug 98857] [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash

bugzilla-daemon at webkit.org
Thu Oct 25 09:54:18 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=98857

--- Comment #9 from Filip Pizlo <fpizlo at apple.com>  2012-10-25 09:55:26 PST ---
(In reply to comment #7)
> (In reply to comment #6)
> 
> > Or we should disable the DFG JIT on ARM as a workaround. Gábor,
> > do you think the bug would disappear if we disabled the DFG JIT?
> 
> Unfortunately disabling the DFG JIT wouldn't solve this problem.
> 
> I have some debugging information about the crash; maybe Filip or someone else with more expertise could figure out something from it:
> 
> 
> (gdb) info breakpoints
> Num     Type           Disp Enb Address    What
> 1       breakpoint     keep y   0x002cffd4 in JSC::JIT::privateCompileGetByVal(JSC::ByValInfo*, JSC::ReturnAddressPtr, JSC::JITArrayMode) 
>                                            at /home/bgabor/WebKit/Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1468
> 2       breakpoint     keep n   0x0008f0c0 in JSC::ARMAssembler::getLdrImmAddress(unsigned int*) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:780
> (gdb) r
> Starting program: /home/bgabor/jsc/test-crash/jsc -s -f ecma_3/shell.js -f ecma_3/Object/shell.js -f ecma_3/Object/class-001.js
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/libthread_db.so.1".
> [New Thread 0x42850450 (LWP 4914)]
> 
> Breakpoint 1, JSC::JIT::privateCompileGetByVal (this=0xbeffdae0, byValInfo=0x82b6c8, returnAddress=..., arrayMode=JSC::JITArrayStorage)
>     at /home/bgabor/WebKit/Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1468
> 1468        repatchBuffer.relink(byValInfo->badTypeJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
> (gdb) p byValInfo->badTypeJump
> $1 = {<JSC::CodeLocationCommon> = {<JSC::MacroAssemblerCodePtr> = {m_value = 0x40022c10}, <No data fields>}, <No data fields>}
> (gdb) x/i 0x40022c10
>    0x40022c10:  ldr     r4, [r0, #3071384]

This looks suspicious.  Why are we loading from r0 at such a *HUGE* offset?

> (gdb) enable 2
> (gdb) c
> Continuing.
> 
> Breakpoint 2, JSC::ARMAssembler::getLdrImmAddress (insn=0x40022c0c) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:783
> 783                 if ((*insn & LdrPcImmediateInstructionMask) != LdrPcImmediateInstruction) {
> (gdb) x/i 0x40022c0c
>    0x40022c0c:  bne     0x40022e60

So, you're emitting a bne for patchableBranch32, and then you're trying to patch a blx when relink() is called.

That's your bug.

Either make relink() work with bne, or make patchableBranch32 emit a blx.

> (gdb) x/i (0x40022c0c + 0x4)
>    0x40022c10:  ldr     r4, [r0, #3071384]
> (gdb) c
> Continuing.
> ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction
> /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h(785) : static JSC::ARMWord* JSC::ARMAssembler::getLdrImmAddress(JSC::ARMWord*)
> 1   0x8f134 /home/bgabor/jsc/test-crash/jsc() [0x8f134]
> 2   0x93b08 /home/bgabor/jsc/test-crash/jsc() [0x93b08]
> 3   0x20c6bc /home/bgabor/jsc/test-crash/jsc() [0x20c6bc]
> 4   0x20ce7c /home/bgabor/jsc/test-crash/jsc() [0x20ce7c]
> 5   0x20cd84 /home/bgabor/jsc/test-crash/jsc() [0x20cd84]
> 6   0x2d0028 /home/bgabor/jsc/test-crash/jsc() [0x2d0028]
> 7   0x2edb88 /home/bgabor/jsc/test-crash/jsc() [0x2edb88]
> 8   0x2e3da0 /home/bgabor/jsc/test-crash/jsc() [0x2e3da0]
> 9   0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 10  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 11  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 12  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 13  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 14  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 15  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 16  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 17  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 18  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 19  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 20  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 21  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 22  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 23  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 24  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 25  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 26  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 27  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 28  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 29  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 30  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 31  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x0008f144 in JSC::ARMAssembler::getLdrImmAddress (insn=0x40022c0c) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:785
> 785                     ASSERT((*insn & BlxInstructionMask) == BlxInstruction);
> (gdb)
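
To make the instruction-pattern check concrete, here is an added example (mine, not code from this thread or from JavaScriptCore) that models what a pool-based repatcher on ARM has to verify before it can rewrite a jump target. The bit patterns are the architectural A32 encodings for ldr Rt, [pc, #imm], ldr pc, [pc, #imm], blx Rm and b<cond>; the macro names, the buffer layout and the pool-word placeholders are my own assumptions, and the bne word is computed from the two addresses in the gdb output above (0x40022c0c -> 0x40022e60). A conditional b carries its target inside the instruction, so there is no pool word to patch: the lookup reports that instead of guessing, which is the behaviour an ASSERT that is compiled out of release builds would not give you.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A32 encodings from the ARM architecture reference manual; the macro names
 * are mine and are not JSC's constants. */
#define LDR_LIT_MASK    0x0F7F0000u  /* ldr Rt, [pc, #+/-imm12]; U bit left free */
#define LDR_LIT         0x051F0000u
#define LDR_PC_LIT_MASK 0x0F7FF000u  /* the same with Rt = pc */
#define LDR_PC_LIT      0x051FF000u
#define BLX_REG_MASK    0x0FFFFFF0u  /* blx Rm */
#define BLX_REG         0x012FFF30u
#define B_INSN          0x0A000000u  /* b<cond> imm24 */
#define U_BIT           (1u << 23)
#define COND_AL 0xEu
#define COND_NE 0x1u
#define REG_IP  12u
#define REG_PC  15u

typedef enum { PATCH_LDR_PC, PATCH_BLX, PATCH_UNSUPPORTED } PatchKind;

/* The two shapes a pool-based patch site may have; anything else is rejected. */
static PatchKind classify(uint32_t insn) {
    if ((insn & LDR_PC_LIT_MASK) == LDR_PC_LIT) return PATCH_LDR_PC;
    if ((insn & BLX_REG_MASK) == BLX_REG) return PATCH_BLX;
    return PATCH_UNSUPPORTED;
}

/* pc reads as the instruction address + 8 in these encodings. */
static uint32_t encode_ldr_literal(uint32_t cond, uint32_t rt, int32_t byte_off) {
    uint32_t imm = (uint32_t)(byte_off < 0 ? -byte_off : byte_off);
    assert(imm <= 0xFFFu);
    return (cond << 28) | LDR_LIT | (byte_off < 0 ? 0u : U_BIT) | (rt << 12) | imm;
}

static uint32_t encode_blx_reg(uint32_t cond, uint32_t rm) {
    return (cond << 28) | BLX_REG | (rm & 0xFu);
}

static uint32_t encode_b(uint32_t cond, uint32_t from, uint32_t to) {
    int32_t delta = (int32_t)(to - (from + 8));
    assert((delta & 3) == 0);
    return (cond << 28) | B_INSN | (((uint32_t)delta >> 2) & 0x00FFFFFFu);
}

/* Index of the literal-pool word holding the target of the patchable
 * instruction at code[at], or -1 if code[at] is not one of the two forms. */
static long literal_index(const uint32_t *code, size_t n, size_t at) {
    if (at >= n) return -1;
    size_t ldr_at = at;
    switch (classify(code[at])) {
    case PATCH_LDR_PC:
        break;
    case PATCH_BLX:
        /* blx Rm is preceded by the ldr Rm, [pc, #imm] that loaded the target */
        if (at == 0 || (code[at - 1] & LDR_LIT_MASK) != LDR_LIT) return -1;
        if (((code[at - 1] >> 12) & 0xFu) != (code[at] & 0xFu)) return -1;
        ldr_at = at - 1;
        break;
    default:
        return -1;   /* e.g. a conditional b: there is no pool slot to patch */
    }
    int32_t off = (int32_t)(code[ldr_at] & 0xFFFu);
    if (!(code[ldr_at] & U_BIT)) off = -off;
    long idx = (long)ldr_at + 2 + off / 4;   /* two words ahead = pc */
    return (idx >= 0 && (size_t)idx < n) ? idx : -1;
}

/* Retarget a patch site by rewriting its pool word; refuse rather than guess. */
static int relink(uint32_t *code, size_t n, size_t at, uint32_t new_target) {
    long idx = literal_index(code, n, at);
    if (idx < 0) return 0;
    code[idx] = new_target;
    return 1;
}

/* Constructed buffer: one pool-based call, one pool-based jump, the bne from
 * the gdb output (0x40022c0c -> 0x40022e60), and a two-word pool at the end. */
enum { CODE_WORDS = 8, POOL_CALL = 6, POOL_JUMP = 7 };

static uint32_t *demo_code(void) {
    static uint32_t code[CODE_WORDS];
    code[0] = encode_ldr_literal(COND_AL, REG_IP, (POOL_CALL - 0 - 2) * 4); /* ldr ip, [pc, #16] */
    code[1] = encode_blx_reg(COND_AL, REG_IP);                              /* blx ip */
    code[2] = encode_ldr_literal(COND_AL, REG_PC, (POOL_JUMP - 2 - 2) * 4); /* ldr pc, [pc, #12] */
    code[3] = encode_b(COND_NE, 0x40022c0cu, 0x40022e60u);                  /* bne, as in comment #7 */
    code[4] = code[5] = 0xE1A00000u;                                        /* nop (mov r0, r0) */
    code[POOL_CALL] = 0x00400000u;  /* placeholder call target */
    code[POOL_JUMP] = 0x00400100u;  /* placeholder jump target */
    return code;
}

int main(void) {
    uint32_t *code = demo_code();
    for (size_t i = 0; i < 4; i++)
        printf("code[%zu] = 0x%08X -> pool index %ld\n", i, code[i], literal_index(code, CODE_WORDS, i));
    return 0;
}
```

The fourth line of output is the interesting one: the bne word comes out as 0x1A000093 and maps to pool index -1, the same mismatch the assertion in getLdrImmAddress trips over, because neither the ldr pc nor the blx pattern matches a conditional branch. relink() therefore returns 0 for that site and leaves the buffer untouched.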
