[Webkit-unassigned] [Bug 98857] [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 25 01:16:16 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=98857





--- Comment #7 from Gabor Ballabas <gaborb at inf.u-szeged.hu>  2012-10-25 01:17:23 PST ---
(In reply to comment #6)

> Or we should disable DFG JIT on ARM as a workaround. Gábor,
> so you think if the bug would disappear with disabling DFG JIT?

Unfortunately disabling the DFG JIT wouldn't solve this problem.

I have some debugging information about the crash maybe Filip or someone else with more expertise could figure out something from it:


(gdb) info breakpoints
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x002cffd4 in JSC::JIT::privateCompileGetByVal(JSC::ByValInfo*, JSC::ReturnAddressPtr, JSC::JITArrayMode) 
                                           at /home/bgabor/WebKit/Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1468
2       breakpoint     keep n   0x0008f0c0 in JSC::ARMAssembler::getLdrImmAddress(unsigned int*) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:780
(gdb) r
Starting program: /home/bgabor/jsc/test-crash/jsc -s -f ecma_3/shell.js -f ecma_3/Object/shell.js -f ecma_3/Object/class-001.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
[New Thread 0x42850450 (LWP 4914)]

Breakpoint 1, JSC::JIT::privateCompileGetByVal (this=0xbeffdae0, byValInfo=0x82b6c8, returnAddress=..., arrayMode=JSC::JITArrayStorage)
    at /home/bgabor/WebKit/Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1468
1468        repatchBuffer.relink(byValInfo->badTypeJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
(gdb) p byValInfo->badTypeJump
$1 = {<JSC::CodeLocationCommon> = {<JSC::MacroAssemblerCodePtr> = {m_value = 0x40022c10}, <No data fields>}, <No data fields>}
(gdb) x/i 0x40022c10
   0x40022c10:  ldr     r4, [r0, #3071384]
(gdb) enable 2
(gdb) c
Continuing.

Breakpoint 2, JSC::ARMAssembler::getLdrImmAddress (insn=0x40022c0c) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:783
783                 if ((*insn & LdrPcImmediateInstructionMask) != LdrPcImmediateInstruction) {
(gdb) x/i 0x40022c0c
   0x40022c0c:  bne     0x40022e60
(gdb) x/i (0x40022c0c + 0x4)
   0x40022c10:  ldr     r4, [r0, #3071384]
(gdb) c
Continuing.
ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction
/home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h(785) : static JSC::ARMWord* JSC::ARMAssembler::getLdrImmAddress(JSC::ARMWord*)
1   0x8f134 /home/bgabor/jsc/test-crash/jsc() [0x8f134]
2   0x93b08 /home/bgabor/jsc/test-crash/jsc() [0x93b08]
3   0x20c6bc /home/bgabor/jsc/test-crash/jsc() [0x20c6bc]
4   0x20ce7c /home/bgabor/jsc/test-crash/jsc() [0x20ce7c]
5   0x20cd84 /home/bgabor/jsc/test-crash/jsc() [0x20cd84]
6   0x2d0028 /home/bgabor/jsc/test-crash/jsc() [0x2d0028]
7   0x2edb88 /home/bgabor/jsc/test-crash/jsc() [0x2edb88]
8   0x2e3da0 /home/bgabor/jsc/test-crash/jsc() [0x2e3da0]
9   0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
10  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
11  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
12  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
13  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
14  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
15  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
16  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
17  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
18  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
19  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
20  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
21  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
22  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
23  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
24  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
25  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
26  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
27  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
28  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
29  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
30  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
31  0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]

Program received signal SIGSEGV, Segmentation fault.
0x0008f144 in JSC::ARMAssembler::getLdrImmAddress (insn=0x40022c0c) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:785
785                     ASSERT((*insn & BlxInstructionMask) == BlxInstruction);
(gdb)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list