[Webkit-unassigned] [Bug 98857] [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
bugzilla-daemon at webkit.org
Thu Oct 25 09:54:18 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=98857
--- Comment #9 from Filip Pizlo <fpizlo at apple.com> 2012-10-25 09:55:26 PST ---
(In reply to comment #7)
> (In reply to comment #6)
>
> > Or we should disable DFG JIT on ARM as a workaround. Gábor,
> > so you think if the bug would disappear with disabling DFG JIT?
>
> Unfortunately disabling the DFG JIT wouldn't solve this problem.
>
> I have some debugging information about the crash maybe Filip or someone else with more expertise could figure out something from it:
>
>
> (gdb) info breakpoints
> Num Type Disp Enb Address What
> 1 breakpoint keep y 0x002cffd4 in JSC::JIT::privateCompileGetByVal(JSC::ByValInfo*, JSC::ReturnAddressPtr, JSC::JITArrayMode)
> at /home/bgabor/WebKit/Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1468
> 2 breakpoint keep n 0x0008f0c0 in JSC::ARMAssembler::getLdrImmAddress(unsigned int*) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:780
> (gdb) r
> Starting program: /home/bgabor/jsc/test-crash/jsc -s -f ecma_3/shell.js -f ecma_3/Object/shell.js -f ecma_3/Object/class-001.js
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/libthread_db.so.1".
> [New Thread 0x42850450 (LWP 4914)]
>
> Breakpoint 1, JSC::JIT::privateCompileGetByVal (this=0xbeffdae0, byValInfo=0x82b6c8, returnAddress=..., arrayMode=JSC::JITArrayStorage)
> at /home/bgabor/WebKit/Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1468
> 1468 repatchBuffer.relink(byValInfo->badTypeJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
> (gdb) p byValInfo->badTypeJump
> $1 = {<JSC::CodeLocationCommon> = {<JSC::MacroAssemblerCodePtr> = {m_value = 0x40022c10}, <No data fields>}, <No data fields>}
> (gdb) x/i 0x40022c10
> 0x40022c10: ldr r4, [r0, #3071384]
This looks suspicious. Why are we loading from r0 at such a *HUGE* offset?
> (gdb) enable 2
> (gdb) c
> Continuing.
>
> Breakpoint 2, JSC::ARMAssembler::getLdrImmAddress (insn=0x40022c0c) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:783
> 783 if ((*insn & LdrPcImmediateInstructionMask) != LdrPcImmediateInstruction) {
> (gdb) x/i 0x40022c0c
> 0x40022c0c: bne 0x40022e60
So, you're emitting a bne for patchableBranch32, and then you're trying to patch a blx when relink() is called.
That's your bug.
Either make relink() work with bne, or make patchableBranch32 emit a blx.
> (gdb) x/i (0x40022c0c + 0x4)
> 0x40022c10: ldr r4, [r0, #3071384]
> (gdb) c
> Continuing.
> ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction
> /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h(785) : static JSC::ARMWord* JSC::ARMAssembler::getLdrImmAddress(JSC::ARMWord*)
> 1 0x8f134 /home/bgabor/jsc/test-crash/jsc() [0x8f134]
> 2 0x93b08 /home/bgabor/jsc/test-crash/jsc() [0x93b08]
> 3 0x20c6bc /home/bgabor/jsc/test-crash/jsc() [0x20c6bc]
> 4 0x20ce7c /home/bgabor/jsc/test-crash/jsc() [0x20ce7c]
> 5 0x20cd84 /home/bgabor/jsc/test-crash/jsc() [0x20cd84]
> 6 0x2d0028 /home/bgabor/jsc/test-crash/jsc() [0x2d0028]
> 7 0x2edb88 /home/bgabor/jsc/test-crash/jsc() [0x2edb88]
> 8 0x2e3da0 /home/bgabor/jsc/test-crash/jsc() [0x2e3da0]
> 9 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 10 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 11 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 12 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 13 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 14 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 15 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 16 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 17 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 18 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 19 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 20 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 21 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 22 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 23 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 24 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 25 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 26 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 27 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 28 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 29 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 30 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
> 31 0x2e3b48 /home/bgabor/jsc/test-crash/jsc() [0x2e3b48]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0008f144 in JSC::ARMAssembler::getLdrImmAddress (insn=0x40022c0c) at /home/bgabor/WebKit/Source/JavaScriptCore/assembler/ARMAssembler.h:785
> 785 ASSERT((*insn & BlxInstructionMask) == BlxInstruction);
> (gdb)
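The mismatch Filip points at above (relink() walking back from the return address expecting a blx/ldr-pc sequence, but finding the bne that patchableBranch32 emitted) is the kind of precondition a code patcher should check rather than assert on. The following is an added illustration, not JSC's own code: a small ARM instruction classifier built from the public ARM encodings for B{cond}, BLX Rm and LDR Rt, [pc, #imm], plus a relink_check() that refuses to patch when the word at the patch site is not the kind of instruction the patcher assumed. The masks, the function names and the sample words are all constructed here (the bne word 0x1A000093 is reconstructed so that, at address 0x40022c0c, it targets 0x40022e60 as in the disassembly above); none of them are JSC constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Instruction classes a patcher has to tell apart before rewriting a word. */
typedef enum {
    INSN_OTHER = 0,
    INSN_BRANCH,        /* B{cond}/BL{cond}: cond 101 L imm24                 */
    INSN_BLX_REG,       /* BLX{cond} Rm: cond 0001 0010 1111 1111 1111 0011 Rm */
    INSN_LDR_PC_REL     /* LDR{cond} Rt, [pc, #+/-imm12] (literal load)        */
} insn_kind;

/* Masks and values taken from the ARM architecture encodings; these are
 * constructed for this example, not JSC's LdrPcImmediateInstructionMask /
 * BlxInstructionMask constants. */
#define BRANCH_MASK    0x0E000000u
#define BRANCH_VALUE   0x0A000000u
#define BLX_REG_MASK   0x0FFFFFF0u
#define BLX_REG_VALUE  0x012FFF30u
#define LDR_PC_MASK    0x0E5F0000u  /* bits 27:25 = 010, B = 0, L = 1, Rn = 15 */
#define LDR_PC_VALUE   0x041F0000u

insn_kind classify(uint32_t insn)
{
    if ((insn & BLX_REG_MASK) == BLX_REG_VALUE) return INSN_BLX_REG;
    if ((insn & BRANCH_MASK) == BRANCH_VALUE)   return INSN_BRANCH;
    if ((insn & LDR_PC_MASK) == LDR_PC_VALUE)   return INSN_LDR_PC_REL;
    return INSN_OTHER;
}

/* Target of a B/BL at insn_addr: pc reads as insn_addr + 8 on ARM, and the
 * low 24 bits are a signed word offset. */
uint32_t branch_target(uint32_t insn_addr, uint32_t insn)
{
    int32_t imm24 = (int32_t)(insn & 0x00FFFFFFu);
    if (imm24 & 0x00800000)          /* sign-extend from bit 23 */
        imm24 -= 0x01000000;
    return insn_addr + 8 + (uint32_t)(imm24 * 4);
}

/* Address of the literal pool slot read by LDR Rt, [pc, #+/-imm12]. */
uint32_t ldr_literal_address(uint32_t insn_addr, uint32_t insn)
{
    uint32_t imm12 = insn & 0xFFFu;
    uint32_t base = insn_addr + 8;
    return (insn & (1u << 23)) ? base + imm12 : base - imm12;  /* U bit */
}

/* Defensive precondition for a patcher: 0 if the word at the patch site is
 * the expected kind, -1 if it is not. A caller can then report the offending
 * word instead of walking into a crash as getLdrImmAddress() does when it
 * hits a bne where it assumed a blx. */
int relink_check(uint32_t insn, insn_kind expected)
{
    return classify(insn) == expected ? 0 : -1;
}

int main(void)
{
    /* Constructed sample words; the first is the bne from the gdb session. */
    const uint32_t site_addr = 0x40022c0cu;
    const uint32_t bne_word  = 0x1A000093u;  /* bne 0x40022e60 at 0x40022c0c */
    const uint32_t blx_word  = 0xE12FFF3Cu;  /* blx ip                       */
    const uint32_t ldr_word  = 0xE59F4010u;  /* ldr r4, [pc, #16]            */

    printf("0x%08x: kind %d, target 0x%08x\n", bne_word,
           classify(bne_word), branch_target(site_addr, bne_word));
    printf("0x%08x: kind %d\n", blx_word, classify(blx_word));
    printf("0x%08x: kind %d, literal at 0x%08x\n", ldr_word,
           classify(ldr_word), ldr_literal_address(0x1000u, ldr_word));

    /* What a guarded relink would have reported at this patch site. */
    if (relink_check(bne_word, INSN_BLX_REG) != 0)
        printf("refusing to patch: expected blx, found 0x%08x\n", bne_word);
    return 0;
}
```

The order of the tests in classify() matters only in that the BLX-register encoding lives in the data-processing space (bits 27:25 = 000), so it can never collide with the branch mask; checking the most specific pattern first keeps the function honest if further kinds are added.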