[Webkit-unassigned] [Bug 117281] New: Crash in V8 benchmarks set in ARM, softfp, EABI

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 5 21:43:26 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=117281

           Summary: Crash in V8 benchmarks set in ARM,softfp,EABI
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: youngho33.yoo at lge.com
                CC: mark.lam at apple.com


Overview :

In Qt, ARM platform, -mfloat-abi=softfp and EABI compile option,
There is crash in V8 benchmark, splay.js 

Steps to Reproduce:

1. http://v8.googlecode.com/svn/data/benchmarks/v7/run.html
2. Automately run V8 Benchmark suite - version 7

Actual Results:

When running Splay benchmarks it crashed and rerun the web page.

Expected Results:

Successfully running benchmarks, and then < Score : xxxx > showed up.

Build Date & Platform:

Linux, Qt, WebKit2, ARM_THUMB2 with LLInt + JIT + DFG_JIT (rev 149600)
with -mfloat-abi=softfp and EABI compile option.

Additional Builds and Platforms:

Doesn't Occur on Linux, Qt, WebKit2, ARM_THUMB2 with LLInt + JIT (rev 149600)

Additional Information:

i) w/o DFG_JIT It doesn't occur.

ii) in splay.js, there is the push function

-----
/**
 * @return {Array<*>} An array containing all the keys of tree's nodes.
 */
SplayTree.prototype.exportKeys = function() {
  var result = [];
  if (!this.isEmpty()) {
    this.root_.traverse_(function(node) { result.push(node.key); });
  }
  return result;
};
-----

That is the crash site in JSC with running DFG-JIT.

iii) and http://www.smashcat.org/av/canvas_test is crash too.


Solution :

With -mfloat-abi=softfp and EABI compile option,
ii) and iii), call 
ALWAYS_INLINE void setupArgumentsWithExecState(FPRReg arg1, GPRReg arg2)<line 564, revision 151251>
and 
ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, GPRReg arg2, FPRReg arg3)<line 571, revision 151251>
in dfg/DFGCCallHelpers.h

if it uses no hardfp, which means that it uses softfp,
And when being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
 To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.

In JSC, it uses EABI_32BIT_DUMMY_ARG for that, but in softfp option, it misses using EABI_32BIT_DUMMY_ARG for FPRReg, 
even if it uses like this below(don't aligned even-numbered register)
assembler().vmov(GPRInfo::argumentGPR1, GPRInfo::argumentGPR2, arg1);

So change the code with EABI_32BIT_DUMMY_ARG will fix it.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list