[Webkit-unassigned] [Bug 123277] New: REGRESSION(r157164): v8-v6/v8-raytrace.js crashes on arm and sh4
bugzilla-daemon at webkit.org
Thu Oct 24 10:08:51 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=123277
Summary: REGRESSION(r157164): v8-v6/v8-raytrace.js crashes on arm and sh4
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jbriance at cisco.com
Since r157164 (http://trac.webkit.org/changeset/157164), the v8-v6/v8-raytrace.js test crashes in JIT code on CPU(ARM_TRADITIONAL) and CPU(SH4) architectures.
The crash occurs in code generated by the virtualThunkGenerator function in jit/ThunkGenerators.cpp:
            CCallHelpers::TrustedImm32(JSValue::CellTag)));
#endif
    jit.loadPtr(CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::structureOffset()), GPRInfo::nonArgGPR2);
    slowCase.append(
        jit.branchPtr(
            CCallHelpers::NotEqual,
            CCallHelpers::Address(GPRInfo::nonArgGPR2, Structure::classInfoOffset()),
            CCallHelpers::TrustedImmPtr(JSFunction::info())));
The jit.loadPtr(CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::structureOffset()), GPRInfo::nonArgGPR2) is fine, but the value loaded into GPRInfo::nonArgGPR2 is null.
So the next instruction "CCallHelpers::Address(GPRInfo::nonArgGPR2, Structure::classInfoOffset())" dereferences this null pointer, causing the crash.
ARM generated code:
Program received signal SIGSEGV, Segmentation fault.
0x3444c6cc in ?? ()
(gdb) disassemble $pc-16, $pc+16
Dump of assembler code from 0x3444c6bc to 0x3444c6dc:
0x3444c6bc: andeq r0, r0, r0
0x3444c6c0: cmn r8, #5
0x3444c6c4: bne 0x3444c708
0x3444c6c8: ldr r9, [r4] // this line is jit.loadPtr(CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::structureOffset()), GPRInfo::nonArgGPR2)
=> 0x3444c6cc: ldr r12, [r9, #32]
0x3444c6d0: movw r3, #53092 ; 0xcf64
0x3444c6d4: movt r3, #69 ; 0x45
0x3444c6d8: cmp r12, r3
End of assembler dump.
(gdb) info registers
r0 0x344fef98 877653912
r1 0xfffffffb 4294967291
r2 0x0 0
r3 0x349e3ac0 882784960
r4 0x349e3ab8 882784952
r5 0x349e3ab8 882784952
r6 0x200 512
r7 0x3526296c 891693420
r8 0xfffffffb 4294967291
r9 0x0 0
r10 0x352ff1d4 892334548
r11 0x3524e100 891609344
r12 0x3444c6c0 876922560
sp 0x3efff3d8 0x3efff3d8
lr 0x3444cd24 0x3444cd24
pc 0x3444c6cc 0x3444c6cc
cpsr 0x60000010 1610612752
SH4:
(gdb) disassemble $pc-8, $pc+8
Dump of assembler code from 0x2c20d7c6 to 0x2c20d7d6:
0x2c20d7c6: mov.l 0x2c20d818,r13 ! 0x2e
0x2c20d7c8: braf r13
0x2c20d7ca: nop
0x2c20d7cc: mov.l @r10,r9 // this line is jit.loadPtr(CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::structureOffset()), GPRInfo::nonArgGPR2)
=> 0x2c20d7ce: mov.l @(32,r9),r3
0x2c20d7d0: mov.l 0x2c20d81c,r11 ! 0x839594 <_ZN3JSC10JSFunction6s_infoE>
0x2c20d7d2: cmp/eq r11,r3
0x2c20d7d4: bt 0x2c20d7dc
End of assembler dump.
(gdb) regs
PC 2c20d7ce SR 00008001 PR 2c20de3c MACH 00000000
GBR 2aafc4a0 VBR 00000000 DBR 00000000 MACL 00000000
SSR 00000000 SPC 00000000 SGR 00000000
FPUL 00000000 FPSCR 00080004
R0-R7 2c15e918 fffffffb 00000000 00000000 2b31500c 2b3aae00 2c15e918 00000007
R8-R15 fffffffb e6e03aee 2c072b90 2c08f6f0 00840b28 000002da 2c072b90 7bc5bf88
R0b-R7b 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
DR0-DR6 0000000000000000 c0329ffcf21e3574 c0329ffcf21e3574 4035000000000000
DR8-DR14 ebfb6332890233b0 0d23dd77e34c0009 41f0000000000000 0000000000000000
XD0-XD6 0000000000000000 0000000000000000 0000000000000000 0000000000000000
XD8-XD14 0000000000000000 0000000000000000 0000000000000000 0000000000000000
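A triage helper for dumps like the two above, written as an added example (it is not code from this report or from WebKit): it parses the faulting load's memory operand out of the gdb disassembly (ARM `[rY, #imm]` and SH4 `@(disp,rY)` / `@rY` syntax), resolves it against the register dump, and reports whether the base register, here the Structure pointer the preceding loadPtr produced, was null. The faulting lines and register rows are excerpted from this report; the function names are the example's own.

```python
import re

# Excerpted from the gdb transcripts in this report: faulting instruction plus the
# register rows it needs (ARM `info registers` lines, SH4 `regs` R0-R7/R8-R15 rows).
ARM_FAULT_LINE = "=> 0x3444c6cc: ldr r12, [r9, #32]"
ARM_REGS = """r9 0x0 0
r12 0x3444c6c0 876922560"""
SH4_FAULT_LINE = "=> 0x2c20d7ce: mov.l @(32,r9),r3"
SH4_REGS = """R0-R7 2c15e918 fffffffb 00000000 00000000 2b31500c 2b3aae00 2c15e918 00000007
R8-R15 fffffffb e6e03aee 2c072b90 2c08f6f0 00840b28 000002da 2c072b90 7bc5bf88"""

def parse_arm_regs(text):
    """gdb `info registers` rows such as 'r9 0x0 0' -> {'r9': 0}."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(r\d+|sp|lr|pc)\s+0x([0-9a-fA-F]+)", line)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 16)
    return regs

def parse_sh4_regs(text):
    """sh4 `regs` rows such as 'R8-R15 v8 v9 ... v15' -> {'r8': v8, 'r9': v9, ...}."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"\s*R(\d+)-R\d+\s+((?:[0-9a-fA-F]{8}\s*)+)$", line)
        if m:
            for i, word in enumerate(m.group(2).split()):
                regs["r%d" % (int(m.group(1)) + i)] = int(word, 16)
    return regs

def parse_load(line):
    """Return (base_register, displacement) of a load's memory operand."""
    m = re.search(r"\[(r\d+|sp)(?:,\s*#(-?\d+))?\]", line)  # ARM: [rY, #imm] or [rY]
    if m:
        return m.group(1), int(m.group(2) or 0)
    m = re.search(r"@\((\d+),(r\d+)\)", line)               # SH4: @(disp,rY)
    if m:
        return m.group(2), int(m.group(1))
    m = re.search(r"@(r\d+)", line)                          # SH4: @rY
    if m:
        return m.group(1), 0
    raise ValueError("unrecognised memory operand: %r" % line)

def classify(fault_line, regs):
    """Resolve the faulting load's effective address against the register dump."""
    base, disp = parse_load(fault_line)
    base_value = regs[base]  # KeyError if the dump does not contain the base register
    # In this report disp 32 is the Structure::classInfoOffset() load, so `base` holds
    # the Structure pointer read by the preceding loadPtr from JSCell::structureOffset().
    return {"base": base, "base_value": base_value, "disp": disp,
            "ea": (base_value + disp) & 0xFFFFFFFF, "null_base": base_value == 0}
```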