[Webkit-unassigned] [Bug 147123] New: JavaScriptCore LLInt crash with VS2015RC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 20 14:03:33 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=147123

            Bug ID: 147123
           Summary: JavaScriptCore LLInt crash with VS2015RC
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: Windows 7
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: chris.vno at outlook.com

I have recently been attempting to move to VS2015, which I was discussing on the webkit-dev mailing list:
https://lists.webkit.org/pipermail/webkit-dev/2015-July/027536.html

When compiling with VS2015RC and running my test application, I'm finding that most websites (facebook.com, for example) crash in the LowLevelInterpreterWin.asm code identified by LowLevelInterpreter.asm:476:
  ; --------------------------------------------------------------------
  ; offlineasm-generated MASM (x64) excerpt as pasted by the reporter.
  ; The label names suggest this is the fast path of the LLInt doCall
  ; opcode; the trailing comments are the generator's back-references
  ; into the llint .asm sources.
  ; Register roles below are inferred from the addressing patterns in
  ; this excerpt only: r8 looks like an instruction/operand base and rsi
  ; the index into it, rbp the current call frame. NOTE(review): confirm
  ; against the llint sources -- none of this is established here.
  ; rdx (call target base) and rax (stored after the call) are produced
  ; outside this excerpt; the function also continues before the label.
  ; --------------------------------------------------------------------
  _offlineasm_doCall__177_loadConstantOrVariable__done:
    ; Fast-path guard: if rbx and rcx differ, leave for the slow path.
    cmp rbx, rcx                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1798
    jne _offlineasm_doCall__opCallSlow
    ; rbx = sign-extended 32-bit operand at [r8 + rsi*8 + 32].
    movsxd rbx, dword ptr [32 + r8 + rsi * 8]                ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
    ; 32-bit shift: rbx = operand * 8 with the upper 32 bits cleared, so
    ; a negative operand would become a large positive value in rbx.
   sal ebx, 3                                               ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1800
    ; rbx = rbp - operand*8: an address below the current frame.
    neg rbx                                                  ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1801
    add rbx, rbp                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1802
    ; Store rcx (the value compared above) into the new frame at +24.
    mov qword ptr [24 + rbx], rcx                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1803
    ; rcx = sign-extended 32-bit operand at [r8 + rsi*8 + 24].
    movsxd rcx, dword ptr [24 + r8 + rsi * 8]                ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
    ; Save the low 32 bits of rsi in the current frame at +36; it is
    ; reloaded from this slot after the call below.
    mov dword ptr [36 + rbp], esi                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1805
    mov dword ptr [32 + rbx], ecx                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1806
    add rbx, 16                                              ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1807
    ; Switch rsp to the new frame and call indirectly through the qword
    ; at [rdx + 32]; rdx was loaded before this label. This call is the
    ; instruction the reporter identifies as the crash site
    ; (LowLevelInterpreter.asm:476).
    ; NOTE(review): a Win64 callee expects rsp 16-byte aligned at the
    ; call plus 32 bytes of caller-owned shadow space; whether rbx
    ; satisfies that depends on rbp and the operand value, neither of
    ; which is visible here -- confirm before attributing the crash.
    mov rsp, rbx                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:472
    call qword ptr [32 + rdx]                                ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:476
    ; After return: rcx = qword at [rbp + 16];
    ; rdi = (zero-extended dword at [rcx + 56]) * 8 + 64.
    mov rcx, qword ptr [16 + rbp]                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:461
    mov edi, dword ptr [56 + rcx]                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:449
    sal rdi, 3                                               ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:450
    add rdi, 64                                              ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:451
    ; Re-establish the stack pointer rdi bytes below rbp.
    mov rsp, rbp                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:456
    sub rsp, rdi
    ; Restore rsi from the slot saved above; rebuild
    ; r8 = *(*(rbp + 16) + 104).
    mov esi, dword ptr [36 + rbp]                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:45
    mov r8, qword ptr [16 + rbp]                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:46
    mov r8, qword ptr [104 + r8]                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:47
    ; rdx = sign-extended 32-bit operand at [r8 + rsi*8 + 8]; store rax
    ; (presumably the call result) into the frame at [rbp + rdx*8].
    movsxd rdx, dword ptr [8 + r8 + rsi * 8]                 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
    mov qword ptr [0 + rbp + rdx * 8], rax                   ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:49
    ; Also store rax at +16 of the qword loaded from [r8 + rsi*8 + 64].
    mov rcx, qword ptr [64 + r8 + rsi * 8]                   ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:118
    mov qword ptr [16 + rcx], rax                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:491
    ; Advance rsi by 9 slots and dispatch through the qword at
    ; [r8 + rsi*8] -- an indirect, data-driven jump.
    add rsi, 9                                               ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:31
    jmp qword ptr [0 + r8 + rsi * 8]                         ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:27

I tried regenerating the asm files but still have the issue. I expect that some updates need to be made to the asm generator for VS2015; unfortunately, I don't have the expertise to validate/update the asm generator. Have you found this issue too? Any suggestions on how to correct the crash?


