[Webkit-unassigned] [Bug 150580] New: REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 26 16:28:14 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=150580

            Bug ID: 150580
           Summary: REGRESSION (r191360): Crash:
                    com.apple.WebKit.WebContent at
                    com.apple.JavaScriptCore: JSC::FTL:: + 386
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

To reproduce:
1. go to maps.google.com
2. type "Paris" in search field, submit
3. type "London" in search field, submit

In the debugger, I can see that we are crashing at:
'WebCore: Worker', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010c97b877 JavaScriptCore`::WTFCrash() + 39 at Assertions.cpp:321
  * frame #1: 0x000000010c32fb6b JavaScriptCore`JSC::FTL::(anonymous namespace)::recoveryFor(value=0x0000000130bcff40, record=0x000000012caf1660, stackmaps=0x000000012f6cad80) + 539 at FTLJSTailCall.cpp:79
    frame #2: 0x000000010c32eeae JavaScriptCore`JSC::FTL::JSTailCall::emit(this=0x000000013407ef00, jitCode=0x000000012f6cac80, jit=0x00007000007b8c08) + 830 at FTLJSTailCall.cpp:261
    frame #3: 0x000000010c2fb313 JavaScriptCore`JSC::FTL::fixFunctionBasedOnStackMaps(state=0x00007000007ba788, codeBlock=0x00000001314c8700, jitCode=0x000000012f6cac80, generatedFunction=0x0000409246d78ee0, recordMap={ size = 0, capacity = 0 })(JSC::ExecState*), WTF::HashMap<unsigned int, WTF::Vector<JSC::FTL::StackMaps::RecordAndIndex, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::IntHash<unsigned int>, WTF::UnsignedWithZeroKeyHashTraits<unsigned int>, WTF::HashTraits<WTF::Vector<JSC::FTL::StackMaps::RecordAndIndex, 0ul, WTF::CrashOnOverflow, 16ul> > >&) + 15171 at FTLCompile.cpp:691
    frame #4: 0x000000010c2f6e63 JavaScriptCore`JSC::FTL::compile(state=0x00007000007ba788, safepointResult=0x00007000007ba8f8) + 4259 at FTLCompile.cpp:920
...

The RELEASE_ASSERT in question is found in:
ValueRecovery recoveryFor(const ExitValue& value, StackMaps::Record& record, StackMaps& stackmaps)
{
    switch (value.kind()) {
...
    case ExitValueArgument: {
        auto location =
            FTL::Location::forStackmaps(&stackmaps, record.locations[value.exitArgument().argument()]);
        auto format = value.exitArgument().format();

        switch (location.kind()) {
        case Location::Register:
            // We handle the addend outside
            return ValueRecovery::inRegister(location.dwarfReg().reg(), format);

        case Location::Indirect:
            // Oh LLVM, you crazy...
            RELEASE_ASSERT(location.dwarfReg().reg() == Reg(MacroAssembler::framePointerRegister));
 ==>        RELEASE_ASSERT(!(location.offset() % sizeof(void*)));
            return ValueRecovery::displacedInJSStack(VirtualRegister { static_cast<int>(location.offset() / sizeof(void*)) }, format);

        case Location::Constant:
            return ValueRecovery::constant(JSValue::decode(location.constant()));

        default:
            RELEASE_ASSERT_NOT_REACHED();
        }
    }
...
}

The location (from elsewhere in the debug output) is (Indirect, %rbp, off:-84, size:4).  Clearly the address is not 8 byte aligned.  It is a 4 byte value that is naturally aligned.  Looks like we need teach the call frame shuffler to handle such cases.  Currently the FTL tail call code allows 32 bit integers and booleans to be saved on the stack as 32 bit values.  The Call Frame shuffler properly boxes these values, but represents their stack location as a VirtualRegister.

In preparing a test case, I ran across another related issue.
ASSERTION FAILED: !isUndecided()
/Volumes/Data/src/webkit/Source/JavaScriptCore/jit/CallFrameShuffler.cpp(309) : void JSC::CallFrameShuffler::extendFrameIfNeeded()
1   0x10909b870 WTFCrash
2   0x10859a044 JSC::CallFrameShuffler::extendFrameIfNeeded()
3   0x108599ede JSC::CallFrameShuffler::spill(JSC::CachedRecovery&)
4   0x10859fa7f void JSC::CallFrameShuffler::ensureRegister<JSC::CallFrameShuffler::ensureGPR()::'lambda'(JSC::CachedRecovery const&)>(JSC::CallFrameShuffler::ensureGPR()::'lambda'(JSC::CachedRecovery const&) const&)
5   0x10859f8fd JSC::CallFrameShuffler::ensureGPR()
6   0x10859d069 JSC::CallFrameShuffler::acquireGPR()
7   0x10859aed4 JSC::CallFrameShuffler::prepareForTailCall()
8   0x108a4f7da JSC::FTL::JSTailCall::emit(JSC::FTL::JITCode&, JSC::CCallHelpers&)
...

I'll address that issue with this bug as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20151026/11e72c2c/attachment-0001.html>

More information about the webkit-unassigned mailing list