[Webkit-unassigned] [Bug 159720] [ARM] ASSERTION FAILED: linkBuffer.isValid() in InlineAccess.cpp:291

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 14 04:12:00 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=159720

Csaba Osztrogonác <ossy at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ossy at webkit.org

--- Comment #1 from Csaba Osztrogonác <ossy at webkit.org> ---
InlineAccess.cpp
=================
template <typename Function>
ALWAYS_INLINE static bool linkCodeInline(const char* name, CCallHelpers& jit, StructureStubInfo& stubInfo, const Function& function)
{
    if (jit.m_assembler.buffer().codeSize() <= stubInfo.patch.inlineSize) {
        bool needsBranchCompaction = false;
        LinkBuffer linkBuffer(jit, stubInfo.patch.start.dataLocation(), stubInfo.patch.inlineSize, JITCompilationMustSucceed, needsBranc
hCompaction);
        ASSERT(linkBuffer.isValid()); <=================== BANG!
        function(linkBuffer);
        FINALIZE_CODE(linkBuffer, ("InlineAccessType: '%s'", name));
        return true;
    }
...

LinkBuffer.h
=============
bool didFailToAllocate() const
{
    return !m_didAllocate;
}

bool isValid() const
{
    return !didFailToAllocate();
}

====
linkBuffer.isValid() is to ensure that LinkBuffer() constructor 
call sets its m_didAllocate member to true, but it isn't set.

- LinkBuffer::LinkBuffer(...) calls LinkBuffer::linkCode(...)
- LinkBuffer::linkCode(...) calls LinkBuffer::allocate(...)
- LinkBuffer::allocate(...):  initialSize = 12 > m_size = 4
and that's why allocate returns at the beginning without
allocation and setting m_didAllocate to true.

m_code = 0xb27ca808

Dump of assembler code from 0xb27ca808 to 0xb27ca860:
   0xb27ca808:  b       0xb27ca8b0
   0xb27ca80c:  nop                     ; (mov r0, r0)
   0xb27ca810:  nop                     ; (mov r0, r0)
   0xb27ca814:  nop                     ; (mov r0, r0)
   0xb27ca818:  nop                     ; (mov r0, r0)
   0xb27ca81c:  nop                     ; (mov r0, r0)
   0xb27ca820:  nop                     ; (mov r0, r0)
   0xb27ca824:  nop                     ; (mov r0, r0)
   0xb27ca828:  nop                     ; (mov r0, r0)
   0xb27ca82c:  nop                     ; (mov r0, r0)
   0xb27ca830:  nop                     ; (mov r0, r0)
   0xb27ca834:  nop                     ; (mov r0, r0)
   0xb27ca838:  ldr     r0, [r11, #32]
   0xb27ca83c:  ldr     r1, [r11, #36]  ; 0x24
   0xb27ca840:  tst     sp, #15
   0xb27ca844:  beq     0xb27ca850
   0xb27ca848:  mov     r6, #100        ; 0x64
   0xb27ca84c:  bkpt    0x0000
   0xb27ca850:  mov     sp, r11
   0xb27ca854:  pop     {r11}           ; (ldr r11, [sp], #4)
   0xb27ca858:  pop     {lr}            ; (ldr lr, [sp], #4)
   0xb27ca85c:  bx      lr


I think the assertion is simply incorrect in this case and should be removed.
But I don't understand exactly the original change, please let me know
if I misunderstood this bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160714/dc115702/attachment.html>

More information about the webkit-unassigned mailing list