[Webkit-unassigned] [Bug 160291] New: [ARM] REGRESSION(r203786): jit.m_assembler.buffer().codeSize() <= static_cast<size_t>(m_inlineSize)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 28 04:57:35 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=160291

            Bug ID: 160291
           Summary: [ARM] REGRESSION(r203786):
                    jit.m_assembler.buffer().codeSize() <=
                    static_cast<size_t>(m_inlineSize)
    Classification: Unclassified
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Critical
          Priority: P1
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ossy at webkit.org
                CC: mark.lam at apple.com, sbarati at apple.com
            Blocks: 108645, 160110

https://trac.webkit.org/changeset/203786 changed the IC code and made zillion tests assert/crash again. :(
Before r203786, almost all tests passed with the patch in https://bugs.webkit.org/show_bug.cgi?id=159720 .
But after r203786 I got the following assert:

ASSERTION FAILED: jit.m_assembler.buffer().codeSize() <= static_cast<size_t>(m_inlineSize)
../../Source/JavaScriptCore/jit/JITMathIC.h(135) : JSC::JITMathIC<Generator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr)::<lambda()> [with GeneratorType = JSC::JITAddGenerator]
1   0xb64318e0 WTFCrash
2   0xb5f3efb8 JSC::JITMathIC<JSC::JITAddGenerator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr)::{lambda()#1}::operator()() const
3   0xb5f3f438 JSC::JITMathIC<JSC::JITAddGenerator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr)
4   0xb5f35d1c
Segmentation fault

---
jit.m_assembler.buffer().codeSize() = 12
static_cast<size_t>(m_inlineSize) = 4

Could you give me some hint what changed here? 
Why isn't there enough space to use ldr + b + immediate (12 bytes) for jump?

Could you share me how long will you work refactoring this IC thing?
I won't have time to fix new and new regressions every day. Maybe I 
simply let ARMAssembler completely broken until you finish this 
development, and then try to debug all regression. Maybe let it
broken forever, who knows.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160728/4a9e1739/attachment.html>

More information about the webkit-unassigned mailing list