[Webkit-unassigned] [Bug 157340] REGRESSION(r200383): It made all JSC stress tests crash on ARMv7 Thumb2

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 4 03:14:21 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=157340

Csaba Osztrogonác <ossy at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ossy at webkit.org

--- Comment #1 from Csaba Osztrogonác <ossy at webkit.org> ---
Here is a release backtrace:

$ ./jsc
Illegal instruction (core dumped)
linaro at linaro-alip:/ramdisk/thumb2/jsc-stress-results/.vm/JavaScriptCore.framework/Resources$ gdb ./jsc core
GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./jsc...(no debugging symbols found)...done.
[New LWP 23648]
[New LWP 23655]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Core was generated by `./jsc'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0xb6cd1b7c in JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&) ()
   from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1
(gdb) bt
#0  0xb6cd1b7c in JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&) ()
   from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#1  0xb6c5080e in JSC::ArrayPrototype::finishCreation(JSC::VM&, JSC::JSGlobalObject*) ()
   from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#2  0x7e78c0b6 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)


disassembly:

...

   0xb6cd1b70 <JSC::getTemplateObject(JSC::ExecState*)+28>: mvnne.w r1, #4
   0xb6cd1b74 <JSC::getTemplateObject(JSC::ExecState*)+32>: mvneq.w r1, #5
   0xb6cd1b78 <JSC::getTemplateObject(JSC::ExecState*)+36>: pop     {r3, pc}
   0xb6cd1b7a:  nop
=> 0xb6cd1b7c <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+0>:  str.w   r4, [sp, #-20]!
   0xb6cd1b80 <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+4>:  strd    r5, r6, [sp, #4]
   0xb6cd1b84 <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+8>:  ldr     r5, [pc, #132]        ; (0xb6cd1c0c <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+144>)

...
