[Webkit-unassigned] [Bug 229235] New: REGRESSION(r??????): Crash in JSC::FTL::saveAllRegisters

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 18 06:30:16 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=229235

            Bug ID: 229235
           Summary: REGRESSION(r??????): Crash in
                    JSC::FTL::saveAllRegisters
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

Unfortunately I've had to downgrade WebKitGTK 2.33.3 (r281074) -> 2.33.2 (r278597) in the GNOME runtime due to an FTL crash. This occurs 100% of the time when loading any article on https://arstechnica.com/. It also occurs 100% of the time when loading chat rooms in https://gnome.element.io/.

(gdb) bt
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ff13f048867 in __GI_abort () at abort.c:79
#2  0x00007ff13d6ef668 in std::__replacement_assert(char const*, int, char const*, char const*)
    (__file=<optimized out>, __line=<optimized out>, __function=<optimized out>, __condition=<optimized out>)
    at /usr/include/c++/11.1.0/x86_64-unknown-linux-gnu/bits/c++config.h:504
#3  0x00007ff13df0c63c in std::array<unsigned int, 1ul>::operator[](unsigned long) const (this=0x7fef83ac91d0, __n=0)
    at /usr/include/c++/11.1.0/array:193
#4  std::array<unsigned int, 1ul>::operator[](unsigned long) const (__n=<optimized out>, this=<optimized out>)
    at /usr/include/c++/11.1.0/array:193
#5  WTF::Bitmap<32ul, unsigned int>::get(unsigned long, WTF::Dependency) const
    (dependency=..., n=<optimized out>, this=<optimized out>) at WTF/Headers/wtf/Bitmap.h:164
#6  JSC::RegisterSet::get(JSC::Reg) const (reg=..., this=<optimized out>)
    at ../Source/JavaScriptCore/jit/RegisterSet.h:99
#7  JSC::FTL::(anonymous namespace)::Regs::Regs (this=<optimized out>)
    at ../Source/JavaScriptCore/ftl/FTLSaveRestore.cpp:83
#8  JSC::FTL::saveAllRegisters(JSC::AssemblyHelpers&, char*)
    (jit=..., scratchMemory=scratchMemory at entry=0x7ff1368609c8 "\360\206a\304\360\177")
    at ../Source/JavaScriptCore/ftl/FTLSaveRestore.cpp:111
#9  0x00007ff13df14071 in JSC::FTL::genericGenerationThunkGenerator(JSC::VM&, JSC::FunctionPtr<(WTF::PtrTag)1>, char const*, unsigned int, JSC::FTL::FrameAndStackAdjustmentRequirement, JSC::PtrTag)
    (vm=<optimized out>, generationFunction=..., name=<optimized out>, extraPopsToRestore=<optimized out>, frameAndStackAdjustmentRequirement=(unknown: 0x83ac92c0), resultTag=<optimized out>)
    at ../Source/JavaScriptCore/ftl/FTLThunks.cpp:81
#10 0x00007ff13df14a26 in JSC::FTL::osrExitGenerationThunkGenerator(JSC::VM&) (vm=<optimized out>)
    at WTF/Headers/wtf/PtrTag.h:308
#11 0x00007ff13e0af39e in operator() (__closure=<synthetic pointer>)
    at ../Source/JavaScriptCore/jit/JITThunks.cpp:170
#12 JSC::JITThunks::ctiStubImpl<JSC::JITThunks::ctiStub(JSC::VM&, JSC::ThunkGenerator)::<lambda()> >(JSC::ThunkGenerator, struct {...}) (this=0x7ff136aabf28, key=<optimized out>, generateThunk=...)
    at ../Source/JavaScriptCore/jit/JITThunks.cpp:159
#13 0x00007ff13e0af5c2 in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&)) (this=<optimized out>, vm=<optimized out>, generator=<optimized out>)
    at ../Source/JavaScriptCore/jit/JITThunks.cpp:169
#14 0x00007ff13e527f52 in JSC::VM::getCTIStub(JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))
    (this=<optimized out>, generator=<optimized out>) at /usr/include/c++/11.1.0/bits/unique_ptr.h:173
#15 0x00007ff13defce84 in operator() (linkBuffer=<optimized out>, __closure=<optimized out>)
    at ../Source/JavaScriptCore/ftl/FTLOSRExitHandle.cpp:52
#16 WTF::SharedTaskFunctor<void(JSC::LinkBuffer&), JSC::FTL::OSRExitHandle::emitExitThunk(JSC::FTL::State&, JSC::CCallHelpers&)::<lambda(JSC::LinkBuffer&)> >::run(JSC::LinkBuffer &) (this=0x7ff0446795a0, arguments#0=...)
    at WTF/Headers/wtf/SharedTask.h:91
#17 0x00007ff13d786900 in JSC::LinkBuffer::performFinalization() (this=this at entry=0x7ff084007fa0)
    at ../Source/JavaScriptCore/assembler/LinkBuffer.cpp:476
#18 0x00007ff13d786979 in JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl() (this=0x7ff084007fa0)
    at ../Source/JavaScriptCore/assembler/LinkBuffer.cpp:71
#19 0x00007ff13df033f8 in JSC::LinkBuffer::finalizeCodeWithoutDisassembly<(WTF::PtrTag)357>() (this=<optimized out>)
    at ../Source/JavaScriptCore/assembler/LinkBuffer.h:310
#20 JSC::FTL::link(JSC::FTL::State&) (state=...) at ../Source/JavaScriptCore/ftl/FTLLink.cpp:165
#21 0x00007ff13dc47903 in JSC::DFG::Plan::compileInThreadImpl() (this=0x7ff084043c40)
    at ../Source/JavaScriptCore/dfg/DFGPlan.cpp:476
#22 0x00007ff13e08be76 in JSC::JITPlan::compileInThread(JSC::JITWorklistThread*)
    (this=0x7ff084043c40, thread=thread at entry=0x7ff084418cf0) at ../Source/JavaScriptCore/jit/JITPlan.cpp:165
#23 0x00007ff13e0dad8a in JSC::JITWorklistThread::work() (this=0x7ff084418cf0)
    at ../Source/JavaScriptCore/jit/JITWorklistThread.cpp:123
#24 0x00007ff13e767a39 in operator() (__closure=<optimized out>) at ../Source/WTF/wtf/AutomaticThread.cpp:229
#25 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(const WTF::AbstractLocker&)::<lambda()>, void>::call(void) (this=0x7ff084091a50) at ../Source/WTF/wtf/Function.h:53
#26 0x00007ff13e78ad5e in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>)
    at ../Source/WTF/wtf/Function.h:79
#27 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7ff0840923f0)
    at ../Source/WTF/wtf/Threading.cpp:187
#28 0x00007ff13e7e76dd in WTF::wtfThreadEntryPoint(void*) (context=<optimized out>)
    at ../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#29 0x00007ff13cff53ba in start_thread (arg=0x7fef83acb640) at pthread_create.c:481
#30 0x00007ff13f127ad3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I'll attach a full backtrace as well.

Unfortunately I am *not* able to reproduce this crash with my local build of WebKit trunk outside flatpak. I'll try building r281074 to see if I can reproduce there. I can only bisect it if I can reproduce it in my own local build.
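The abort in frames #2 to #5 is libstdc++'s `_GLIBCXX_ASSERTIONS` subscript check (`std::__replacement_assert`) on the single-word `std::array` inside `WTF::Bitmap<32, unsigned int>`, reached from `RegisterSet::get(Reg)` with a register index the bitmap cannot hold. As an added example, not WebKit's code, a minimal bitmap of the same shape shows where that boundary lies and a checked accessor that reports the out-of-range index instead of reading past the array; `FixedBitmap`, `setThenGet32` and the exact index arithmetic are assumptions for illustration.

```cpp
// Added example, not WebKit code: a fixed-size bitmap shaped like
// WTF::Bitmap<32, unsigned int> from frame #5 (one 32-bit word), to show which
// check the backtrace is failing. Word/bit arithmetic is the conventional
// layout (word = n / bitsPerWord, bit = n % bitsPerWord), not WTF's source.
#include <array>
#include <climits>
#include <cstddef>
#include <optional>

template <size_t bitmapSize, typename WordType = unsigned int>
class FixedBitmap {
    static constexpr size_t wordSize = sizeof(WordType) * CHAR_BIT;
    static constexpr size_t words = (bitmapSize + wordSize - 1) / wordSize;
    std::array<WordType, words> bits {};   // bitmapSize == 32 -> words == 1

public:
    static constexpr size_t size() { return bitmapSize; }

    // Unchecked form, as plain operator[] on std::array: with _GLIBCXX_ASSERTIONS
    // (the std::__replacement_assert in frame #2) an index >= bitmapSize aborts
    // here; without assertions it is a silent out-of-bounds read.
    bool getUnchecked(size_t n) const {
        return ((bits[n / wordSize] >> (n % wordSize)) & 1) != 0;
    }

    // Checked form: refuse an index the bitmap cannot hold before touching memory.
    std::optional<bool> get(size_t n) const {
        if (n >= bitmapSize)
            return std::nullopt;
        return ((bits[n / wordSize] >> (n % wordSize)) & 1) != 0;
    }

    bool set(size_t n) {
        if (n >= bitmapSize)
            return false;
        bits[n / wordSize] |= WordType(1) << (n % wordSize);
        return true;
    }
};

// Round trip on the trace's bitmap type: set bit n, then read it back.
// Index 32 maps to word 1, which a 32-bit bitmap does not have, so the
// checked accessor returns std::nullopt instead of reading past the array.
std::optional<bool> setThenGet32(size_t n) {
    FixedBitmap<32> b;
    b.set(n);          // ignored for out-of-range n
    return b.get(n);
}
```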
