[Webkit-unassigned] [Bug 229826] [JSC] Implement Temporal.Instant

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 6 02:29:20 PDT 2021


--- Comment #18 from Yusuke Suzuki <ysuzuki at apple.com> ---
 (In reply to Philip Chimento from comment #16)
> (In reply to Yusuke Suzuki from comment #14)
> > > Source/JavaScriptCore/runtime/ISO8601.h:88
> > > +    constexpr ExactTime(const ExactTime& other) : m_epochNanoseconds(other.m_epochNanoseconds) { }
> > 
> > This is not necessary.
> I remembered why I put this in; it seems that Clang doesn't correctly
> generate the copy constructor when we have a __int128 member. I've added a
> comment explaining why this "useless" copy constructor is here, and will try
> to isolate a minimum reproducible example and hopefully report a Clang bug.
> (Or find out what my mistake was :-)

I think I have probably found what is happening. This statement itself is not related, so let's remove that. The problem is that `alignof(__int128_t)` is 16!, which is probably the only data type we usually see with that.
JSC GC-managed objects are allocated with 8-byte alignment (for MarkedBlock allocations, it is 16-byte aligned, but for PreciseAllocation, it is 8-byte aligned, and the first several objects of the same type can be allocated from PreciseAllocation). This means that the 16-byte alignment requirement can be broken.

I reproduced JSC EWS crash locally. And the crash is

    0x102ecb2f4 <+164>: jne    0x102ecb325               ; <+213> at TemporalInstant.cpp:351:20
    0x102ecb2f6 <+166>: xorl   %eax, %eax
    0x102ecb2f8 <+168>: movq   %rax, -0x80(%rbp)
    0x102ecb2fc <+172>: jmp    0x102ecb344               ; <+244> at TemporalInstant.cpp:355:26
->  0x102ecb2fe <+174>: movaps 0x10(%r12), %xmm0
    0x102ecb304 <+180>: movaps %xmm0, -0x70(%rbp)
    0x102ecb308 <+184>: leaq   -0x70(%rbp), %rsi
    0x102ecb30c <+188>: movabsq $0x100000009, %r8         ; imm = 0x100000009
    0x102ecb316 <+198>: movl   $0x2, %ecx

And r12 is 0x00000001005958d8. So 0x10(%r12) is not 16-byte aligned, while the compiler is using movaps since it assumes that TemporalInstant is allocated 16-byte aligned, but it is not.

For now, you can just try a simple way like this: https://gist.github.com/Constellation/71dd37e75b013e3130104e64a85e254b
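The following is an added illustration of the alignment problem described in this comment; it is not code from JSC or from the patch under review, and it does not claim to reproduce the linked gist. `WideExactTime` is an assumed stand-in for a GC cell holding epoch nanoseconds as one `__int128`, `EightByteAlignedArena` is a toy bump allocator that models an 8-byte-aligned PreciseAllocation (an assumption for illustration, not JSC's allocator), and `NarrowExactTime` shows one way to keep the value in two 64-bit halves so the cell only needs 8-byte alignment. The `static_assert`s make the root cause visible at compile time: any struct containing `__int128` inherits its 16-byte alignment, so an allocator that guarantees only 8 bytes can hand back addresses for which the compiler's `movaps` loads are illegal.

```cpp
#include <cstddef>
#include <cstdint>

__extension__ typedef __int128 Int128;
__extension__ typedef unsigned __int128 UInt128;

// Assumed stand-in for a GC cell storing epoch nanoseconds as a single 128-bit
// integer (mirrors the shape of the ExactTime discussed above; not JSC code).
struct WideExactTime {
    Int128 m_epochNanoseconds;
};
static_assert(alignof(Int128) == 16, "x86-64 and arm64 ABIs align __int128 to 16 bytes");
static_assert(alignof(WideExactTime) == 16, "the member's alignment propagates to the whole cell");

// Alternative layout: two 64-bit halves. Same size, but only 8-byte alignment,
// so an 8-byte-aligned allocator can never hand back an address the compiler
// is not allowed to load from. Widen to Int128 only in registers for arithmetic.
struct NarrowExactTime {
    uint64_t m_low;
    int64_t m_high;

    static NarrowExactTime fromInt128(Int128 v)
    {
        NarrowExactTime t;
        t.m_low = static_cast<uint64_t>(static_cast<UInt128>(v));
        t.m_high = static_cast<int64_t>(v >> 64); // arithmetic shift on gcc/clang
        return t;
    }

    Int128 toInt128() const
    {
        UInt128 u = (static_cast<UInt128>(static_cast<uint64_t>(m_high)) << 64) | m_low;
        return static_cast<Int128>(u);
    }
};
static_assert(sizeof(NarrowExactTime) == 16, "same storage as the wide form");
static_assert(alignof(NarrowExactTime) == 8, "but only 8-byte alignment is required");

// Toy bump allocator that guarantees 8-byte alignment only, modelling the
// comment's description of PreciseAllocation (an assumption, not JSC's allocator).
// The first cell is deliberately placed at a 16n+8 address.
class EightByteAlignedArena {
public:
    void* allocate(size_t bytes)
    {
        size_t rounded = (bytes + 7) & ~static_cast<size_t>(7);
        if (m_offset + rounded > sizeof(m_storage))
            return nullptr;
        void* cell = m_storage + m_offset;
        m_offset += rounded;
        return cell;
    }

private:
    alignas(16) unsigned char m_storage[512];
    size_t m_offset = 8;
};

// True when p satisfies alignof(T); this is exactly the precondition that a
// compiler-emitted movaps on a T member relies on.
template<typename T>
bool isAlignedFor(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) % alignof(T) == 0;
}

// Allocates `count` cells of T from an 8-byte-aligned arena and returns how many
// of them would be illegal to use as a T. For WideExactTime every cell is
// misaligned; for NarrowExactTime none is.
template<typename T>
size_t countMisalignedCells(size_t count)
{
    EightByteAlignedArena arena;
    size_t misaligned = 0;
    for (size_t i = 0; i < count; ++i) {
        void* cell = arena.allocate(sizeof(T));
        if (!cell)
            break;
        if (!isAlignedFor<T>(cell))
            ++misaligned;
    }
    return misaligned;
}
```

The check in `isAlignedFor` is the same test a debug allocator can apply at allocation time; asserting it in the constructor path of any 16-byte-aligned GC type turns the `movaps` fault into a clear assertion at the allocation that violated the contract.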
