[Webkit-unassigned] [Bug 244952] New: [JSC] Crash on ARMv7 due to DFG OSR exit code

Thu Sep 8 16:37:09 PDT 2022

https://bugs.webkit.org/show_bug.cgi?id=244952

            Bug ID: 244952
           Summary: [JSC] Crash on ARMv7 due to DFG OSR exit code
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

Created attachment 462214

  --> https://bugs.webkit.org/attachment.cgi?id=462214&action=review

Crash reproduction file

It's possible to trigger a segfault while running the attached JS file (minimized from a much larger example contained in the Wasm GC tests, thanks to Mikhail Gadelha) on ARMv7 JSC:

```
# example of how to run the crashing test
$ ~/WebKit/WebKitBuild/Debug/bin/jsc --thresholdForJITAfterWarmUp=45 --thresholdForOptimizeAfterWarmUp=21 -m crash.js
Segmentation fault
```

This bug appears to be triggered by a storeCell instruction used in the DFG OSR exit code for reifying inlined call frames. The store itself is reasonable, but the macroassembler on ARMv7 seems to create a register conflict when the memory address for the store takes a particular form, as it triggers a less used codepath in the macroassembler.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220908/08e13c27/attachment.htm>