<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Tail call optimizations lead to crashes on ARM Thumb + Linux"
href="https://bugs.webkit.org/show_bug.cgi?id=150083">150083</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Tail call optimizations lead to crashes on ARM Thumb + Linux
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>zan@falconsigh.net
</td>
</tr>
<tr>
<th>CC</th>
<td>basile_clement@apple.com, msaboff@apple.com, sbarati@apple.com
</td>
</tr></table>
<p>
<div>
<pre>With tail calls enabled in JSC, a SIGILL is hit on some sites when running on ARM Thumb and (if at all relevant due to possibly different call procedures) a Linux OS.
Here's a short gdb inspection of the situation on a release build, loading google.com:
Program received signal SIGILL, Illegal instruction.
0x719c90e4 in ?? ()
(gdb) info registers
r0 0x7eeb2ee0 2129342176
r1 0x0 0
r2 0x73427f60 1933737824
r3 0x10 16
r4 0x73427f60 1933737824
r5 0x6ee8c53f 1860748607
r6 0x0 0
r7 0x7eeb2f78 2129342328
r8 0xfffffffb 4294967291
r9 0x6a8d53c0 1787646912
r10 0xfffffffb 4294967291
r11 0x7eeb33f8 2129343480
r12 0x719c90e2 1906086114
sp 0x7eeb2ee0 0x7eeb2ee0
lr 0x719a7c9d 1905949853
pc 0x719c90e4 0x719c90e4
cpsr 0x600b0010 1611333648
(gdb) x /20i $pc
=> 0x719c90e4: ; <UNDEFINED> instruction: 0xf04f466f
0x719c90e8: ; <UNDEFINED> instruction: 0xf8c70c00
0x719c90ec: ; <UNDEFINED> instruction: 0xf645c008
0x719c90f0: vsubhn.i16 d22, <illegal reg q11.5>, q4
0x719c90f4: eorsvs r3, r7, r0, asr #12
0x719c90f8: ldmdbvs r9!, {r3, r4, r5, r9, r10, lr}
0x719c90fc: vmla.i8 q11, q6, q5
0x719c9100: vmull.s8 <illegal reg q9.5>, d23, d1
0x719c9104: ; <UNDEFINED> instruction: 0x47e06c10
0x719c9108: ; <UNDEFINED> instruction: 0xf646469e
0x719c910c: ; <UNDEFINED> instruction: 0xf2c766d4
0x719c9110: ldmdavs r6!, {r6, r9, r10, r12, sp}
0x719c9114: tstle r3, r0, lsl #28
0x719c9118: pop {r0, r2, r3, r4, r5, r7, r9, r10, lr}
0x719c911c: ldrbmi r4, [r0, -r0, lsl #1]!
0x719c9120: strvs pc, [r8], r5, asr #12
0x719c9124: strbcc pc, [r0], -r7, asr #5 ; <UNPREDICTABLE>
0x719c9128: ldmdavs r8!, {r0, r1, r2, r4, r5, sp, lr}
0x719c912c: cmnpl sp, #78643200 ; 0x4b00000
0x719c9130: movwvs pc, #8903 ; 0x22c7 ; <UNPREDICTABLE>
(gdb) x /20i $pc-0x3
0x719c90e1: stmdb sp!, {r7, lr}
0x719c90e5: mov r7, sp
0x719c90e7: mov.w r12, #0
0x719c90eb: str.w r12, [r7, #8]
0x719c90ef: movw r6, #24200 ; 0x5e88
0x719c90f3: movt r6, #29504 ; 0x7340
0x719c90f7: str r7, [r6, #0]
0x719c90f9: mov r0, r7
0x719c90fb: ldr r1, [r7, #16]
0x719c90fd: ldr r2, [r1, #20]
0x719c90ff: movw r12, #50049 ; 0xc381
0x719c9103: movt r12, #30224 ; 0x7610
0x719c9107: blx r12
0x719c9109: mov lr, r3
0x719c910b: movw r6, #28372 ; 0x6ed4
0x719c910f: movt r6, #29504 ; 0x7340
0x719c9113: ldr r6, [r6, #0]
0x719c9115: cmp r6, #0
0x719c9117: bne.n 0x719c9120
0x719c9119: mov sp, r7
(gdb) bt
#0 0x719c90e4 in ?? ()
#1 0x719a7c9c in ?? ()
#2 0x719a7c9c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)</pre>
</div>
</p>
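<p>The register dump above points at an ARM/Thumb interworking fault: CPSR is 0x600b0010, whose Thumb bit (bit 5) is clear, so the core is decoding Thumb-2 code as 32-bit ARM words, and r12 holds 0x719c90e2, an even address that a bx/blx would take as an ARM-state target. The word gdb reports as UNDEFINED at pc, 0xf04f466f, is simply the halfwords of <code>mov r7, sp</code> and the first half of <code>mov.w r12, #0</code> read as one little-endian ARM word. The following script is an added example, not code from the bug report or from JavaScriptCore: it parses the quoted register dump, decodes CPSR, re-reads the Thumb prologue as ARM words, and reports the mismatch. The Thumb-2 encodings are hand-encoded from the ARM architecture manual, and the choice of r12 as the register that carried the tail-call target is an assumption the report does not state.</p>

```python
# Added example, not from the WebKit bug report or from JSC: decode the gdb
# register dump quoted in the report and check the ARM/Thumb interworking
# rules the crash violates.
import re

# Register dump copied from the report's gdb session.
GDB_REGISTER_DUMP = """\
r0 0x7eeb2ee0 2129342176
r1 0x0 0
r2 0x73427f60 1933737824
r3 0x10 16
r4 0x73427f60 1933737824
r5 0x6ee8c53f 1860748607
r6 0x0 0
r7 0x7eeb2f78 2129342328
r8 0xfffffffb 4294967291
r9 0x6a8d53c0 1787646912
r10 0xfffffffb 4294967291
r11 0x7eeb33f8 2129343480
r12 0x719c90e2 1906086114
sp 0x7eeb2ee0 0x7eeb2ee0
lr 0x719a7c9d 1905949853
pc 0x719c90e4 0x719c90e4
cpsr 0x600b0010 1611333648
"""

# Thumb-2 encodings of the first four instructions gdb printed for the same
# bytes when decoding as Thumb; hand-encoded from the ARM ARM (assumption).
THUMB_HALFWORDS = [
    0xe92d, 0x4080,  # stmdb sp!, {r7, lr}
    0x466f,          # mov r7, sp
    0xf04f, 0x0c00,  # mov.w r12, #0
    0xf8c7, 0xc008,  # str.w r12, [r7, #8]
]
CODE_BASE = 0x719c90e0  # word-aligned start of the Thumb prologue in the report

REG_LINE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)\s+\S+$")
CPSR_MODES = {0x10: "User", 0x11: "FIQ", 0x12: "IRQ", 0x13: "Supervisor",
              0x17: "Abort", 0x1b: "Undefined", 0x1f: "System"}


def parse_registers(dump):
    """Map register name -> value from 'name hex ...' lines of gdb's info registers."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def decode_cpsr(value):
    """Condition flags, Thumb state bit (bit 5) and processor mode (bits 4:0)."""
    def bit(n):
        return bool((value >> n) & 1)
    return {"N": bit(31), "Z": bit(30), "C": bit(29), "V": bit(28),
            "T": bit(5), "mode": CPSR_MODES.get(value & 0x1f, "unknown")}


def arm_words(halfwords, base):
    """Re-read a little-endian Thumb halfword stream as the 4-byte ARM words
    the core would fetch if it ran this code with CPSR.T clear."""
    data = b"".join(h.to_bytes(2, "little") for h in halfwords)
    return {base + off: int.from_bytes(data[off:off + 4], "little")
            for off in range(0, len(data) - 3, 4)}


def arm_condition_passes(word, cpsr_value):
    """Evaluate the ARM condition field (bits 31:28) against the CPSR flags.
    Returns None for 0xF, the unconditional space, where most encodings are
    UNDEFINED in user code (the SIGILL seen in the report)."""
    f = decode_cpsr(cpsr_value)
    n, z, c, v = f["N"], f["Z"], f["C"], f["V"]
    table = [z, not z, c, not c, n, not n, v, not v,
             c and not z, (not c) or z, n == v, n != v,
             (not z) and n == v, z or n != v, True, None]
    return table[word >> 28]


def diagnose(regs, branch_reg="r12"):
    """Findings for a suspected bx/blx through branch_reg (which register
    carried the tail-call target is an assumption; the report does not say)."""
    cpsr = decode_cpsr(regs["cpsr"])
    target = regs[branch_reg]
    findings = []
    if not cpsr["T"]:
        findings.append("cpu is in ARM state (CPSR.T clear)")
    if (target & 1) == 0:
        findings.append(f"{branch_reg} bit 0 clear: bx/blx through it selects ARM state")
    if not cpsr["T"] and (target & 1) == 0:
        findings.append("interworking mismatch: Thumb code entered in ARM state")
    return findings


if __name__ == "__main__":
    regs = parse_registers(GDB_REGISTER_DUMP)
    for addr, word in arm_words(THUMB_HALFWORDS, CODE_BASE).items():
        passes = arm_condition_passes(word, regs["cpsr"])
        print(f"{addr:#x}: {word:#010x} condition passes={passes}")
    for finding in diagnose(regs):
        print(finding)
```

<p>Run stand-alone, the script reproduces the two UNDEFINED words gdb printed at 0x719c90e4 and 0x719c90e8 from the Thumb halfwords alone. It also shows why the fault lands at 0x719c90e4 rather than at the aligned start of the prologue: if the jump entered ARM state at 0x719c90e0, the word there (0x4080e92d) carries condition MI, which does not pass with N clear, so it is skipped and the first word in the unconditional 0xF space raises the undefined-instruction exception. When triaging this class of crash, checking the T bit in CPSR against bit 0 of the branch register is the quickest way to distinguish a dropped Thumb bit from corrupted code memory.</p>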
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>