<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [ARM] ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction after r202214"
href="https://bugs.webkit.org/show_bug.cgi?id=159758">159758</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[ARM] ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction after r202214
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>Other
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>ossy@webkit.org
</td>
</tr>
<tr>
<th>Blocks</th>
<td>159408
</td>
</tr></table>
<p>
<div>
<pre>ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction
../../Source/JavaScriptCore/assembler/ARMAssembler.h(866) : static JSC::ARMWord* JSC::ARMAssembler::getLdrImmAddress(JSC::ARMWord*)
#0 0xb648805c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1 0xb5851e28 in JSC::ARMAssembler::getLdrImmAddress (insn=0xb27ca808) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:866
#2 0xb590a10c in JSC::ARMAssembler::patchPointerInternal (from=-1300453368, to=0xb27cab20) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:892
#3 0xb590a23c in JSC::ARMAssembler::linkJump (code=0xb27ca808, from=..., to=0xb27cab20) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:956
#4 0xb590bc88 in JSC::AbstractMacroAssembler<JSC::ARMAssembler, JSC::MacroAssemblerARM>::linkJump (code=0xb27ca808, jump=..., target=...)
at ../../Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:970
#5 0xb590b33c in JSC::LinkBuffer::link (this=0xbeffe4fc, jump=..., label=...) at ../../Source/JavaScriptCore/assembler/LinkBuffer.h:143
#6 0xb5909208 in JSC::InlineAccess::rewireStubAsJump (vm=..., stubInfo=..., target=...) at ../../Source/JavaScriptCore/bytecode/InlineAccess.cpp:291
#7 0xb5fc0824 in JSC::tryCachePutByID (exec=0xbeffe888, baseValue=..., structure=0xb21a7220, ident=..., slot=..., stubInfo=..., putKind=JSC::NotDirect)
at ../../Source/JavaScriptCore/jit/Repatch.cpp:452
#8 0xb5fc0a28 in JSC::repatchPutByID (exec=0xbeffe888, baseValue=..., structure=0xb21a7220, propertyName=..., slot=..., stubInfo=...,
putKind=JSC::NotDirect) at ../../Source/JavaScriptCore/jit/Repatch.cpp:463
#9 0xb5f88c50 in JSC::operationPutByIdNonStrictOptimize (exec=0xbeffe888, stubInfo=0xb2590d80, encodedValue=-18486637472, encodedBase=-18486456960,
uid=0xb259ac78) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:421
#10 0xb27ca8f0 in ?? ()
(gdb) disas 0xb27ca808,+20
Dump of assembler code from 0xb27ca808 to 0xb27ca81c:
0xb27ca808: b 0xb27ca8b0
0xb27ca80c: nop ; (mov r0, r0)
0xb27ca810: nop ; (mov r0, r0)
0xb27ca814: nop ; (mov r0, r0)
0xb27ca818: nop ; (mov r0, r0)
Generated Baseline JIT code for CallSign#A1TBrX:[0xb21aa4b0->0xb21d92c0, BaselineFunctionConstruct, 25], instruction count = 25
Source: function CallSign(value) { this._value = value; }
Code at [0xb27ca5c0, 0xb27cab1c):
disassembly not available for range 0xb27ca5c0...0xb27ca63c
[ 0] enter
disassembly not available for range 0xb27ca63c...0xb27ca700
[ 1] get_scope loc0
disassembly not available for range 0xb27ca700...0xb27ca714
[ 3] mov loc1, loc0
disassembly not available for range 0xb27ca714...0xb27ca724
[ 6] mov loc2, this
disassembly not available for range 0xb27ca724...0xb27ca734
[ 9] create_this this, this, 1, 2988382240
disassembly not available for range 0xb27ca734...0xb27ca7ac
[ 14] put_by_id this, _value(@id0), arg1, String llint(prev = 0xb21a7220, next = 0xb21a71d0 (offset = 0), chain = 0xb21cbea0: [struct = 0xb21a7900, struct = 0xb21f6d20])
disassembly not available for range 0xb27ca7ac...0xb27ca838
[ 23] ret this
disassembly not available for range 0xb27ca838...0xb27ca860
(End Of Main Path)
(S) [ 9] create_this this, this, 1, 2988382240
disassembly not available for range 0xb27ca860...0xb27ca8b0
(S) [ 14] put_by_id this, _value(@id0), arg1, String llint(prev = 0xb21a7220, next = 0xb21a71d0 (offset = 0), chain = 0xb21cbea0: [struct = 0xb21a7900, struct = 0xb21f6d20])
disassembly not available for range 0xb27ca8b0...0xb27ca918
(End Of Slow Path)
disassembly not available for range 0xb27ca918...0xb27caa1c
It seems this branch comes from [14] put_by_id and can't be patched.
Of course, a branch can't be patched. The question is why a branch
was generated here and not a patchable instruction.
Could you give me some hint where this instruction is generated?</pre>
</div>
</p>
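<p>The assertion in the trace fires because <code>getLdrImmAddress</code> expects the word at the patch site to be either an <code>ldr Rd, [pc, #imm]</code> or a <code>blx</code> that follows one, and gdb instead shows a plain <code>b</code> with a fixed 24-bit offset. The decoder below, added here as an illustration and not code from WebKit or the reporter, reproduces that check against the five words from the dump (re-encoded by hand as constructed input) and against a hand-built <code>ldr ip, [pc, #4] ; blx ip</code> sequence, so it is visible why one site is patchable and the other is not. The masks are derived from the ARM A32 encodings and are this example's own constants, not JavaScriptCore's <code>ARMAssembler</code> enum values; the call-site layout is illustrative.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ARMWord;

/* A32 encodings with the condition field (bits 31:28) masked out.
 * Derived from the ARM architecture encodings for this example;
 * these are NOT JavaScriptCore's ARMAssembler constants. */
#define BRANCH_MASK     0x0f000000u
#define B_INSTR         0x0a000000u  /* b   <imm24>              */
#define BL_INSTR        0x0b000000u  /* bl  <imm24>              */
#define BLX_REG_MASK    0x0ffffff0u
#define BLX_REG_INSTR   0x012fff30u  /* blx Rm                   */
#define LDR_PC_MASK     0x0f7f0000u
#define LDR_PC_INSTR    0x051f0000u  /* ldr Rd, [pc, #+/-imm12]  */
#define LDR_UP_BIT      0x00800000u  /* U bit: add (1) or subtract (0) the offset */
#define LDR_OFF_MASK    0x00000fffu

enum site_kind {
    SITE_LDR_PC,         /* ldr Rd, [pc, #imm]: the literal it loads can be rewritten  */
    SITE_BLX_AFTER_LDR,  /* blx Rm preceded by ldr Rm, [pc, #imm]: rewrite the literal  */
    SITE_PLAIN_BRANCH,   /* b/bl with a fixed imm24: the unpatchable case in the report */
    SITE_UNKNOWN
};

static int is_ldr_pc(ARMWord w)  { return (w & LDR_PC_MASK) == LDR_PC_INSTR; }
static int is_blx_reg(ARMWord w) { return (w & BLX_REG_MASK) == BLX_REG_INSTR; }
static int is_b_or_bl(ARMWord w)
{
    return (w & BRANCH_MASK) == B_INSTR || (w & BRANCH_MASK) == BL_INSTR;
}

/* Same order of checks as the failing assertion: accept an ldr from pc
 * directly, accept a blx only if the previous word is such an ldr, and
 * name a plain branch explicitly so the failure mode is diagnosable. */
enum site_kind classify_patch_site(const ARMWord *code, size_t index)
{
    ARMWord w = code[index];
    if (is_ldr_pc(w))
        return SITE_LDR_PC;
    if (is_blx_reg(w))
        return (index > 0 && is_ldr_pc(code[index - 1])) ? SITE_BLX_AFTER_LDR : SITE_UNKNOWN;
    if (is_b_or_bl(w))
        return SITE_PLAIN_BRANCH;
    return SITE_UNKNOWN;
}

/* Target of b/bl: pc reads as address + 8; imm24 is sign-extended and shifted left by 2. */
uint32_t branch_target(uint32_t addr, ARMWord w)
{
    int32_t imm = (int32_t)(w << 8) >> 6;   /* imm24 -> sign-extended imm24 * 4 */
    return addr + 8 + (uint32_t)imm;
}

/* Address of the literal-pool slot read by ldr Rd, [pc, #+/-imm12]. */
uint32_t ldr_pc_literal_address(uint32_t addr, ARMWord w)
{
    uint32_t base = addr + 8;
    uint32_t off = w & LDR_OFF_MASK;
    return (w & LDR_UP_BIT) ? base + off : base - off;
}

/* Constructed input: the five words gdb printed at 0xb27ca808 in the report
 * (b 0xb27ca8b0 followed by four mov r0, r0 nops), re-encoded by hand. */
const uint32_t report_site_addr = 0xb27ca808u;
const ARMWord report_site[5] = { 0xea000028u, 0xe1a00000u, 0xe1a00000u, 0xe1a00000u, 0xe1a00000u };

/* Constructed input: a patchable call site for contrast,
 * ldr ip, [pc, #4] ; blx ip ; nop ; <32-bit literal that a linker rewrites>.
 * The nop only stands in for whatever real code would use to skip the literal. */
const ARMWord patchable_site[4] = { 0xe59fc004u, 0xe12fff3cu, 0xe1a00000u, 0x00000000u };

int main(void)
{
    printf("report site, word 0: kind=%d, b target=0x%08x\n",
           classify_patch_site(report_site, 0),
           branch_target(report_site_addr, report_site[0]));
    printf("patchable site, word 1: kind=%d, literal at site+0x%x\n",
           classify_patch_site(patchable_site, 1),
           ldr_pc_literal_address(0, patchable_site[0]));
    return 0;
}
```

<p>Run against the report's words, <code>classify_patch_site</code> returns <code>SITE_PLAIN_BRANCH</code> for word 0 and <code>branch_target</code> recovers 0xb27ca8b0, matching the gdb line; for the constructed <code>ldr ip, [pc, #4] ; blx ip</code> pair it returns <code>SITE_BLX_AFTER_LDR</code>, which is the shape the assertion is written for. Which emitter produced the <code>b</code> at that site is exactly the open question in the report, so the example stops at the diagnosis.</p>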
</body>
</html>