<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:ossy@webkit.org" title="Csaba Osztrogonác <ossy@webkit.org>"> <span class="fn">Csaba Osztrogonác</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - [ARM] ASSERTION FAILED: linkBuffer.isValid() in InlineAccess.cpp:291"
href="https://bugs.webkit.org/show_bug.cgi?id=159720">bug 159720</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>ossy@webkit.org
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - [ARM] ASSERTION FAILED: linkBuffer.isValid() in InlineAccess.cpp:291"
href="https://bugs.webkit.org/show_bug.cgi?id=159720#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - [ARM] ASSERTION FAILED: linkBuffer.isValid() in InlineAccess.cpp:291"
href="https://bugs.webkit.org/show_bug.cgi?id=159720">bug 159720</a>
from <span class="vcard"><a class="email" href="mailto:ossy@webkit.org" title="Csaba Osztrogonác <ossy@webkit.org>"> <span class="fn">Csaba Osztrogonác</span></a>
</span></b>
<pre>InlineAccess.cpp
=================
template <typename Function>
ALWAYS_INLINE static bool linkCodeInline(const char* name, CCallHelpers& jit, StructureStubInfo& stubInfo, const Function& function)
{
if (jit.m_assembler.buffer().codeSize() <= stubInfo.patch.inlineSize) {
bool needsBranchCompaction = false;
LinkBuffer linkBuffer(jit, stubInfo.patch.start.dataLocation(), stubInfo.patch.inlineSize, JITCompilationMustSucceed, needsBranchCompaction);
ASSERT(linkBuffer.isValid()); <=================== BANG!
function(linkBuffer);
FINALIZE_CODE(linkBuffer, ("InlineAccessType: '%s'", name));
return true;
}
...
LinkBuffer.h
=============
bool didFailToAllocate() const
{
return !m_didAllocate;
}
bool isValid() const
{
return !didFailToAllocate();
}
====
linkBuffer.isValid() is there to ensure that the LinkBuffer() constructor
call sets its m_didAllocate member to true, but it isn't set.
- LinkBuffer::LinkBuffer(...) calls LinkBuffer::linkCode(...)
- LinkBuffer::linkCode(...) calls LinkBuffer::allocate(...)
- LinkBuffer::allocate(...): initialSize = 12 > m_size = 4,
and that's why allocate returns at the beginning without
allocating or setting m_didAllocate to true.
m_code = 0xb27ca808
Dump of assembler code from 0xb27ca808 to 0xb27ca860:
0xb27ca808: b 0xb27ca8b0
0xb27ca80c: nop ; (mov r0, r0)
0xb27ca810: nop ; (mov r0, r0)
0xb27ca814: nop ; (mov r0, r0)
0xb27ca818: nop ; (mov r0, r0)
0xb27ca81c: nop ; (mov r0, r0)
0xb27ca820: nop ; (mov r0, r0)
0xb27ca824: nop ; (mov r0, r0)
0xb27ca828: nop ; (mov r0, r0)
0xb27ca82c: nop ; (mov r0, r0)
0xb27ca830: nop ; (mov r0, r0)
0xb27ca834: nop ; (mov r0, r0)
0xb27ca838: ldr r0, [r11, #32]
0xb27ca83c: ldr r1, [r11, #36] ; 0x24
0xb27ca840: tst sp, #15
0xb27ca844: beq 0xb27ca850
0xb27ca848: mov r6, #100 ; 0x64
0xb27ca84c: bkpt 0x0000
0xb27ca850: mov sp, r11
0xb27ca854: pop {r11} ; (ldr r11, [sp], #4)
0xb27ca858: pop {lr} ; (ldr lr, [sp], #4)
0xb27ca85c: bx lr
I think the assertion is simply incorrect in this case and should be removed.
But I don't exactly understand the original change; please let me know
if I misunderstood this bug.</pre>
</div>
</p>
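The failure path described in the comment (the caller's codeSize() pre-check passes, but the in-place allocation needs a larger initialSize and returns early, leaving m_didAllocate false) can be modelled in a few lines. This is an added illustration, not WebKit's LinkBuffer code: the class, the 12-vs-4 sizes and the reason the two sizes differ are constructed assumptions, and the hardened linkCodeInlineChecked() shows the defensive alternative of treating a failed allocation as "does not fit" and falling back, rather than asserting on isValid().

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of the inline patch slot reserved in emitted JIT code.
struct PatchRegion {
    std::vector<uint8_t> bytes;
    size_t inlineSize() const { return bytes.size(); }
};

// Minimal stand-in for LinkBuffer; member names mirror the comment
// (m_size, m_didAllocate, isValid). Not WebKit's implementation.
class ModelLinkBuffer {
public:
    ModelLinkBuffer(const std::vector<uint8_t>& code, size_t initialSize, PatchRegion& region)
        : m_size(region.inlineSize()), m_region(region)
    {
        allocate(code, initialSize);
    }
    bool didFailToAllocate() const { return !m_didAllocate; }
    bool isValid() const { return !didFailToAllocate(); }

private:
    void allocate(const std::vector<uint8_t>& code, size_t initialSize)
    {
        // Like LinkBuffer::allocate() in the comment: when the required size
        // exceeds the reserved slot, return early without writing anything
        // and without setting m_didAllocate. Valid-looking but unusable.
        if (initialSize > m_size || code.size() > m_size)
            return;
        std::memcpy(m_region.bytes.data(), code.data(), code.size());
        m_didAllocate = true;
    }

    size_t m_size;
    bool m_didAllocate = false;
    PatchRegion& m_region;
};

// Hardened counterpart of linkCodeInline(): a failed in-place allocation is
// reported to the caller (so it can take the out-of-line path) instead of
// being asserted away. The pre-check alone is not enough, because the
// allocation size (initialSize) can exceed the assembler's code size.
bool linkCodeInlineChecked(const std::vector<uint8_t>& code, size_t initialSize, PatchRegion& region)
{
    if (code.size() > region.inlineSize())
        return false; // does not fit by the caller's own measure
    ModelLinkBuffer linkBuffer(code, initialSize, region);
    return linkBuffer.isValid(); // false reproduces the comment's 12 > 4 case
}
```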
</body>
</html>