<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Intermittent failures in wasm-to-wasm.js test"
href="https://bugs.webkit.org/show_bug.cgi?id=166677#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Intermittent failures in wasm-to-wasm.js test"
href="https://bugs.webkit.org/show_bug.cgi?id=166677">bug 166677</a>
from <span class="vcard"><a class="email" href="mailto:jfbastien@apple.com" title="JF Bastien <jfbastien@apple.com>"> <span class="fn">JF Bastien</span></a>
</span></b>
<pre>Repro command line:
(cd ./JSTests/wasm/ && lldb ../../current-release/bin/jsc -- -m --useWebAssembly=1 ./js-api/wasm-to-wasm.js --useConcurrentJIT=0 --useJIT=0 --dumpDisassembly=1)
Top of stack is:
* thread #1: tid = 0x17d55c1, 0x0000474c007e26ad, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x474c007e26ad)
frame #0: 0x0000474c007e26ad
error: memory read failed for 0x474c007e2600
(lldb) btjs
* thread #1: tid = 0x17d55c1, 0x0000474c007e26ad, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, addre0
frame #0: 0x0000474c007e26ad 0x474c64001363
frame #1: 0x0000474c640011be 0x474c64001363
frame #2: 0x0000474c64001363 0x474c640014e3
frame #3: 0x0000474c640014e3 0x474c64001536
frame #4: 0x0000474c64001536 0x1007e16b8
frame #5: 0x00000001007e16b8 JavaScriptCore`vmEntryToJavaScript + 299
frame #6: 0x0000000100b6b6c3 JavaScriptCore`JSC::callWebAssemblyFunction(JSC::ExecState*) + 2355
Frame #1 is at:
Generated JIT code for WebAssembly->JavaScript import[0] I32 (I32, I32):
Code at [0x474c64001140, 0x474c64001220):
0x474c64001140: push %rbp
0x474c64001141: mov %rsp, %rbp
0x474c64001144: mov $0x0, 0x10(%rbp)
0x474c6400114c: mov $0x1045e40a0, %r11
0x474c64001156: mov %r11, 0x18(%rbp)
0x474c6400115a: sub $0x30, %rsp
0x474c6400115e: mov $0xffff000000000000, %r11
0x474c64001168: or %r11, %rdi
0x474c6400116b: mov %rdi, 0x20(%rsp)
0x474c64001170: mov $0xffff000000000000, %r11
0x474c6400117a: or %r11, %rsi
0x474c6400117d: mov %rsi, 0x28(%rsp)
0x474c64001182: mov 0x1033f5500, %rax
0x474c6400118c: mov 0x48(%rax), %rax
0x474c64001190: mov %rax, 0x8(%rsp)
0x474c64001195: mov $0x3, 0x10(%rsp)
0x474c6400119d: mov $0xa, 0x18(%rsp)
0x474c640011a6: mov $0x0, %r11
0x474c640011b0: cmp %r11, %rax
0x474c640011b3: jnz 0x474c640011c3
0x474c640011b9: call 0x474c640011be # <--- This call
0x474c640011be: jmp 0x474c640011d2 # Goes here Here!
0x474c640011c3: mov $0x1030c2800, %rdx
0x474c640011cd: call 0x474c64001220
0x474c640011d2: mov $0xffff000000000000, %rdx # jmp lands here!
0x474c640011dc: cmp %rdx, %rax
0x474c640011df: jae 0x474c640011fe
0x474c640011e5: movq %rax, %xmm0
0x474c640011ea: cvttsd2si %xmm0, %eax
0x474c640011ee: test %rax, %rdx
0x474c640011f1: jnz 0x474c64001200
0x474c640011f7: mov $0x50, %r11d
0x474c640011fd: int3
0x474c640011fe: mov %eax, %eax
0x474c64001200: mov %rbp, %rsp
0x474c64001203: pop %rbp
0x474c64001204: ret
Registers for frame #0 are:
General Purpose Registers:
rax = 0x00000001045572e0
rbx = 0x0000000000000000
rcx = 0x00000001030a8c08
rdx = 0x00007fff5fbfebd0
rdi = 0xffffbeef00000002
rsi = 0xffff0000c0febeef
rbp = 0x00007fff5fbfea40
rsp = 0x00007fff5fbfea08
r8 = 0x0000000000000000
r9 = 0x00000001030a8c08
r10 = 0x0000474c64001300
r11 = 0x00000001045572e0
r12 = 0x0000000000000000
r13 = 0xdeadfacec0fec0fe
r14 = 0x00000001045a02d0
r15 = 0x00000001033f5500
rip = 0x0000474c007e26ad
rflags = 0x0000000000000246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000
But I don't understand how it's getting to this address. Sure it's invalid... but the code from frame #1 doesn't point there! That address isn't mentioned anywhere in the disassembly dump.
Odd.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>