<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - WebAssembly: doesn't with with --useJIT=0"
href="https://bugs.webkit.org/show_bug.cgi?id=168694">168694</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>WebAssembly: doesn't with with --useJIT=0
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jfbastien@apple.com
</td>
</tr>
<tr>
<th>CC</th>
<td>fpizlo@apple.com, jfbastien@apple.com, keith_miller@apple.com, mark.lam@apple.com, msaboff@apple.com, sbarati@apple.com
</td>
</tr>
<tr>
<th>Blocks</th>
<td>159775
</td>
</tr></table>
<p>
<div>
<pre>We get an assertion in repatchNearCall because there's an immediate that doesn't fit. The problem is that without JIT the wasm code can't be linked to trampolines because they don't exist.
Simple repro:
(cd ./JSTests/wasm/ && lldb ../../current-debug/bin/jsc -- -m --useWebAssembly=1 ./js-api/wasm-to-wasm.js --useConcurrentJIT=0 --useJIT=0)
We probably want to JIT just those stubs when WebAssembly is used, even if the JIT is disabled.
Backtrace:
1 0x1013d3e9d WTFCrash
2 0x100300839 JSC::X86Assembler::setRel32(void*, void*)
3 0x1009cf43d JSC::X86Assembler::relinkCall(void*, void*)
4 0x100e37731 JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::repatchNearCall(JSC::CodeLocationNearCall, JSC::CodeLocationLabel)
5 0x100e3753f JSC::linkFor(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CodeBlock*, JSC::JSFunction*, JSC::MacroAssemblerCodePtr)
6 0x100e02ff6 operationLinkCall
...
frame #1: 0x0000000100300839 JavaScriptCore`JSC::X86Assembler::setRel32(from=0x000039c74ec011be, to=0x0000000100e58c6e) + 89 at X86Assembler.h:3123
3120 static void setRel32(void* from, void* to)
3121 {
3122 intptr_t offset = reinterpret_cast<intptr_t>(to) - reinterpret_cast<intptr_t>(from);
-> 3123 ASSERT(offset == static_cast<int32_t>(offset));
3124
3125 setInt32(from, offset);
3126 }
(lldb) p/x from
(void *) $0 = 0x000039c74ec011be
(lldb) p/x to
(void *) $1 = 0x0000000100e58c6e
(lldb) p/x offset
(intptr_t) $2 = 0xffffc639b2257ab0</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>