126585 2014-01-07 11:15:59 -0800 CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js 2014-01-07 11:26:43 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 msaboff msaboff oldest_to_newest 965085 0 msaboff 2014-01-07 11:15:59 -0800 Running ecma/FunctionObjects/15.3.1.1-3.js on ARM64 crashes due to an ASSERT failure emitting an add instruction with the stack pointer as the destination register. (lldb) bt * thread #1: tid = 0x4e360b, 0x000000010072d010 JavaScriptCore`WTFCrash + 68 at Assertions.cpp:341, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x000000010072d010 JavaScriptCore`WTFCrash + 68 at Assertions.cpp:341 frame #1: 0x000000010011b524 JavaScriptCore`JSC::ARM64Assembler::xOrZr(reg=sp) + 72 at ARM64Assembler.h:3230 frame #2: 0x000000010011cc2c JavaScriptCore`JSC::ARM64Assembler::addSubtractShiftedRegister(sf=Datasize_64, op=AddOp_ADD, S=DontSetFlags, shift=LSL, rm=x16, imm6=0, rn=x29, rd=sp) + 328 at ARM64Assembler.h:3258 frame #3: 0x00000001002e03c0 JavaScriptCore`void JSC::ARM64Assembler::add<64, (this=0x000000016fd7c3a0, rd=sp, rn=x29, rm=x16, shift=LSL, amount=0)0>(JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Assembler::ShiftType, int) + 232 at ARM64Assembler.h:937 frame #4: 0x00000001002e02cc JavaScriptCore`void JSC::ARM64Assembler::add<64, (this=0x000000016fd7c3a0, rd=sp, rn=x29, rm=x16)0>(JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID) + 52 at ARM64Assembler.h:918 frame #5: 0x00000001002e0100 JavaScriptCore`JSC::MacroAssemblerARM64::add64(this=0x000000016fd7c3a0, imm=TrustedImm32 at 0x000000016fd7ba90, src=x29, dest=sp) + 304 at MacroAssemblerARM64.h:254 * frame #6: 0x00000001002d7ec8 JavaScriptCore`JSC::MacroAssembler::addPtr(this=0x000000016fd7c3a0, imm=TrustedImm32 at 0x000000016fd7bac0, src=x29, dest=sp) + 56 at MacroAssembler.h:704 frame #7: 0x000000010041c9c8 JavaScriptCore`JSC::JIT::privateCompile(this=0x000000016fd7c3a0, effort=JITCompilationCanFail) + 1696 at JIT.cpp:553 frame #8: 0x00000001003337b4 JavaScriptCore`JSC::JIT::compile(vm=0x0000000101574000, codeBlock=0x000000013d643ec0, effort=JITCompilationCanFail) + 76 at JIT.h:200 frame #9: 0x000000010054f87c JavaScriptCore`JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000000013d643ec0, exec=0x000000016fd80740) + 276 at LLIntSlowPaths.cpp:311 frame #10: 0x0000000100546f0c JavaScriptCore`llint_loop_osr(exec=0x000000016fd80740, pc=0x0000000101c2fbd0) + 168 at LLIntSlowPaths.cpp:399 frame #11: 0x00000001005564a0 JavaScriptCore`llint_op_loop_hint + 68 frame #12: 0x0000000100556664 JavaScriptCore`llint_op_call + 284 frame #13: 0x000000010055129c JavaScriptCore`callToJavaScript + 420 965089 1 220536 msaboff 2014-01-07 11:23:32 -0800 Created attachment 220536 Patch 965090 2 220536 ggaren 2014-01-07 11:25:04 -0800 Comment on attachment 220536 Patch r=me 965091 3 msaboff 2014-01-07 11:26:43 -0800 Committed r161439: <http://trac.webkit.org/changeset/161439> 220536 2014-01-07 11:23:32 -0800 2014-01-07 11:25:04 -0800 Patch 126585.patch text/plain 2303 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTYxNDM4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBA CisyMDE0LTAxLTA3ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIENTdGFjayBCcmFuY2g6IEFSTTY0IENyYXNoIHJ1bm5pbmcgZWNtYS9GdW5jdGlvbk9iamVj dHMvMTUuMy4xLjEtMy5qcworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9MTI2NTg1CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgV2Ugd2VyZSBpbXByb3Blcmx5IHVzaW5nIGEgc2hpZnRlZCBhZGQvc3VidHJhY3Qg Zm9yIG9wZXJhdGlvbnMgd2l0aCB0aGUgc3RhY2sKKyAgICAgICAgcG9pbnRlciBhcyB0aGUgZGVz dGluYXRpb24uICBCcm9hZGVuZWQgdGhlIGNhc2VzIHdoZXJlIHdlIHVzZSB0aGUgZXh0ZW5kZWQK KyAgICAgICAgcmVnaXN0ZXIgdmVyc2lvbiBvZiBhZGQvc3VidHJhY3QgdG8gaW5jbHVkZSB3aGVu IHRoZSBkZXN0aW5hdGlvbiBpcyB0aGUKKyAgICAgICAgc3RhY2sgcG9pbnRlci4gIEluIHRoZSBB Uk02NCBkb2N1bWVudGF0aW9uLCB0aGUgaW1tZWRpYXRlIGFuZCBleHRlbmRlZCByZWdpc3Rlcgor ICAgICAgICBmb3JtcyBvZiBhZGQgYW5kIHN1YnRyYWN0IGFyZSB0aGUgcmlnaHQgdmFyaWFudHMg dG8gbWFuaXB1bGF0ZSB0aGUgc3RhY2sgcG9pbnRlci4KKworICAgICAgICAqIGFzc2VtYmxlci9B Uk02NEFzc2VtYmxlci5oOgorICAgICAgICAoSlNDOjpBUk02NEFzc2VtYmxlcjo6YWRkKToKKyAg ICAgICAgKEpTQzo6QVJNNjRBc3NlbWJsZXI6OnN1Yik6CisKIDIwMTQtMDEtMDcgIEZpbGlwIFBp emxvICA8ZnBpemxvQGFwcGxlLmNvbT4KIAogICAgICAgICBNZXJnZSB0cnVuayByMTYxNDExLgpJ bmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2VtYmxlci9BUk02NEFzc2VtYmxlci5oCj09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvQVJNNjRBc3NlbWJs ZXIuaAkocmV2aXNpb24gMTYxNDM1KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2VtYmxl ci9BUk02NEFzc2VtYmxlci5oCSh3b3JraW5nIGNvcHkpCkBAIC05MjksOCArOTI5LDkgQEAgcHVi bGljOgogICAgIEFMV0FZU19JTkxJTkUgdm9pZCBhZGQoUmVnaXN0ZXJJRCByZCwgUmVnaXN0ZXJJ RCBybiwgUmVnaXN0ZXJJRCBybSwgU2hpZnRUeXBlIHNoaWZ0LCBpbnQgYW1vdW50KQogICAgIHsK ICAgICAgICAgQ0hFQ0tfREFUQVNJWkUoKTsKLSAgICAgICAgaWYgKGlzU3Aocm4pKSB7CisgICAg ICAgIGlmIChpc1NwKHJkKSB8fCBpc1NwKHJuKSkgewogICAgICAgICAgICAgQVNTRVJUKHNoaWZ0 ID09IExTTCk7CisgICAgICAgICAgICBBU1NFUlQoIWlzU3Aocm0pKTsKICAgICAgICAgICAgIGFk ZDxkYXRhc2l6ZSwgc2V0RmxhZ3M+KHJkLCBybiwgcm0sIFVYVFgsIGFtb3VudCk7CiAgICAgICAg IH0gZWxzZQogICAgICAgICAgICAgaW5zbihhZGRTdWJ0cmFjdFNoaWZ0ZWRSZWdpc3RlcihEQVRB U0laRSwgQWRkT3BfQURELCBzZXRGbGFncywgc2hpZnQsIHJtLCBhbW91bnQsIHJuLCByZCkpOwpA QCAtMTk2Miw4ICsxOTYzLDkgQEAgcHVibGljOgogICAgIEFMV0FZU19JTkxJTkUgdm9pZCBzdWIo UmVnaXN0ZXJJRCByZCwgUmVnaXN0ZXJJRCBybiwgUmVnaXN0ZXJJRCBybSwgU2hpZnRUeXBlIHNo aWZ0LCBpbnQgYW1vdW50KQogICAgIHsKICAgICAgICAgQ0hFQ0tfREFUQVNJWkUoKTsKLSAgICAg ICAgaWYgKGlzU3Aocm4pKSB7CisgICAgICAgIGlmIChpc1NwKHJkKSB8fCBpc1NwKHJuKSkgewog ICAgICAgICAgICAgQVNTRVJUKHNoaWZ0ID09IExTTCk7CisgICAgICAgICAgICBBU1NFUlQoIWlz U3Aocm0pKTsKICAgICAgICAgICAgIHN1YjxkYXRhc2l6ZSwgc2V0RmxhZ3M+KHJkLCBybiwgcm0s IFVYVFgsIGFtb3VudCk7CiAgICAgICAgIH0gZWxzZQogICAgICAgICAgICAgaW5zbihhZGRTdWJ0 cmFjdFNoaWZ0ZWRSZWdpc3RlcihEQVRBU0laRSwgQWRkT3BfU1VCLCBzZXRGbGFncywgc2hpZnQs IHJtLCBhbW91bnQsIHJuLCByZCkpOwo=