130203 2014-03-13 12:20:03 -0700 JS benchmarks crash with a bus error on 32-bit x86 2014-03-13 12:48:25 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mark.lam mark.lam fpizlo ggaren mhahnenberg mmirman msaboff oliver oldest_to_newest 990110 0 mark.lam 2014-03-13 12:20:03 -0700 The following tests crashes when running with a 32-bit x86 debug build of jsc: JSRegress/get-by-id-self-or-proto JSRegress/polymorphic-put-by-id Kraken/audio-beat-detection Octane/gbemu Octane/pdfjs Octane/typescript V8Spider/raytrace V8v7/encrypt V8v7/splay ... 990112 1 mark.lam 2014-03-13 12:20:34 -0700 <rdar://problem/16306428> 990119 2 mark.lam 2014-03-13 12:30:34 -0700 The issue is that generateGetByIdStub() can potentially use the same register for the JSValue base register and the target tag register. After loading the tag value into the target tag register, the JSValue base address is lost. The code then proceeds to load the payload value using the base register, and this results in a crash. The fix is to check if the base register is the same as the target tag register. If so, we should make a copy the base register first before loading the tag value, and use the copy to load the payload value instead. 990121 3 226612 mark.lam 2014-03-13 12:32:43 -0700 Created attachment 226612 the patch 990127 4 226612 ggaren 2014-03-13 12:42:30 -0700 Comment on attachment 226612 the patch r=me 990131 5 mark.lam 2014-03-13 12:48:25 -0700 Thanks for the review. Landed in r165559: <http://trac.webkit.org/r165559>. 226612 2014-03-13 12:32:43 -0700 2014-03-13 12:42:29 -0700 the patch bug-130203.patch text/plain 2226 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTY1NTU0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIzIEBA CisyMDE0LTAzLTEzICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBK UyBiZW5jaG1hcmtzIGNyYXNoIHdpdGggYSBidXMgZXJyb3Igb24gMzItYml0IHg4Ni4KKyAgICAg ICAgPGh0dHBzOi8vd2Via2l0Lm9yZy9iLzEzMDIwMz4KKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGUgaXNzdWUgaXMgdGhhdCBnZW5lcmF0ZUdldEJ5 SWRTdHViKCkgY2FuIHBvdGVudGlhbGx5IHVzZSB0aGUgc2FtZSByZWdpc3RlcgorICAgICAgICBm b3IgdGhlIEpTVmFsdWUgYmFzZSByZWdpc3RlciBhbmQgdGhlIHRhcmdldCB0YWcgcmVnaXN0ZXIu ICBBZnRlciBsb2FkaW5nIHRoZQorICAgICAgICB0YWcgdmFsdWUgaW50byB0aGUgdGFyZ2V0IHRh ZyByZWdpc3RlciwgdGhlIEpTVmFsdWUgYmFzZSBhZGRyZXNzIGlzIGxvc3QuCisgICAgICAgIFRo ZSBjb2RlIHRoZW4gcHJvY2VlZHMgdG8gbG9hZCB0aGUgcGF5bG9hZCB2YWx1ZSB1c2luZyB0aGUg YmFzZSByZWdpc3RlciwgYW5kCisgICAgICAgIHRoaXMgcmVzdWx0cyBpbiBhIGNyYXNoLgorCisg ICAgICAgIFRoZSBmaXggaXMgdG8gY2hlY2sgaWYgdGhlIGJhc2UgcmVnaXN0ZXIgaXMgdGhlIHNh bWUgYXMgdGhlIHRhcmdldCB0YWcgcmVnaXN0ZXIuCisgICAgICAgIElmIHNvLCB3ZSBzaG91bGQg bWFrZSBhIGNvcHkgdGhlIGJhc2UgcmVnaXN0ZXIgZmlyc3QgYmVmb3JlIGxvYWRpbmcgdGhlIHRh ZworICAgICAgICB2YWx1ZSwgYW5kIHVzZSB0aGUgY29weSB0byBsb2FkIHRoZSBwYXlsb2FkIHZh bHVlIGluc3RlYWQuCisKKyAgICAgICAgKiBqaXQvUmVwYXRjaC5jcHA6CisgICAgICAgIChKU0M6 OmdlbmVyYXRlR2V0QnlJZFN0dWIpOgorCiAyMDE0LTAzLTEyICBGaWxpcCBQaXpsbyAgPGZwaXps b0BhcHBsZS5jb20+CiAKICAgICAgICAgV2ViS2l0IHNob3VsZG4ndCBjcmFzaCBvbiB1bmlwcm9j ZXNzb3IgbWFjaGluZXMKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qaXQvUmVwYXRjaC5j cHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9SZXBhdGNoLmNwcAko cmV2aXNpb24gMTY1NDk2KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9SZXBhdGNoLmNw cAkod29ya2luZyBjb3B5KQpAQCAtMzAxLDggKzMwMSwxMyBAQCBzdGF0aWMgdm9pZCBnZW5lcmF0 ZUdldEJ5SWRTdHViKAogI2lmIFVTRShKU1ZBTFVFNjQpCiAgICAgICAgIHN0dWJKaXQubG9hZDY0 KE1hY3JvQXNzZW1ibGVyOjpBZGRyZXNzKHN0b3JhZ2VHUFIsIG9mZnNldFJlbGF0aXZlVG9CYXNl KG9mZnNldCkpLCBsb2FkZWRWYWx1ZUdQUik7CiAjZWxzZQorICAgICAgICBHUFJSZWcgY29weU9m U3RvcmFnZUdQUiA9IHN0b3JhZ2VHUFI7CisgICAgICAgIGlmIChzdG9yYWdlR1BSID09IHJlc3Vs dFRhZ0dQUikgeworICAgICAgICAgICAgY29weU9mU3RvcmFnZUdQUiA9IGxvYWRlZFZhbHVlR1BS OworICAgICAgICAgICAgc3R1YkppdC5tb3ZlKHN0b3JhZ2VHUFIsIGNvcHlPZlN0b3JhZ2VHUFIp OworICAgICAgICB9CiAgICAgICAgIHN0dWJKaXQubG9hZDMyKE1hY3JvQXNzZW1ibGVyOjpBZGRy ZXNzKHN0b3JhZ2VHUFIsIG9mZnNldFJlbGF0aXZlVG9CYXNlKG9mZnNldCkgKyBUYWdPZmZzZXQp LCByZXN1bHRUYWdHUFIpOwotICAgICAgICBzdHViSml0LmxvYWQzMihNYWNyb0Fzc2VtYmxlcjo6 QWRkcmVzcyhzdG9yYWdlR1BSLCBvZmZzZXRSZWxhdGl2ZVRvQmFzZShvZmZzZXQpICsgUGF5bG9h ZE9mZnNldCksIGxvYWRlZFZhbHVlR1BSKTsKKyAgICAgICAgc3R1YkppdC5sb2FkMzIoTWFjcm9B c3NlbWJsZXI6OkFkZHJlc3MoY29weU9mU3RvcmFnZUdQUiwgb2Zmc2V0UmVsYXRpdmVUb0Jhc2Uo b2Zmc2V0KSArIFBheWxvYWRPZmZzZXQpLCBsb2FkZWRWYWx1ZUdQUik7CiAjZW5kaWYKICAgICB9 CiAK