146629 2015-07-06 02:26:35 -0700 [MIPS] webkitgtk crashed if JIT is enabled 2016-09-08 01:31:10 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Other Linux NEW P2 Normal --- 1 Jeffrey.li webkit-unassigned annulen cgarcia fpizlo guijemont jbriance mcatanzaro ossy zan oldest_to_newest 1107060 0 Jeffrey.li 2015-07-06 02:26:35 -0700 Webkitgtk crashed when I run the javascript test. The backtrace and some gdb information list below. warning: Could not load shared library symbols for 82 libraries, e.g. /usr/lib/libwebkitgtk-1.0.so.0. Use the "info sharedlibrary" command to see the complete listing. Do you need "set solib-search-path" or "set sysroot"? Core was generated by `/usr/local/bin/otvwebkit http://10.12.2.99/testcase/regression/testcase.html'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x759f4e08 in ?? () (gdb) bt #0 0x759f4e08 in llint_op_push_name_scope () from /home/otv5/otv5/jeli_pc2/DEVELOP/OTV_WebKit/otvwebkit2.0/otvtarg/tc7356_uclibc_bc/sdk_all/target/usr/lib/libjavascriptcoregtk-1.0.so.0 #1 0x759f4e00 in llint_op_pop_scope () from /home/otv5/otv5/jeli_pc2/DEVELOP/OTV_WebKit/otvwebkit2.0/otvtarg/tc7356_uclibc_bc/sdk_all/target/usr/lib/libjavascriptcoregtk-1.0.so.0 Backtrace stopped: frame did not save the PC (gdb) i reg zero at v0 v1 a0 a1 a2 a3 R0 00000000 00000001 6bfbfd40 fffffffb 6c3e2fa8 7262de0c 759f2bac 72642978 t0 t1 t2 t3 t4 t5 t6 t7 R8 fffffffa fffffffb fffffffe fffffffb 726112f4 00000004 ecb5a59f 6c3e2f98 s0 s1 s2 s3 s4 s5 s6 s7 R16 7f8e1258 7260b000 7262de0c 7260b000 6c1b91a8 6bf5fa68 72642960 7260b000 t8 t9 k0 k1 gp sp s8 ra R24 6c3e2f98 759f2bac 00000000 00000000 6c1b91a8 7f8e0d00 6c3e2fa8 759f4e00 sr lo hi bad cause pc 00008713 00000004 00000000 6c1b18c0 00800008 759f4e08 fsr fir 88800004 00000000 (gdb) x/16i llint_op_push_name_scope 0x759f4e00 <llint_op_push_name_scope>: move a0,s8 0x759f4e04 <llint_op_push_name_scope+4>: move a1,s2 => 0x759f4e08 <llint_op_push_name_scope+8>: lw t9,-30952(gp) 0x759f4e0c <llint_op_push_name_scope+12>: bal 0x759eac98 <llint_slow_path_push_name_scope> 0x759f4e10 <llint_op_push_name_scope+16>: nop 0x759f4e14 <llint_op_push_name_scope+20>: move gp,s4 0x759f4e18 <llint_op_push_name_scope+24>: move s2,v0 0x759f4e1c <llint_op_push_name_scope+28>: move s8,v1 0x759f4e20 <llint_op_push_name_scope+32>: addiu s2,s2,16 0x759f4e24 <llint_op_push_name_scope+36>: lw ra,0(s2) 0x759f4e28 <llint_op_push_name_scope+40>: jr ra 0x759f4e2c <llint_op_push_name_scope+44>: nop 0x759f4e30 <llint_op_throw>: move a0,s8 0x759f4e34 <llint_op_throw+4>: move a1,s2 0x759f4e38 <llint_op_throw+8>: lw t9,-30948(gp) 0x759f4e3c <llint_op_throw+12>: bal 0x759e9864 <llint_slow_path_throw> 0x759f4e40 <llint_op_throw+16>: nop (gdb) 1107061 1 256203 Jeffrey.li 2015-07-06 02:29:24 -0700 Created attachment 256203 test case for this issue. 1107318 2 256268 Jeffrey.li 2015-07-06 18:04:57 -0700 Created attachment 256268 proposed patch On MIPS platform, function llint_op_catch() use RA register to compute gp pointor. JSC::CCallHelpers::jumpToExceptionHandler() use T9 register. It will cause a invalid gp pointer when jump to llint_op_catch(). My patch load the function address to RA first. Then copy it to T9 and jump. 1151639 3 mcatanzaro 2015-12-30 15:26:10 -0800 Guillaume, this look OK? You didn't run into this issue...? (In reply to comment #1) > Created attachment 256203 [details] > test case for this issue. Great. This should probably be added as a testcase under LayoutTests/js. 1156499 4 guijemont 2016-01-18 18:21:32 -0800 (In reply to comment #3) > Guillaume, this look OK? You didn't run into this issue...? I did not run into this issue (yet?), maybe because I've mainly worked with jsc only (only compiling WTF/ and JavaScriptCore/). I am a little confused by the patch though. I understand that $gp is computed by the code of .cpload (emitted by offlineasm for each label), which uses $t9. I don't understand how this is different for llint_op_catch(), though I didn't study the exception code/protocol, and I have a feeling that this is not your regular function, and there might be something done with $ra that I did not understand. > (In reply to comment #1) > > Created attachment 256203 [details] > > test case for this issue. > > Great. This should probably be added as a testcase under LayoutTests/js. 1210955 5 256268 mcatanzaro 2016-07-14 05:35:09 -0700 Comment on attachment 256268 proposed patch Jeffrey, could you respond to Guillaume's questions here? Resetting the request flags in the meantime. 1227567 6 Jeffrey.li 2016-09-08 01:31:10 -0700 (In reply to comment #4) > (In reply to comment #3) > > Guillaume, this look OK? You didn't run into this issue...? > > I did not run into this issue (yet?), maybe because I've mainly worked with > jsc only (only compiling WTF/ and JavaScriptCore/). > I am a little confused by the patch though. I understand that $gp is > computed by the code of .cpload (emitted by offlineasm for each label), > which uses $t9. I don't understand how this is different for > llint_op_catch(), though I didn't study the exception code/protocol, and I > have a feeling that this is not your regular function, and there might be > something done with $ra that I did not understand. > > > (In reply to comment #1) > > > Created attachment 256203 [details] > > > test case for this issue. > > > > Great. This should probably be added as a testcase under LayoutTests/js. The .cpload uses $ra register to compute the $gp value. The jumpToExceptionHandler() uses $t9 as jump register now. Then in llint_op_catch() function, $ra will get a incorrect value. This will cause the $gp value is incorrect too. 256203 2015-07-06 02:29:24 -0700 2015-07-06 02:29:24 -0700 test case for this issue. testcase_for_146629.html text/html 588 Jeffrey.li PGh0bWw+Cjxib2R5ID4KPGNlbnRlcj4KPGgxPnRlc3QgcmVzdWx0PC9oMT4KPHNjcmlwdCB0eXBl PSJ0ZXh0L2phdmFzY3JpcHQiPgoKInVzZSBzdHJpY3QiOwp2YXIgcG9pc29uID0gT2JqZWN0Lmdl dE93blByb3BlcnR5RGVzY3JpcHRvcihmdW5jdGlvbigpIHt9LCAnY2FsbGVyJykuZ2V0OwppZiAo dHlwZW9mIHBvaXNvbiAhPT0gJ2Z1bmN0aW9uJykgewogIGRvY3VtZW50LndyaXRlKCJGQUlMRUQ6 QSBzdHJpY3QgZnVuY3Rpb24ncyAuY2FsbGVyIHNob3VsZCBiZSBwb2lzb25lZCB3aXRoIGEgZnVu Y3Rpb24iICsiPGJyIC8+Iik7Cn0KdmFyIHRocmV3ID0gbnVsbDsKdHJ5IHsKICBwb2lzb24oKTsK fSBjYXRjaCAoZXJyKSB7CiAgdGhyZXcgPSBlcnI7Cn0KCmlmICghdGhyZXcgfHwgISh0aHJldyBp bnN0YW5jZW9mIFR5cGVFcnJvcikpIHsKICBkb2N1bWVudC53cml0ZSgiRkFJTEVEOlBvaXNvbmVk IHByb3BlcnR5IHNob3VsZCB0aHJvdyBUeXBlRXJyb3IiICsiPGJyIC8+Iik7Cn0gZWxzZSB7CiAg ZG9jdW1lbnQud3JpdGUoIlBBU1MiICsiPGJyIC8+Iik7Cn0KCgo8L3NjcmlwdD4KPC9jZW50ZXI+ CjwvYm9keT4KPC9odG1sPgoK 256268 2015-07-06 18:04:57 -0700 2016-07-14 05:35:09 -0700 proposed patch BugID_146629.patch text/plain 1425 Jeffrey.li SW5kZXg6IENoYW5nZUxvZw0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KLS0tIENoYW5nZUxvZwkocmV2aXNpb24gMTg2 MzA3KQ0KKysrIENoYW5nZUxvZwkod29ya2luZyBjb3B5KQ0KQEAgLTEsMyArMSwxNSBAQA0KKzIw MTUtMDctMDYgIEplZmZyZXkgTGkgPGplZmZyZXkubGlAbmFncmEuY29tPgorCisgICAgICAgIFtN SVBTXSB3ZWJraXRndGsgY3Jhc2hlZCBpZiBKSVQgaXMgZW5hYmxlZAorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTQ2NjI5CisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVXNlIFJBIHJlZ2lzdGVyIHdoZW4ganVt cCB0byBleGNlcHRpb24gaGFuZGxlciBvbiBNSVBTIHBsYXRmb3JtLgorCisgICAgICAgICogaml0 L0NDYWxsSGVscGVycy5oOgorICAgICAgICAoSlNDOjpDQ2FsbEhlbHBlcnM6Omp1bXBUb0V4Y2Vw dGlvbkhhbmRsZXIpOgorCiAyMDE1LTA3LTA1ICBZdXN1a2UgU3V6dWtpICA8dXRhdGFuZS50ZWFA Z21haWwuY29tPgogCiAgICAgICAgIFtFUzZdIEltcGxlbWVudCB0aGUgbGF0ZXN0IFByb21pc2Ug c3BlYyBpbiBKUwpJbmRleDogaml0L0NDYWxsSGVscGVycy5oDQo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQotLS0gaml0 L0NDYWxsSGVscGVycy5oCShyZXZpc2lvbiAxODYzMDcpDQorKysgaml0L0NDYWxsSGVscGVycy5o CSh3b3JraW5nIGNvcHkpDQpAQCAtMjAxNyw4ICsyMDE3LDE0IEBADQogICAgICAgICAvLyBnZW5l cmljVW53aW5kKCkgbGVhdmVzIHRoZSBoYW5kbGVyIENhbGxGcmFtZSogaW4gdm0tPmNhbGxGcmFt ZUZvclRocm93LAogICAgICAgICAvLyB0aGUgdG9wVk1FbnRyeUZyYW1lIGZvciB0aGUgaGFuZGxl ciBpbiB2bS0+dm1FbnRyeUZyYW1lRm9yVGhyb3csCiAgICAgICAgIC8vIGFuZCB0aGUgYWRkcmVz cyBvZiB0aGUgaGFuZGxlciBpbiB2bS0+dGFyZ2V0TWFjaGluZVBDRm9yVGhyb3cuCisjaWYgQ1BV KE1JUFMpCisgICAgICAgIC8vT24gTUlQUyBwbGF0Zm9ybSwgbGxpbnRfb3BfY2F0Y2ggdXMgcmEg cmVnaXN0ZXIgdG8gY29tcHV0ZSB0aGUgZ3AgcG9pbnRvci4KKyAgICAgICAgbG9hZFB0cigmdm0o KS0+dGFyZ2V0TWFjaGluZVBDRm9yVGhyb3csIHJldHVybkFkZHJlc3NSZWdpc3Rlcik7CisgICAg ICAgIGp1bXAocmV0dXJuQWRkcmVzc1JlZ2lzdGVyKTsKKyNlbHNlCiAgICAgICAgIGxvYWRQdHIo JnZtKCktPnRhcmdldE1hY2hpbmVQQ0ZvclRocm93LCBHUFJJbmZvOjpyZWdUMSk7CiAgICAgICAg IGp1bXAoR1BSSW5mbzo6cmVnVDEpOworI2VuZGlmIC8vIENQVShNSVBTKQogICAgIH0KIH07CiAK