157340 2016-05-04 02:58:23 -0700 REGRESSION(r200383): It made all JSC stress tests crash on ARMv7 Thumb2 2016-05-04 13:04:10 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED DUPLICATE 157045 https://bugs.webkit.org/show_bug.cgi?id=157338 P1 Blocker --- 108645 157045 1 ossy ossy cgarcia clopez commit-queue fpizlo gustavo keith_miller mark.lam msaboff ossy saam zan oldest_to_newest 1190016 0 ossy 2016-05-04 02:58:23 -0700 JSCOnly: --------- - before: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Thumb2%20Release/builds/468 - after: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Thumb2%20Release/builds/469 GTK: ----- - before: https://build.webkit.org/builders/GTK%20Linux%20ARM%20Release/builds/11044 - after: https://build.webkit.org/builders/GTK%20Linux%20ARM%20Release/builds/11045 no problem on AArch64, ARMv7 ARM instructions set, x86 32 bit 1190020 1 ossy 2016-05-04 03:14:21 -0700 Here is a relase backtrace: $ ./jsc Illegal instruction (core dumped) linaro@linaro-alip:/ramdisk/thumb2/jsc-stress-results/.vm/JavaScriptCore.framework/Resources$ gdb ./jsc core GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "arm-linux-gnueabihf". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from ./jsc...(no debugging symbols found)...done. [New LWP 23648] [New LWP 23655] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1". Core was generated by `./jsc'. Program terminated with signal SIGILL, Illegal instruction. #0 0xb6cd1b7c in JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&) () from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1 (gdb) bt #0 0xb6cd1b7c in JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&) () from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #1 0xb6c5080e in JSC::ArrayPrototype::finishCreation(JSC::VM&, JSC::JSGlobalObject*) () from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #2 0x7e78c0b6 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) disassembly: ... 0xb6cd1b70 <JSC::getTemplateObject(JSC::ExecState*)+28>: mvnne.w r1, #4 0xb6cd1b74 <JSC::getTemplateObject(JSC::ExecState*)+32>: mvneq.w r1, #5 0xb6cd1b78 <JSC::getTemplateObject(JSC::ExecState*)+36>: pop {r3, pc} 0xb6cd1b7a: nop => 0xb6cd1b7c <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+0>: str.w r4, [sp, #-20]! 0xb6cd1b80 <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+4>: strd r5, r6, [sp, #4] 0xb6cd1b84 <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+8>: ldr r5, [pc, #132] ; (0xb6cd1c0c <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+144>) ... 1190021 2 ossy 2016-05-04 03:24:38 -0700 What do you think, is it a bug in r200383 or a GCC bug? 1190022 3 zan 2016-05-04 03:29:10 -0700 Might have also broken 64-bit debug builds. https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug%20%28Tests%29/builds/8787 https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug%20%28Tests%29/builds/8788 1190024 4 cgarcia 2016-05-04 03:32:54 -0700 (In reply to comment #2) > What do you think, is it a bug in r200383 or a GCC bug? Looks like a GCC bug in the case of GTK+ debug bot. 1190028 5 ossy 2016-05-04 04:05:44 -0700 (In reply to comment #2) > What do you think, is it a bug in r200383 or a GCC bug? It is definitely caused by r200383, not a GCC bug, see https://bugs.webkit.org/show_bug.cgi?id=157045#c61 1190045 6 278081 ossy 2016-05-04 05:24:30 -0700 Created attachment 278081 Patch 1190177 7 278081 fpizlo 2016-05-04 13:03:58 -0700 Comment on attachment 278081 Patch I think this would have almost worked, but I believe that it's too crazy to rely on the alignment of function pointers. I'm going to land a version that doesn't rely on the alignment or bit arrangement of function pointers at all. 1190178 8 fpizlo 2016-05-04 13:04:10 -0700 *** This bug has been marked as a duplicate of bug 157045 *** 278081 2016-05-04 05:24:30 -0700 2016-05-04 13:03:58 -0700 Patch bug-157340-20160504052509.patch text/plain 1560 ossy U3VidmVyc2lvbiBSZXZpc2lvbjogMjAwNDEzCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCBh OTdmNTUyYzA2NDdhY2JjN2FkMDg0NDQ1NTM2MjBiODZiNDhiZTQzLi40YTgxMmU0MzZlNmEwZTYx YWNmNWU2YmE0OWNhMDUzNzc5ZmE1YjkxIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxMyBAQAorMjAxNi0wNS0wNCAgQ3NhYmEgT3N6dHJvZ29uw6FjICA8b3NzeUB3ZWJraXQu b3JnPgorCisgICAgICAgIFJFR1JFU1NJT04ocjIwMDM4Myk6IEl0IG1hZGUgYWxsIEpTQyBzdHJl c3MgdGVzdHMgY3Jhc2ggb24gQVJNdjcgVGh1bWIyCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNTczNDAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICAqIHJ1bnRpbWUvTGF6eVByb3BlcnR5Lmg6CisgICAgICAg IChKU0M6OkxhenlQcm9wZXJ0eTo6Z2V0KToKKwogMjAxNi0wNS0wNCAgWXVzdWtlIFN1enVraSAg PHV0YXRhbmUudGVhQGdtYWlsLmNvbT4KIAogICAgICAgICBBc3NlcnRpb24gZmFpbHVyZSBmb3Ig c3VwZXIoKSBjYWxsIGluIGRpcmVjdCBldmFsIGluIG1ldGhvZCBmdW5jdGlvbgpkaWZmIC0tZ2l0 IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvTGF6eVByb3BlcnR5LmggYi9Tb3VyY2Uv SmF2YVNjcmlwdENvcmUvcnVudGltZS9MYXp5UHJvcGVydHkuaAppbmRleCAxZWNhNGU4NTNkODg1 OWIxNjljZGUwYTBkZmVjNTY1NGUwNmNiYTkyLi44NzhjNjhhNTcwODE2ZjJiNjJkOTk3ZWFhZjdi YWZiZjJjOTdiNDE1IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9M YXp5UHJvcGVydHkuaAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9MYXp5UHJv cGVydHkuaApAQCAtNzcsNyArNzcsMTEgQEAgcHVibGljOgogICAgIHsKICAgICAgICAgQVNTRVJU KCFpc0NvbXBpbGF0aW9uVGhyZWFkKCkpOwogICAgICAgICBpZiAoVU5MSUtFTFkobV9wb2ludGVy ICYgbGF6eVRhZykpIHsKKyNpZiBDUFUoQVJNX1RIVU1CMikKKyAgICAgICAgICAgIGF1dG8gY2Fs bEZ1bmMgPSBiaXR3aXNlX2Nhc3Q8RWxlbWVudFR5cGUqICgqKShjb25zdCBJbml0aWFsaXplciYp PihtX3BvaW50ZXIpOworI2Vsc2UKICAgICAgICAgICAgIGF1dG8gY2FsbEZ1bmMgPSBiaXR3aXNl X2Nhc3Q8RWxlbWVudFR5cGUqICgqKShjb25zdCBJbml0aWFsaXplciYpPihtX3BvaW50ZXIgJiB+ bGF6eVRhZyk7CisjZW5kaWYKICAgICAgICAgICAgIHJldHVybiBjYWxsRnVuYyhJbml0aWFsaXpl cihjb25zdF9jYXN0PE93bmVyVHlwZSo+KG93bmVyKSwgKmNvbnN0X2Nhc3Q8TGF6eVByb3BlcnR5 Kj4odGhpcykpKTsKICAgICAgICAgfQogICAgICAgICByZXR1cm4gYml0d2lzZV9jYXN0PEVsZW1l bnRUeXBlKj4obV9wb2ludGVyKTsK