159711 2016-07-13 04:01:49 -0700 64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214 2016-07-28 02:29:28 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED FIXED P2 Normal --- 159408 1 ossy ossy commit-queue fpizlo keith_miller mark.lam msaboff ossy saam oldest_to_newest 1210402 0 ossy 2016-07-13 04:01:49 -0700 After r202214 this check is incorrect and causes crashes, because the generated IC code isn't necessarily 64-bit sized. 1210403 1 283510 ossy 2016-07-13 04:03:04 -0700 Created attachment 283510 Patch 1210404 2 ossy 2016-07-13 04:03:34 -0700 I'm going to attach debug backtrace soon to show what is the problem here. 1210949 3 ossy 2016-07-14 04:43:21 -0700 Program received signal SIGBUS, Bus error. 0xb27c42e8 in ?? () (gdb) bt #0 0xb27c42e8 in ?? () #1 0xb6157554 in JSC::slow_path_enter (Cannot access memory at address 0xfffffffb exec=0x0, pc=0xfffffffc) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:596 #2 0xbeffe8e8 in ?? () (gdb) disas 0xb27c42b8,+100 Dump of assembler code from 0xb27c42b8 to 0xb27c431c: 0xb27c42b8: movw r6, #31776 ; 0x7c20 0xb27c42bc: movt r6, #45594 ; 0xb21a 0xb27c42c0: cmp r12, r6 0xb27c42c4: ldrne r12, [pc, #16] ; 0xb27c42dc <====== load from constant pool 0xb27c42c8: bxne r12 0xb27c42cc: ldr r1, [r0, #20] 0xb27c42d0: ldr r0, [r0, #16] 0xb27c42d4: b 0xb27c42e0 <===== jump after the constant pool 0xb27c42d8: bkpt 0xffff 0xb27c42dc: rsbslt r5, r12, #84, 24 ; 0x5400 0xb27c42e0: nop ; (mov r0, r0) 0xb27c42e4: nop ; (mov r0, r0) => 0xb27c42e8: bkpt 0x0000 <======= CRASH! We don't need this barrier. 0xb27c42ec: str r0, [r6] 0xb27c42f0: ldr r6, [pc, #1660] ; 0xb27c4974 0xb27c42f4: str r1, [r6] 0xb27c42f8: str r0, [r11, #-168] ; 0xa8 0xb27c42fc: str r1, [r11, #-164] ; 0xa4 0xb27c4300: mov r2, #0 0xb27c4304: mvn r3, #0 0xb27c4308: ldr r0, [r11, #-168] ; 0xa8 0xb27c430c: ldr r1, [r11, #-164] ; 0xa4 0xb27c4310: cmn r1, #5 0xb27c4314: bne 0xb27c5cd0 0xb27c4318: cmn r3, #1 End of assembler dump. 1211307 4 283510 saam 2016-07-14 18:52:59 -0700 Comment on attachment 283510 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283510&action=review > Source/JavaScriptCore/assembler/ARMAssembler.cpp:-399 > - if (!m_buffer.isAligned(8)) > - bkpt(0); Will we need this when we're not emitting code over old code? 1211406 5 ossy 2016-07-15 07:07:47 -0700 (In reply to comment #4) > Comment on attachment 283510 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283510&action=review > > > Source/JavaScriptCore/assembler/ARMAssembler.cpp:-399 > > - if (!m_buffer.isAligned(8)) > > - bkpt(0); > > Will we need this when we're not emitting code over old code? Practically we don't need this at all, it is placed to crash in case of implementation bug instead of undefined or bad behaviour. 1214877 6 ossy 2016-07-27 07:00:59 -0700 ping? 1214898 7 283510 mark.lam 2016-07-27 08:10:45 -0700 Comment on attachment 283510 Patch r=me 1215181 8 283510 commit-queue 2016-07-28 02:29:24 -0700 Comment on attachment 283510 Patch Clearing flags on attachment: 283510 Committed r203816: <http://trac.webkit.org/changeset/203816> 1215182 9 commit-queue 2016-07-28 02:29:28 -0700 All reviewed patches have been landed. Closing bug. 283510 2016-07-13 04:03:04 -0700 2016-07-28 02:29:24 -0700 Patch bug-159711-20160713130219.patch text/plain 1477 ossy U3VidmVyc2lvbiBSZXZpc2lvbjogMjAzMTU2CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA2 NDljOGVmNmUxOTZkNTViOTgxZmExMjNmYWQ3ODYzMTllZjUxZjYyLi5hZDRlNWUwN2QxNDFlZjRi NDMwNTNmZDk2MGZlZDlkMjg0MTA2NjdmIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs NSArMSwxNSBAQAogMjAxNi0wNy0xMyAgQ3NhYmEgT3N6dHJvZ29uw6FjICA8b3NzeUB3ZWJraXQu b3JnPgogCisgICAgICAgIDY0LWJpdCBhbGlnbm1lbnQgY2hlY2sgaXNuJ3QgbmVjZXNzYXJ5IGlu IEFSTUFzc2VtYmxlcjo6cHJlcGFyZUV4ZWN1dGFibGVDb3B5IGFmdGVyIHIyMDIyMTQKKyAgICAg ICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1OTcxMQorCisgICAg ICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogYXNzZW1ibGVyL0FS TUFzc2VtYmxlci5jcHA6CisgICAgICAgIChKU0M6OkFSTUFzc2VtYmxlcjo6cHJlcGFyZUV4ZWN1 dGFibGVDb3B5KToKKworMjAxNi0wNy0xMyAgQ3NhYmEgT3N6dHJvZ29uw6FjICA8b3NzeUB3ZWJr aXQub3JnPgorCiAgICAgICAgIENMb29wIGJ1aWxkZml4IGFmdGVyIHIyMDMxNDIKICAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1OTcwNgogCmRpZmYgLS1n aXQgYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1ibGVyL0FSTUFzc2VtYmxlci5jcHAgYi9T b3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1ibGVyL0FSTUFzc2VtYmxlci5jcHAKaW5kZXggZjkx MDBkNGM5YmMxMzY0OTVmNTUxMDJhMjRiNTJjYzA0NGYwYjgyNC4uNTUyZjM3ZjY4MDk0NjA3ZDAw ZmQyMmNmMzM2YTQwOWJhYzcwYTJmNSAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3JpcHRDb3Jl L2Fzc2VtYmxlci9BUk1Bc3NlbWJsZXIuY3BwCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9h c3NlbWJsZXIvQVJNQXNzZW1ibGVyLmNwcApAQCAtMzk1LDggKzM5NSw2IEBAIHZvaWQgQVJNQXNz ZW1ibGVyOjpwcmVwYXJlRXhlY3V0YWJsZUNvcHkodm9pZCogdG8pCiB7CiAgICAgLy8gNjQtYml0 IGFsaWdubWVudCBpcyByZXF1aXJlZCBmb3IgbmV4dCBjb25zdGFudCBwb29sIGFuZCBKSVQgY29k ZSBhcyB3ZWxsCiAgICAgbV9idWZmZXIuZmx1c2hXaXRob3V0QmFycmllcih0cnVlKTsKLSAgICBp ZiAoIW1fYnVmZmVyLmlzQWxpZ25lZCg4KSkKLSAgICAgICAgYmtwdCgwKTsKIAogICAgIGNoYXIq IGRhdGEgPSByZWludGVycHJldF9jYXN0PGNoYXIqPihtX2J1ZmZlci5kYXRhKCkpOwogICAgIHB0 cmRpZmZfdCBkZWx0YSA9IHJlaW50ZXJwcmV0X2Nhc3Q8Y2hhcio+KHRvKSAtIGRhdGE7Cg==