160157 2016-07-25 02:13:57 -0700 REGRESSION(r203537): It made many tests crash on ARMv7 with ARM instruction set 2016-07-29 11:10:07 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED DUPLICATE 159720 https://bugs.webkit.org/show_bug.cgi?id=159720 P1 Critical --- 108645 159649 1 ossy webkit-unassigned benjamin ossy saam oldest_to_newest 1214128 0 ossy 2016-07-25 02:13:57 -0700 JSCOnly Linux ARMv7 Traditional Release: - before: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1613 - after: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1623 ( https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1637 ) crash log on ARMv7 with ARM instruction set: Running stress/exit-after-int52-to-double.js.default stress/exit-after-int52-to-double.js.default: ASSERTION FAILED: linkBuffer.isValid() stress/exit-after-int52-to-double.js.default: ../../Source/JavaScriptCore/jit/JITMathIC.h(130) : void JSC::JITMathIC<Generator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr) [with GeneratorType = JSC::JITAddGenerator] stress/exit-after-int52-to-double.js.default: 1 0xb6394fb0 WTFCrash stress/exit-after-int52-to-double.js.default: 2 0xb5ea3104 JSC::JITMathIC<JSC::JITAddGenerator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr) stress/exit-after-int52-to-double.js.default: 3 0xb5e9a0b8 stress/exit-after-int52-to-double.js.default: Segmentation fault stress/exit-after-int52-to-double.js.default: ERROR: Unexpected exit code: 139 FAIL: stress/exit-after-int52-to-double.js.default It seems it is a similar to bug159720 . Can't we disable this new feature somehow similar to https://trac.webkit.org/changeset/203272 ? 1214148 1 ossy 2016-07-25 05:15:48 -0700 I can confirm that this bug and bug159720 have the same root. The problem is that "auto jump = jit.jump();" allocates a constant on the constant pool which makes linkBuffer ctor not to allocate. But the question is still open, can we disable IC generating on ARM traditional until we can find the proper fix? Because now it is completely broken and there are 2700 crashing stress tests. *** This bug has been marked as a duplicate of bug 159720 *** 1215215 2 ossy 2016-07-28 05:16:26 -0700 (In reply to comment #0) > Can't we disable this new feature somehow similar to > https://trac.webkit.org/changeset/203272 ? ARM assembler is completely broken more than a month ago because of this IC refactoring work. It would be great to get an answer if we can workaround it or not. 1215233 3 saam 2016-07-28 08:50:20 -0700 You can make MathIC generateInline always return false before generating any code. This will make the resulting code quite slow though. It will lead to a C call for every JS add. 1215611 4 ossy 2016-07-29 11:10:07 -0700 (In reply to comment #3) > You can make MathIC generateInline always return false before > generating any code. This will make the resulting code quite > slow though. It will lead to a C call for every JS add. Uploaded a patch to bug159759 to disable it.