201664 2019-09-10 16:01:41 -0700 [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData 2019-09-10 21:24:47 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ysuzuki ysuzuki ews-watchlist keith_miller mark.lam msaboff saam tzagallo webkit-bug-importer oldest_to_newest 1569710 0 ysuzuki 2019-09-10 16:01:41 -0700 [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData 1569715 1 378505 ysuzuki 2019-09-10 16:07:34 -0700 Created attachment 378505 Patch 1569716 2 ysuzuki 2019-09-10 16:07:36 -0700 <rdar://problem/52126927> 1569717 3 378505 ysuzuki 2019-09-10 16:09:18 -0700 Comment on attachment 378505 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=378505&action=review > Source/JavaScriptCore/ChangeLog:25 > + (JSC::CodeBlock::ensureJITDataSlow): This crash exists so long time since previously we are seeing half-baked CodeBlock::m_calleeSaveRegisters instead of JITData. 1569722 4 ysuzuki 2019-09-10 16:18:19 -0700 Committed r249740: <https://trac.webkit.org/changeset/249740> 1569819 5 378505 saam 2019-09-10 20:58:50 -0700 Comment on attachment 378505 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=378505&action=review > Source/JavaScriptCore/bytecode/CodeBlock.cpp:1349 > + // But we should not see garbage pointer in that case. We ensure JITData::m_calleeSaveRegisters is initialized as nullptr before exposing it to BaselineJIT by store-store-fence. do the compiler threads check for nullptr? We're seeing this crash on ARM only? 1569827 6 ysuzuki 2019-09-10 21:24:47 -0700 (In reply to Saam Barati from comment #5) > Comment on attachment 378505 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=378505&action=review > > > Source/JavaScriptCore/bytecode/CodeBlock.cpp:1349 > > + // But we should not see garbage pointer in that case. We ensure JITData::m_calleeSaveRegisters is initialized as nullptr before exposing it to BaselineJIT by store-store-fence. > > do the compiler threads check for nullptr? Yes, compiler thread is checking nullptr. > > We're seeing this crash on ARM only? Yes, this crash is happening only on ARM devices, because x86 offers TSO. Theoretically, we can see x86 crash if clang emits the code storing JITData pointer to CodeBlock before null-ing that field. 378505 2019-09-10 16:07:34 -0700 2019-09-10 16:11:24 -0700 Patch bug-201664-20190910160733.patch text/plain 3379 ysuzuki U3VidmVyc2lvbiBSZXZpc2lvbjogMjQ5NzM4CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCBl M2VjNTI0NTJlODBiODhlZTA2OGMyYjMzM2MxMjg5MDRjYzU2ZTE4Li4xYzA1MTNlNDQ3Yzc5ZmQ4 NzE0NWM5Yjc4OThhNTU2MTE2NmFiZTA5IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwyOSBAQAorMjAxOS0wOS0xMCAgWXVzdWtlIFN1enVraSAgPHlzdXp1a2lAYXBwbGUuY29t PgorCisgICAgICAgIFtKU0NdIENvZGVCbG9jazo6Y2FsbGVlU2F2ZVJlZ2lzdGVycyBzaG91bGQg bm90IHNlZSBoYWxmLWJha2VkIEpJVERhdGEKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTIwMTY2NAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNTIxMjY5 Mjc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2Ug YXJlIGhpdHRpbmcgdGhlIGNyYXNoIGFjY2Vzc2luZyBpbnZhbGlkLXBvaW50ZXIgYXMgQ29kZUJs b2NrOjpjYWxsZWVTYXZlUmVnaXN0ZXJzIHJlc3VsdC4KKyAgICAgICAgVGhpcyBpcyBiZWNhdXNl IGNvbmN1cnJlbnQgQmFzZWxpbmUgSklUIGNvbXBpbGVyIGNhbiBhY2Nlc3MgbV9qaXREYXRhIHdp dGhvdXQgdGFraW5nIGEgbG9jayB0aHJvdWdoIENvZGVCbG9jazo6Y2FsbGVlU2F2ZVJlZ2lzdGVy cy4KKyAgICAgICAgU2luY2UgbV9qaXREYXRhIGNhbiBiZSBpbml0aWFsaXplZCBpbiB0aGUgbWFp biB0aHJlYWQgd2hpbGUgY2FsbGluZyBDb2RlQmxvY2s6OmNhbGxlZVNhdmVSZWdpc3RlcnMgZnJv bSBjb25jdXJyZW50IEJhc2VsaW5lIEpJVCBjb21waWxlciB0aHJlYWQsCisgICAgICAgIHdlIGNh biBzZWUgaGFsZi1iYWtlZCBKSVREYXRhIHN0cnVjdHVyZSB3aGljaCBob2xkcyBnYXJiYWdlIHBv aW50ZXJzLgorCisgICAgICAgIEJ1dCB3ZSBkbyBub3Qgd2FudCB0byBtYWtlIENvZGVCbG9jazo6 Y2FsbGVlU2F2ZVJlZ2lzdGVycygpIGNhbGwgd2l0aCBDb2RlQmxvY2s6Om1fbG9jayBkdWUgdG8g c2V2ZXJhbCByZWFzb25zLgorCisgICAgICAgIDEuIFRoaXMgZnVuY3Rpb24gaXMgdmVyeSBwcmlt aXRpdmUgb25lIGFuZCBpdCBpcyBjYWxsZWQgZnJvbSB2YXJpb3VzIEFzc2VtYmx5SGVscGVycyBm dW5jdGlvbnMgYW5kIG90aGVyIGNvZGUtZ2VuZXJhdGlvbiBmdW5jdGlvbnMuIFNvbWUgb2YgdGhl c2UgZnVuY3Rpb25zIGFyZQorICAgICAgICAgICBjYWxsZWQgd2hpbGUgdGFraW5nIHRoaXMgZXhh Y3Qgc2FtZSBsb2NrLCBzbyBkZWFkLWxvY2sgY2FuIGhhcHBlbi4KKyAgICAgICAgMi4gSklURGF0 YTo6bV9jYWxsZWVTYXZlUmVnaXN0ZXJzIGlzIGZpbGxlZCBvbmx5IGZvciBERkcgYW5kIEZUTCBD b2RlQmxvY2suIEFuZCBERkcgYW5kIEZUTCBjb2RlIGFjY2Vzc2VzIHRoZXNlIGZpZWxkIGFmdGVy IGluaXRpYWxpemluZyBwcm9wZXJseS4gRm9yIEJhc2VsaW5lIEpJVAorICAgICAgICAgICBjb21w aWxlciBjYXNlLCBvbmx5IHRoaW5nIHdlIHNob3VsZCBkbyBpcyB0aGF0IEpJVERhdGEgc2hvdWxk IHNheSBtX2NhbGxlZVNhdmVSZWdpc3RlcnMgaXMgbnVsbHB0ciBhbmQgaXQgd29uJ3QgYmUgZmls bGVkIGZvciB0aGlzIENvZGVCbG9jay4KKworICAgICAgICBJbnN0ZWFkIG9mIGd1YXJkaW5nIENv ZGVCbG9jazo6Y2FsbGVlU2F2ZVJlZ2lzdGVycygpIGZ1bmN0aW9uIHdpdGggQ29kZUJsb2NrOjpt X2xvY2ssIHRoaXMgcGF0Y2ggaW5zZXJ0cyBXVEY6OnN0b3JlU3RvcmVGZW5jZSB3aGVuIGZpbGxp bmcgbV9qaXREYXRhLiBUaGlzIGVuc3VyZXMgdGhhdAorICAgICAgICBKSVREYXRhOjptX2NhbGxl ZVNhdmVSZWdpc3RlcnMgaXMgaW5pdGlhbGl6ZWQgd2l0aCBudWxscHRyIHdoZW4gdGhpcyBKSVRE YXRhIHBvaW50ZXIgaXMgZXhwb3NlZCB0byBjb25jdXJyZW50IEJhc2VsaW5lIEpJVCBjb21waWxl ciB0aHJlYWQuCisKKyAgICAgICAgKiBieXRlY29kZS9Db2RlQmxvY2suY3BwOgorICAgICAgICAo SlNDOjpDb2RlQmxvY2s6OmVuc3VyZUpJVERhdGFTbG93KToKKwogMjAxOS0wOS0xMCAgWXVzdWtl IFN1enVraSAgPHlzdXp1a2lAYXBwbGUuY29tPgogCiAgICAgICAgIFtKU0NdIFJlc3VsdFR5cGUg aW1wbGVtZW50YXRpb24gaXMgd3JvbmcgZm9yIGJpdCBvcHMsIGFuZCBlbmRzIHVwIG1ha2luZyBB cml0aERpdiB0YWtlIHRoZSBERkcgSW50MzIgZmFzdCBwYXRoIGV2ZW4gaWYgQmFzZWxpbmUgY29u c3RhbnRseSBwcm9kdWNlcyBEb3VibGUgcmVzdWx0CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNj cmlwdENvcmUvYnl0ZWNvZGUvQ29kZUJsb2NrLmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9i eXRlY29kZS9Db2RlQmxvY2suY3BwCmluZGV4IGYxODIyNmJkZTY4OGJiZjZlYTYyN2VjNmVkNGNm YmIxMTZlZTM4YmEuLjEzODJmNjljYjU4NmU3MGQ0NzE5NjkwZmRjM2M5NTcyYWU5MTQ4ZTIgMTAw NjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9Db2RlQmxvY2suY3BwCisr KyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9Db2RlQmxvY2suY3BwCkBAIC0xMzQ0 LDcgKzEzNDQsMTEgQEAgdm9pZCBDb2RlQmxvY2s6OmZpbmFsaXplTExJbnRJbmxpbmVDYWNoZXMo KQogQ29kZUJsb2NrOjpKSVREYXRhJiBDb2RlQmxvY2s6OmVuc3VyZUpJVERhdGFTbG93KGNvbnN0 IENvbmN1cnJlbnRKU0xvY2tlciYpCiB7CiAgICAgQVNTRVJUKCFtX2ppdERhdGEpOwotICAgIG1f aml0RGF0YSA9IG1ha2VVbmlxdWU8SklURGF0YT4oKTsKKyAgICBhdXRvIGppdERhdGEgPSBtYWtl VW5pcXVlPEpJVERhdGE+KCk7CisgICAgLy8gY2FsbGVlU2F2ZVJlZ2lzdGVycygpIGNhbiBhY2Nl c3MgbV9qaXREYXRhIHdpdGhvdXQgdGFraW5nIGEgbG9jayBmcm9tIEJhc2VsaW5lIEpJVC4gVGhp cyBpcyBPSyBzaW5jZSBKSVREYXRhOjptX2NhbGxlZVNhdmVSZWdpc3RlcnMgaXMgZmlsbGVkIGlu IERGRyBhbmQgRlRMIENvZGVCbG9ja3MuCisgICAgLy8gQnV0IHdlIHNob3VsZCBub3Qgc2VlIGdh cmJhZ2UgcG9pbnRlciBpbiB0aGF0IGNhc2UuIFdlIGVuc3VyZSBKSVREYXRhOjptX2NhbGxlZVNh dmVSZWdpc3RlcnMgaXMgaW5pdGlhbGl6ZWQgYXMgbnVsbHB0ciBiZWZvcmUgZXhwb3NpbmcgaXQg dG8gQmFzZWxpbmVKSVQgYnkgc3RvcmUtc3RvcmUtZmVuY2UuCisgICAgV1RGOjpzdG9yZVN0b3Jl RmVuY2UoKTsKKyAgICBtX2ppdERhdGEgPSBXVEZNb3ZlKGppdERhdGEpOwogICAgIHJldHVybiAq bV9qaXREYXRhOwogfQogCg==