86335 2012-05-13 22:41:23 -0700 Calling convetion errors in DFG JIT with thumb2 2012-05-13 22:48:15 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Other Linux RESOLVED DUPLICATE 84449 P2 Critical --- 0 hojong.han webkit-unassigned barraclough fpizlo ggaren oldest_to_newest 622664 0 hojong.han 2012-05-13 22:41:23 -0700 There's a crash occured right after running SunSpider benchmark. Here's logs below. DFG compiling code block 0x4803b7d8(0x48045958), number of instructions = 33. Parsing code block 0x4803b7d8. codeType = FunctionCode, numCapturedVars = 0, needsFullScopeChain = false, needsActivation = false, isStrictMode = false Parsing bytecode with limit 0x4782fba0 bc#33 at inline depth 1. Creating basic block 0x4803bca0, #0 for 0x4782fba0 bc#0 at inline depth 1. Lazy operand [@4, bc#1, r-7] prediction: None Lazy operand [@8, bc#6, r-8] prediction: None Lazy operand [@10, bc#9, r-9] prediction: None Lazy operand [@12, bc#12, r-10] prediction: None Slow case count for PutById @18 bc#22: 222; exit profile: 0 Marking basic block 0x4803bca0 as linked. Argument [0] prediction: Other Argument [1] prediction: Int Argument [2] prediction: Int Argument [3] prediction: Int Preserved vars: ------------------------------- Num callee registers: 5 Graph after optimization: Block #0 (bc#0): vars before: (Top, TOP) (Int, []) (Int, []) (Int, []) : (None, []) (None, []) (None, []) (None, []) (None, []) var links: @0 @1 @2 @3 : - - - - - 0: < 1:-> SetArgument(arg0(A)) predicting Other, double ratio 0.000000 1: < 1:-> SetArgument(arg1(B)) predicting Int, double ratio 0.000000 2: < 1:-> SetArgument(arg2(C)) predicting Int, double ratio 0.000000 3: < 1:-> SetArgument(arg3(D)) predicting Int, double ratio 0.000000 4: < 1:0> GetLocal(@0, arg0(A)) predicting Other, double ratio 0.000000 5: < 1:0> ConvertThis(@4) 6: skipped < 0:-> SetLocal(@5, arg0(E)) 7: skipped < 0:-> SetLocal(@5, r0(F)) 8: < 1:1> GetLocal(@1, arg1(B)) predicting Int, double ratio 0.000000 9: skipped < 0:-> SetLocal(@8, r1(G)) 10: < 1:2> GetLocal(@2, arg2(C)) predicting Int, double ratio 0.000000 11: skipped < 0:-> SetLocal(@10, r2(H)) 12: < 1:3> GetLocal(@3, arg3(D)) predicting Int, double ratio 0.000000 13: skipped < 0:-> SetLocal(@12, r3(I)) 14: < 1:4> JSConstant($0 = Int32: 1) 15: skipped < 0:-> SetLocal(@14, r4(J)) 16: < 1:4> NewArray(@8, @10, @12, @14) 17: skipped < 0:-> SetLocal(@16, r1(K)) 18: <!0:-> PutById(@5, @16, id0{V}) 19: < 1:4> JSConstant($1 = Undefined) 20: <!0:-> Return(@19) vars after: (None, []) (None, []) (None, []) (None, []) : (None, []) (None, []) (None, []) (None, []) (None, []) SpeculativeJIT generating Node @0 (bc#0) at JIT offset 0x8a SpeculativeJIT generating Node @1 (bc#0) at JIT offset 0x8a SpeculativeJIT generating Node @2 (bc#0) at JIT offset 0x8a SpeculativeJIT generating Node @3 (bc#0) at JIT offset 0x8a SpeculativeJIT generating Node @4 (bc#1) at JIT offset 0x8a GetLocal > format(8) -> JS, vr#0, r1 r0 SpeculativeJIT generating Node @5 (bc#1) at JIT offset 0x92 ConvertThis > isOtherPrediction -> Cell, vr#0, r2 SpeculativeJIT skipping Node @6 (bc#1) at JIT offset 0xb0 SpeculativeJIT skipping Node @7 (bc#3) at JIT offset 0xb0 SpeculativeJIT generating Node @8 (bc#6) at JIT offset 0xb0 -> Integer, vr#1, r4 SpeculativeJIT skipping Node @9 (bc#6) at JIT offset 0xb4 SpeculativeJIT generating Node @10 (bc#9) at JIT offset 0xb4 -> Integer, vr#2, r7 SpeculativeJIT skipping Node @11 (bc#9) at JIT offset 0xb8 SpeculativeJIT generating Node @12 (bc#12) at JIT offset 0xb8 -> Integer, vr#3, r8 SpeculativeJIT skipping Node @13 (bc#12) at JIT offset 0xbc SpeculativeJIT generating Node @14 (bc#15) at JIT offset 0xbc -> None, vr#4 SpeculativeJIT skipping Node @15 (bc#15) at JIT offset 0xbc SpeculativeJIT generating Node @16 (bc#18) at JIT offset 0xbc -> Cell, vr#4, r0 SpeculativeJIT skipping Node @17 (bc#18) at JIT offset 0x168 SpeculativeJIT generating Node @18 (bc#22) at JIT offset 0x168 SpecCell@5 SpeculativeJIT generating Node @19 (bc#31) at JIT offset 0x1ec -> None, vr#4 SpeculativeJIT generating Node @20 (bc#31) at JIT offset 0x1ec JIT code for 0x4803b7d8 start at [0x47706d00, 0x47706f88). Size = 648. ============================================================================================================= Breakpoint 1, JSC::DFG::operationPutByIdNonStrictOptimizeWithReturnAddress (exec=0x49e630e8, encodedValue=0x4776f2c0fffffffb, base=0x48007790, propertyName=0x47706e99, returnAddress=...) (gdb) i r r0 0x49e630e8 1239822568 <-- exec r1 0x477565a0 1198876064 <-- payload of encodedValue r2 0xfffffffb 4294967291 <-- tag of encodedValue r3 0x4776f2c0 1198977728 <-- base r4 0x0 0 r5 0x49e630e8 1239822568 r6 0xe9 233 r7 0x4776f2c0 1198977728 r8 0x0 0 r9 0x4776f2c0 1198977728 r10 0xffffffff 4294967295 r11 0xffffffff 4294967295 r12 0x4154b299 1096069785 sp 0xbeffe5f0 0xbeffe5f0 lr 0x47706e99 1198550681 pc 0x4154b29e 0x4154b29e cpsr 0x60000030 1610612784 ============================================================================================================= I think there is not any problem in register values. but argument values used in "operationPutByIdNonStrictOptimizeWithReturnAddress" are something wrong. According to ARM calling convention, if one of the parameters is 64 bits long, then either r0 and r1 or r2 and r3 will be used - but not r1 and r2. Is there any other step to gratify this convention? 622667 1 fpizlo 2012-05-13 22:48:15 -0700 *** This bug has been marked as a duplicate of bug 84449 ***