Bug 112609

Summary: EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: ossy, rniwa, tmpsantos, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on: 112380, 112680
Bug Blocks:

Michael Saboff
Reported 2013-03-18 12:40:52 PDT
After change set r145931 <http://trac.webkit.org/changeset/145931> was landed for https://bugs.webkit.org/show_bug.cgi?id=112380, the following assert failure started happening:

crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ERROR: Thread name "com.apple.WebKit.ProcessLauncher" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ERROR: Thread name "com.apple.WebKit.EventDispatcher" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ERROR: Thread name "com.apple.WebKit.PluginProcessConnectionManager" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 496 in jump offset range 496..524
STDERR: !(low <= m_offset && m_offset <= high)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(704) : void JSC::AbstractMacroAssembler<AssemblerType>::RegisterAllocationOffset::check(unsigned int, unsigned int) [with AssemblerType = JSC::X86Assembler]
STDERR: 1 0x7fe38a9e5180 JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int)
STDERR: 2 0x7fe38a9e46f4 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int)
STDERR: 3 0x7fe38a9e42e2 JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const
STDERR: 4 0x7fe38aa71d63 JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray(JSC::TypedArrayDescriptor const&, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID, JSC::DFG::Node*, unsigned long)
STDERR: 5 0x7fe38aa9cac9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
STDERR: 6 0x7fe38aa6d0e7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
STDERR: 7 0x7fe38aa6d84f JSC::DFG::SpeculativeJIT::compile()
STDERR: 8 0x7fe38aa3a0f8 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
STDERR: 9 0x7fe38aa3b325 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
STDERR: 10 0x7fe38aa298f8 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
STDERR: 11 0x7fe38aa2917c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
STDERR: 12 0x7fe38abe4997 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
STDERR: 13 0x7fe38abe4c8c JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
STDERR: 14 0x7fe38abe2e9a JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
STDERR: 15 0x7fe38abe2617 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 16 0x7fe38a938a7d JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
STDERR: 17 0x7fe38a932766 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 18 0x7fe38ab38a7e
STDERR: 19 0x7fe38ab35ab8
STDERR: 20 0x7fe33d45c058
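The assertion in the log comes from a debug-only consistency check in the DFG's macro assembler: every register allocation records the instruction offset at which it happened, and when a jump is linked the assembler verifies that no allocation falls inside the range spanned by the jump. The reason is that allocating a register mid-stream may emit spill or fill code; if a branch jumps over that code, one path through the generated code has spilled the register and the other has not, so the two paths disagree about machine state at the join point. The model below is an added illustration and not JavaScriptCore's code; the class and function names (`BranchRangeChecker`, `checkJump`, the scenario helpers) are hypothetical, and only the failing condition `!(low <= m_offset && m_offset <= high)` and the offsets 496 and 496..524 are taken from the log above. The "safe" scenario shows the general remedy of allocating temporaries before the branch is emitted; the page does not show what the landed patch actually changed.

```cpp
// Added illustration, not JavaScriptCore code: a minimal model of the
// "unsafe branch over register allocation" debug check seen in the log.
#include <algorithm>
#include <vector>

// One recorded register allocation at a given instruction offset (model).
struct RegisterAllocationOffset {
    unsigned offset;
    // Mirrors the failing condition from the log:
    //   !(low <= m_offset && m_offset <= high)
    bool insideRange(unsigned low, unsigned high) const {
        return low <= offset && offset <= high;
    }
};

// Stand-in for the assembler's bookkeeping (hypothetical names).
class BranchRangeChecker {
public:
    // Called whenever code generation allocates a register; records where.
    void recordRegisterAllocation(unsigned instructionOffset) {
        m_allocations.push_back({instructionOffset});
    }

    // Called when a jump emitted at jumpOffset is linked to a label at
    // targetOffset (either direction). Returns the offset of the first
    // allocation the branch would skip, or -1 if the branch is safe.
    int checkJump(unsigned jumpOffset, unsigned targetOffset) const {
        unsigned low = std::min(jumpOffset, targetOffset);
        unsigned high = std::max(jumpOffset, targetOffset);
        for (const RegisterAllocationOffset& a : m_allocations) {
            if (a.insideRange(low, high))
                return static_cast<int>(a.offset);
        }
        return -1;
    }

private:
    std::vector<RegisterAllocationOffset> m_allocations;
};

// Scenario matching the assertion message: a branch emitted at offset 496
// is later linked to offset 524, and a register was allocated at 496,
// i.e. after the branch was emitted but before its target label.
int unsafeScenario() {
    BranchRangeChecker checker;
    checker.recordRegisterAllocation(496);  // temporary allocated inside the jump range
    return checker.checkJump(496, 524);     // returns 496: the branch skips the allocation
}

// The safe ordering: allocate every temporary the code path needs before
// emitting the branch, so nothing lands inside [496, 524].
int safeScenario() {
    BranchRangeChecker checker;
    checker.recordRegisterAllocation(480);  // allocated before the branch is emitted
    return checker.checkJump(496, 524);     // returns -1: range contains no allocation
}
```

Both ends of the range are inclusive, which is why an allocation at exactly the branch's own offset (496 here) is flagged: the allocation's spill code is emitted after the jump instruction, so the jump still bypasses it.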
Attachments:
Patch (11.06 KB, patch), 2013-03-18 18:51 PDT, Michael Saboff, no flags
Michael Saboff
Comment 1 2013-03-18 18:51:32 PDT
Geoffrey Garen
Comment 2 2013-03-18 19:57:23 PDT
Comment on attachment 193714 [details]: Patch

r=me
WebKit Review Bot
Comment 3 2013-03-18 20:25:14 PDT
Comment on attachment 193714 [details]: Patch

Clearing flags on attachment: 193714

Committed r146174: <http://trac.webkit.org/changeset/146174>
WebKit Review Bot
Comment 4 2013-03-18 20:25:17 PDT
All reviewed patches have been landed. Closing bug.
Ryosuke Niwa
Comment 6 2013-03-18 21:33:58 PDT
Comment on attachment 193714 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> + GPRReg resultGPR - result.gpr();

We're seeing a build failure on this line.
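Review bot: the quoted line `+ GPRReg resultGPR - result.gpr();` is a typo for an initializer, the `-` should be `=`, i.e. `GPRReg resultGPR = result.gpr();`. As written it is not a declaration, so `resultGPR` never enters scope and the later use at DFGSpeculativeJIT32_64.cpp:2327 fails to compile; the 64-bit build does not hit this because the line lives only in the 32_64 file.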
Ryosuke Niwa
Comment 7 2013-03-18 21:34:41 PDT
http://build.webkit.org/builders/EFL%20Linux%2032-bit%20Release%20%28Build%29/builds/15966/steps/compile-webkit/logs/stdio

/mnt/buildbot/efl-linux-slave-3/efl-linux-32-release/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp: In member function 'void JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)':
/mnt/buildbot/efl-linux-slave-3/efl-linux-32-release/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324:30: error: expected initializer before '-' token
/mnt/buildbot/efl-linux-slave-3/efl-linux-32-release/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2327:32: error: 'resultGPR' was not declared in this scope
make[2]: *** [Source/JavaScriptCore/CMakeFiles/javascriptcore_efl.dir/dfg/DFGSpeculativeJIT32_64.cpp.o] Error 1
Michael Saboff
Comment 8 2013-03-18 21:35:50 PDT
(In reply to comment #6)
> (From update of attachment 193714 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review
>
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> > + GPRReg resultGPR - result.gpr();
>
> We're seeing a build failure on this line.

I thought I fixed that. Probably in my build, but not in the patch. Doh! Fixing now.
Michael Saboff
Comment 9 2013-03-18 21:45:34 PDT
(In reply to comment #8)
> (In reply to comment #6)
> > (From update of attachment 193714 [details] [details])
> > View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review
> >
> > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> > > + GPRReg resultGPR - result.gpr();
> >
> > We're seeing a build failure on this line.
>
> I thought I fixed that. Probably in my build, but not in the patch. Doh! Fixing now.

Fix landed in change set r146178 <https://trac.webkit.org/changeset/146178>
Csaba Osztrogonác
Comment 10 2013-03-19 04:14:47 PDT
It caused a regression on 32 bit, here is the new bug report for it: https://bugs.webkit.org/show_bug.cgi?id=112680