Bug 114018

Summary: Crash due to an assertion in AbstractMacroAssembler.h
Product: WebKit Reporter: Carlos Garcia Campos <cgarcia>
Component: JavaScriptCore    Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: alp, commit-queue, ctruta, fpizlo, ggaren, mark.lam, oliver, ossy, rgabor, zherczeg
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Carlos Garcia Campos
Reported 2013-04-05 03:24:32 PDT
Program terminated with signal 11, Segmentation fault.
#0  0x04eaf128 in JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::TrustedImmPtr::TrustedImmPtr (this=0x77feeba0, value=2) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:187
187         ASSERT_UNUSED(value, !value);
(gdb) bt
#0  0x04eaf128 in JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::TrustedImmPtr::TrustedImmPtr (this=0x77feeba0, value=2) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:187
#1  0x04f07b00 in JSC::DFG::SpeculativeJIT::callOperation (this=0x77feec28, operation=0x4eb07b9 <JSC::DFG::operationCreateThis(JSC::ExecState*, JSC::JSObject*, std::int32_t)>, result=JSC::ARMRegisters::r1, object=JSC::ARMRegisters::r0, size=2) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:1274
#2  0x04f133ac in JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator<JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::JumpList, JSC::JSCell* (*)(JSC::ExecState*, JSC::JSObject*, int), JSC::ARMRegisters::RegisterID, JSC::ARMRegisters::RegisterID, unsigned int>::generateInternal (this=0x76839ea8, jit=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:218
#3  0x04edf1f2 in JSC::DFG::SlowPathGenerator::generate (this=0x76839ea8, jit=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:56
#4  0x04ec8dd0 in JSC::DFG::SpeculativeJIT::runSlowPathGenerators (this=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:355
#5  0x04e9e1fa in JSC::DFG::JITCompiler::compileFunction (this=0x77feff98, entry=..., entryWithArityCheck=...) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:342
#6  0x04e8f70e in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fb00af8, codeBlock=0x7678ba30, jitCode=..., jitCodeWithArityCheck=0x77151788, osrEntryBytecodeIndex=0) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#7  0x04e8ef94 in JSC::DFG::tryCompileFunction (exec=0x7fb00af8, codeBlock=0x7678ba30, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
#8  0x050121b0 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fb00af8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITDriver.h:95
#9  0x050123ba in JSC::prepareFunctionForExecution (exec=0x7fb00af8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, kind=JSC::CodeForConstruct) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#10 0x05010ca6 in JSC::FunctionExecutable::compileForConstructInternal (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.cpp:574
#11 0x0501056e in JSC::FunctionExecutable::compileOptimizedForConstruct (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.cpp:474
#12 0x04dbedcc in JSC::FunctionExecutable::compileOptimizedFor (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0, kind=JSC::CodeForConstruct) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.h:680
#13 0x04db8c80 in JSC::FunctionCodeBlock::compileOptimized (this=0x775b0400, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2879
#14 0x04f859e6 in JSC::JITStubThunked_optimize (args=0x77ff0530) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1912
#15 0x04f85920 in cti_optimize () at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1843
#16 0x04f83190 in JSC::tryCacheGetByID (callFrame=0x77ff05e0, codeBlock=0x76d5c86c, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x0) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1009
#17 0x00000000 in ?? ()

The problem seems to be that TrustedImmPtr is called for an int32_t and the TrustedImmPtr that receives an int is called, which only expects a 0.
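The overload-resolution trap the report describes, as an added example: this is constructed for this page and is not JavaScriptCore's code. It models a TrustedImmPtr with the three constructors named in the thread (pointer, size_t, and an int constructor whose only legitimate argument is the literal 0) plus a TrustedImm32, and replaces WTF's ASSERT_UNUSED with a counter so the failure can be inspected rather than aborting. It assumes int32_t is int on the platform and that the int constructor stores a null pointer; both are assumptions of the mock, not facts taken from JSC's headers.

```cpp
// Added example, not JavaScriptCore's code: a small model of the TrustedImmPtr
// overload set described in this bug, to show why passing an int32_t picks the
// int constructor (the null-pointer-only one) and why TrustedImm32 is the right type.
// Assumptions: int32_t is int on this platform; the int ctor stores a null pointer
// and only checks its argument with an assertion, as the report's ASSERT_UNUSED shows.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iostream>

namespace mock {

// Stand-in for WTF's ASSERT_UNUSED: counts failures instead of aborting so the
// outcome can be inspected. In a release build the real macro compiles to nothing.
static int g_assertionFailures = 0;
inline void assertLike(bool cond) { if (!cond) ++g_assertionFailures; }

enum Ctor { kPtrCtor, kSizeTCtor, kIntCtor };

struct TrustedImmPtr {
    const void* m_value;
    Ctor m_ctor;   // diagnostic only: records which overload the compiler picked

    explicit TrustedImmPtr(const void* value) : m_value(value), m_ctor(kPtrCtor) {}
    explicit TrustedImmPtr(size_t value)
        : m_value(reinterpret_cast<const void*>(value)), m_ctor(kSizeTCtor) {}
    // Exists so that the literal 0 can be written for "null pointer"; any other
    // int is a programming error that only a debug build notices.
    explicit TrustedImmPtr(int value) : m_value(nullptr), m_ctor(kIntCtor) {
        assertLike(!value);
    }
};

struct TrustedImm32 {
    int32_t m_value;
    explicit TrustedImm32(int32_t value) : m_value(value) {}
};

// The crashing call shape: an int32_t `size` wrapped in TrustedImmPtr.
// int32_t is an exact match for the int ctor, so that is the one selected.
Ctor overloadForInt32(int32_t size) { return TrustedImmPtr(size).m_ctor; }

// The first patch's shape: the cast steers overload resolution to the size_t
// ctor, so no assertion fires, but the argument is still typed as pointer-width.
Ctor overloadForSizeT(int32_t size) { return TrustedImmPtr(static_cast<size_t>(size)).m_ctor; }

// What a build with the assertion compiled out would hand the callee via the int path.
int32_t sizeSeenViaImmPtr(int32_t size) {
    TrustedImmPtr imm(size);
    return static_cast<int32_t>(reinterpret_cast<uintptr_t>(imm.m_value));
}

// The landed fix's shape: TrustedImm32 carries the int32_t the callee expects.
int32_t sizeSeenViaImm32(int32_t size) { return TrustedImm32(size).m_value; }

// Number of assertion failures the int path records for a given size.
int assertionFailuresFor(int32_t size) {
    g_assertionFailures = 0;
    TrustedImmPtr imm(size);
    (void)imm;
    return g_assertionFailures;
}

} // namespace mock

int main() {
    const int32_t size = 2;   // the value shown in the crash's frame #0
    std::cout << "int32_t picks ctor " << mock::overloadForInt32(size) << " (2 = int ctor)\n";
    std::cout << "assertion failures: " << mock::assertionFailuresFor(size) << "\n";
    std::cout << "size via TrustedImmPtr(int): " << mock::sizeSeenViaImmPtr(size) << "\n";
    std::cout << "size via TrustedImm32: " << mock::sizeSeenViaImm32(size) << "\n";
    return 0;
}
```

The point for a practitioner is the last two functions: the assertion is the only thing separating "null-pointer literal" from "an integer I meant to pass", and once it is compiled out the int path silently substitutes 0 for the size the callee (operationCreateThis, whose third parameter is int32_t in the backtrace) was supposed to receive. A cast to size_t makes the assertion go away by choosing a different constructor, whereas TrustedImm32 makes the immediate's type agree with the callee's parameter, which is the property worth preserving.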
Attachments

Patch (2.20 KB, patch)
2013-04-05 03:28 PDT, Carlos Garcia Campos
no flags

Updated patch to use TrustedImm32 (1.99 KB, patch)
2013-05-20 02:40 PDT, Carlos Garcia Campos
bfulgham: review+
commit-queue: commit-queue-
Carlos Garcia Campos
Comment 1 2013-04-05 03:28:32 PDT
Alp Toker
Comment 2 2013-04-06 10:37:02 PDT
The fix looks correct. I wonder if it'd be more maintainable to remove the explicit TrustedImmPtr(size_t value) ctor syntactic sugar and require the caller to cast from size_t where needed?
Carlos Garcia Campos
Comment 3 2013-05-17 05:26:49 PDT
Ping. Could someone review this, please?
Filip Pizlo
Comment 4 2013-05-17 09:25:46 PDT
Comment on attachment 196610: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=196610&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:906
> - m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(size));
> + m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(static_cast<size_t>(size)));

Wouldn't it be better to just change this to use TrustedImm32?

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:1303
> - m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(size));
> + m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(static_cast<size_t>(size)));

Ditto.
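Review bot: the static_cast<size_t> in both hunks (DFGSpeculativeJIT.h:906 and :1303) only steers overload resolution to the size_t constructor; it stops the assertion but leaves an int32_t being passed as a pointer-sized immediate, while the callee in the backtrace, operationCreateThis(JSC::ExecState*, JSC::JSObject*, std::int32_t), takes an int32_t. Passing TrustedImm32(size) in both places makes the immediate's type match the parameter instead of working around the TrustedImmPtr(int) null-only constructor, and the two hunks are identical so the same change should land in both.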
Carlos Garcia Campos
Comment 5 2013-05-20 02:40:41 PDT
Created attachment 202265: Updated patch to use TrustedImm32
Brent Fulgham
Comment 6 2013-10-30 10:34:14 PDT
Comment on attachment 202265: Updated patch to use TrustedImm32
r=me
WebKit Commit Bot
Comment 7 2013-10-30 10:48:15 PDT
Comment on attachment 202265: Updated patch to use TrustedImm32

Rejecting attachment 202265 from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.appspot.com', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 202265, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Parsed 2 diffs from patch file(s).
patching file Source/JavaScriptCore/ChangeLog
Hunk #1 succeeded at 1 with fuzz 3.
patching file Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Hunk #1 FAILED at 903.
1 out of 1 hunk FAILED -- saving rejects to file Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h.rej

Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force', '--reviewer', u'Brent Fulgham']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Full output: http://webkit-queues.appspot.com/results/17068251