Bug 119440

Summary: REGRESSION(r153612): It made jsc and layout tests crash
Product: WebKit
Reporter: Csaba Osztrogonác <ossy>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: abrhm, barraclough, commit-queue, fpizlo, ggaren, jbriance, kadam, mark.lam, mhahnenberg, msaboff, oliver, ossy, zarvai
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 119140
Attachments:
Patch (flags: none)

Description Csaba Osztrogonác 2013-08-02 05:41:36 PDT
After http://trac.webkit.org/changeset/153612 jsc and layout tests
started to crash on 64 bit in debug mode (at least on Qt).

Here is a GDB backtrace on r153636:

 gdb --args ../../../../WebKitBuild/Debug/bin/jsc -s  -f ./ecma/shell.js -f ./ecma/Boolean/15.6.4.2-4-n.js
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/webkitbuildbot/oszi/WebKit/WebKitBuild/Debug/bin/jsc...done.
(gdb) run
Starting program: /home/webkitbuildbot/oszi/WebKit/WebKitBuild/Debug/bin/jsc -s -f ./ecma/shell.js -f ./ecma/Boolean/15.6.4.2-4-n.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffb4309700 (LWP 29393)]
[New Thread 0x7fffb3ae9700 (LWP 29394)]
[New Thread 0x7fffb32e8700 (LWP 29395)]
[New Thread 0x7fffb2ae7700 (LWP 29396)]
[New Thread 0x7fffb22e6700 (LWP 29397)]
[New Thread 0x7fffb1ae5700 (LWP 29398)]
[New Thread 0x7fffb12e4700 (LWP 29399)]
15.6.4.2-4-n Boolean.prototype.toString()

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb06e4160 in ?? ()
(gdb) bt
#0  0x00007fffb06e4160 in ?? ()
#1  0x00007fffffffb550 in ?? ()
#2  0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#3  0x00000000006a0682 in JSC::JITCode::execute (this=0x1024bb0, stack=0xff2668, callFrame=0x7fffb06e4160, vm=0xfe1730)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#4  0x000000000068c9e3 in JSC::Interpreter::execute (this=0xff2650, eval=0x7ffff7e3fdf0, callFrame=0x7fffb06e4108, thisValue=..., scope=0x7fffb05fffc8)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1208
#5  0x0000000000687609 in JSC::eval (callFrame=0x7fffb06e4108) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:148
#6  0x00000000006dace6 in JSC::LLInt::llint_slow_path_call_eval (exec=0x7fffb06e40a0, pc=0x1026fc8)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1109
#7  0x0000000000ab5737 in llint_op_call_eval ()
#8  0x00007fffffffca80 in ?? ()
#9  0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#10 0x00000000006a0682 in JSC::JITCode::execute (this=0x101c760, stack=0xff2668, callFrame=0x7fffb06e4058, vm=0xfe1730)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#11 0x000000000068af4f in JSC::Interpreter::execute (this=0xff2650, program=0x7ffff7e3fe70, callFrame=0x7ffff7f7f8e0, thisObj=0x7ffff7e7feb0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:856
#12 0x00000000007728fd in JSC::evaluate (exec=0x7ffff7f7f8e0, source=..., thisValue=..., returnedException=0x7fffffffe080)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83
#13 0x000000000040ff8c in runWithScripts (globalObject=0x7ffff7f7f870, scripts=..., dump=false)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:596
#14 0x0000000000410c97 in jscmain (argc=6, argv=0x7fffffffe348) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:812
#15 0x000000000040fd68 in main (argc=6, argv=0x7fffffffe348) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:554
(gdb)
Comment 2 Csaba Osztrogonác 2013-08-02 05:47:53 PDT
+info:
  - pass with disabled JIT
  - fail with enabled JIT + enabled DFG JIT
  - fail with enabled JIT + disabled DFG JIT
Comment 3 Csaba Osztrogonác 2013-08-02 06:01:32 PDT
Some related disassembly:

00000000006c4023 <cti_vm_throw_slowpath>:
  6c4023:       55                      push   %rbp
  6c4024:       48 89 e5                mov    %rsp,%rbp
  6c4027:       48 83 ec 40             sub    $0x40,%rsp
  6c402b:       48 89 7d d8             mov    %rdi,-0x28(%rbp)
  6c402f:       48 8b 45 d8             mov    -0x28(%rbp),%rax
  6c4033:       48 89 c7                mov    %rax,%rdi
  6c4036:       e8 63 2a d9 ff          callq  456a9e <JSC::ExecState::codeBlock() const>
  6c403b:       48 89 c7                mov    %rax,%rdi
  6c403e:       e8 ab 02 dc ff          callq  4842ee <JSC::CodeBlock::vm()>
  6c4043:       48 89 45 f8             mov    %rax,-0x8(%rbp)
  6c4047:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  6c404b:       48 8b 55 d8             mov    -0x28(%rbp),%rdx
  6c404f:       48 89 90 80 90 00 00    mov    %rdx,0x9080(%rax)
  6c4056:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  6c405a:       48 8b 90 50 aa 00 00    mov    0xaa50(%rax),%rdx
  6c4061:       48 8b 4d d8             mov    -0x28(%rbp),%rcx
  6c4065:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  6c4069:       48 89 ce                mov    %rcx,%rsi
  6c406c:       48 89 c7                mov    %rax,%rdi
  6c406f:       e8 4b 5b fe ff          callq  6a9bbf <JSC::jitThrowNew(JSC::VM*, JSC::ExecState*, JSC::JSValue)>
  6c4074:       48 89 c1                mov    %rax,%rcx
  6c4077:       48 89 d0                mov    %rdx,%rax
  6c407a:       48 89 4d c0             mov    %rcx,-0x40(%rbp)
  6c407e:       48 89 45 c8             mov    %rax,-0x38(%rbp)
  6c4082:       48 8b 45 c0             mov    -0x40(%rbp),%rax
  6c4086:       48 89 45 e0             mov    %rax,-0x20(%rbp)
  6c408a:       48 8b 45 c8             mov    -0x38(%rbp),%rax
  6c408e:       48 89 45 e8             mov    %rax,-0x18(%rbp)
  6c4092:       48 8b 55 e0             mov    -0x20(%rbp),%rdx
  6c4096:       48 8b 45 e8             mov    -0x18(%rbp),%rax
  6c409a:       48 89 d7                mov    %rdx,%rdi
  6c409d:       48 89 c6                mov    %rax,%rsi
  6c40a0:       e8 33 59 fe ff          callq  6a99d8 <JSC::encode(JSC::ExceptionHandler)>
  6c40a5:       c9                      leaveq
  6c40a6:       c3                      retq


00000000006a99d8 <JSC::encode(JSC::ExceptionHandler)>:
  6a99d8:       55                      push   %rbp
  6a99d9:       48 89 e5                mov    %rsp,%rbp
  6a99dc:       48 89 fa                mov    %rdi,%rdx
  6a99df:       48 89 f0                mov    %rsi,%rax
  6a99e2:       48 89 55 e0             mov    %rdx,-0x20(%rbp)
  6a99e6:       48 89 45 e8             mov    %rax,-0x18(%rbp)
  6a99ea:       48 8b 45 e0             mov    -0x20(%rbp),%rax
  6a99ee:       48 89 45 f0             mov    %rax,-0x10(%rbp)
  6a99f2:       48 8b 45 e8             mov    -0x18(%rbp),%rax
  6a99f6:       48 89 45 f8             mov    %rax,-0x8(%rbp)
  6a99fa:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  6a99fe:       5d                      pop    %rbp
  6a99ff:       c3                      retq


00000000006bc3fa <ctiVMThrowTrampolineSlowpath>:
  6bc3fa:       4c 89 ef                mov    %r13,%rdi
  6bc3fd:       e8 21 7c 00 00          callq  6c4023 <cti_vm_throw_slowpath>
  6bc402:       ff e2                   jmpq   *%rdx
Comment 4 Michael Saboff 2013-08-02 06:36:59 PDT
*** Bug 119441 has been marked as a duplicate of this bug. ***
Comment 5 Michael Saboff 2013-08-02 06:38:33 PDT
Created attachment 208008 [details]
Patch
Comment 6 Julien Brianceau 2013-08-02 06:48:47 PDT
LGTM:
- run-javascriptcore-tests is OK on X86 64-bit release build
- run-javascriptcore-tests is OK on X86 64-bit debug build
- run-javascriptcore-tests is OK on X86 32-bit release build
- run-javascriptcore-tests is OK on X86 32-bit debug build
Comment 7 Csaba Osztrogonác 2013-08-02 06:50:13 PDT
Comment on attachment 208008 [details]
Patch

LGTM, r=me.
Comment 8 WebKit Commit Bot 2013-08-02 07:44:55 PDT
Comment on attachment 208008 [details]
Patch

Clearing flags on attachment: 208008

Committed r153646: <http://trac.webkit.org/changeset/153646>
Comment 9 WebKit Commit Bot 2013-08-02 07:44:58 PDT
All reviewed patches have been landed.  Closing bug.