Bug 132738

Summary: REGRESSION(r167094): JSC crashes on ARM Traditional
Product: WebKit
Reporter: Csaba Osztrogonác <ossy>
Component: New Bugs
Assignee: Martin Hodovan <mhodovan.u-szeged>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, mark.lam, msaboff, ossy, zherczeg
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 108645, 131205

Attachments:
Proposed patch (flags: none)

Description Csaba Osztrogonác 2014-05-09 05:18:53 PDT
After r167094 JSC crashes at the beginning on ARM Traditional.

Program received signal SIGSEGV, Segmentation fault.
0x0041e0ac in llint_entry ()
(gdb) bt
#0  0x0041e0ac in llint_entry ()
#1  0x00000000 in ?? ()


   0x0041e09c <llint_entry+2680>:       push    {lr}
   0x0041e0a0 <llint_entry+2684>:       push    {r11}
   0x0041e0a4 <llint_entry+2688>:       mov     r11, sp
   0x0041e0a8 <llint_entry+2692>:       ldr     r1, [r11, #8]
=> 0x0041e0ac <llint_entry+2696>:       ldr     r12, [r1, #316] ; 0x13c
   0x0041e0b0 <llint_entry+2700>:       adds    r12, r12, #5
   0x0041e0b4 <llint_entry+2704>:       str     r12, [r1, #316] ; 0x13c
   0x0041e0b8 <llint_entry+2708>:       bmi     0x41e0ec <llint_entry+2760>
   0x0041e0bc <llint_entry+2712>:       subs    sp, sp, #8
   0x0041e0c0 <llint_entry+2716>:       mov     r0, r11
   0x0041e0c4 <llint_entry+2720>:       mov     r1, r9
   0x0041e0c8 <llint_entry+2724>:       bl      0x4dfab0 <llint_entry_osr>
   0x0041e0cc <llint_entry+2728>:       adds    sp, sp, #8
   0x0041e0d0 <llint_entry+2732>:       tst     r0, r0
   0x0041e0d4 <llint_entry+2736>:       beq     0x41e0e8 <llint_entry+2756>
   0x0041e0d8 <llint_entry+2740>:       mov     sp, r11
   0x0041e0dc <llint_entry+2744>:       pop     {r11}
   0x0041e0e0 <llint_entry+2748>:       pop     {lr}

The crash occurs inside the llint_program_prologue function.
Comment 1 Martin Hodovan 2014-05-09 06:08:41 PDT
I managed to debug what happens here. The jump table
contains invalid addresses and llint_program_prologue
isn't called properly.
 
The branch instruction jumps to 0x0041e0a2 instead of
0x0041e09c - the start of the function. 0x0041e0a2 isn't
4-byte aligned, but the CPU starts executing this code
from push {r11}, which breaks the stack, and the ldr tries
to load from an invalid address.
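To make the diagnosis in the comment above reproducible, here is an added example in C (not code from WebKit, from the offline assembler, or from the commenter): a check that every entry of a generated jump table is aligned for the instruction state it jumps into (4 bytes for ARM Traditional, 2 for Thumb), and, for a misaligned entry, which instruction of the llint_program_prologue listing the core would actually start at. The prologue addresses and mnemonics are copied from the disassembly in the description; the jump table contents are constructed, and the model of "fetch begins at the containing word" is the behaviour the comment observed, not a full specification of how ARM treats writes to PC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instruction size of the state a jump table targets: ARM (Traditional) is 4, Thumb is 2. */
enum { ARM_INSN = 4, THUMB_INSN = 2 };

/* One disassembled instruction: address and mnemonic, copied from the listing in the description. */
typedef struct { uint32_t addr; const char *text; } insn_t;

static const insn_t prologue[] = {
    {0x0041e09cu, "push {lr}"},
    {0x0041e0a0u, "push {r11}"},
    {0x0041e0a4u, "mov r11, sp"},
    {0x0041e0a8u, "ldr r1, [r11, #8]"},
    {0x0041e0acu, "ldr r12, [r1, #316]"},
};
#define PROLOGUE_LEN (sizeof prologue / sizeof prologue[0])

/* Constructed jump table: entry 1 carries the bad address from Comment 1; the others are aligned. */
static const uint32_t sample_table[] = { 0x0041e09cu, 0x0041e0a2u, 0x0041e0a4u };
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

static int is_aligned(uint32_t target, unsigned insn_size)
{
    return target % insn_size == 0;
}

/* Number of table entries that cannot be a valid instruction start in this state. */
static size_t count_misaligned(const uint32_t *table, size_t n, unsigned insn_size)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_aligned(table[i], insn_size))
            bad++;
    return bad;
}

/* Where fetch actually begins. Comment 1 observed execution starting at the word containing
   the misaligned address (0x0041e0a2 -> push {r11} at 0x0041e0a0). This models only that
   observation; it is an assumption, not a description of every ARM PC-write case. */
static uint32_t effective_target(uint32_t target, unsigned insn_size)
{
    return target - target % insn_size;
}

/* Index into the prologue listing of the first instruction executed, or -1 if the
   effective target lands outside the listing. */
static int first_executed_index(uint32_t target, unsigned insn_size)
{
    uint32_t eff = effective_target(target, insn_size);
    for (size_t i = 0; i < PROLOGUE_LEN; i++)
        if (prologue[i].addr == eff)
            return (int)i;
    return -1;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_TABLE_LEN; i++) {
        uint32_t t = sample_table[i];
        int idx = first_executed_index(t, ARM_INSN);
        printf("entry %zu: 0x%08x %s", i, t,
               is_aligned(t, ARM_INSN) ? "aligned" : "MISALIGNED");
        if (idx >= 0)
            printf(", first executed: %s", prologue[idx].text);
        putchar('\n');
    }
    printf("%zu misaligned entries in ARM state\n",
           count_misaligned(sample_table, SAMPLE_TABLE_LEN, ARM_INSN));
    return 0;
}
```

Run against the constructed table, entry 1 (0x0041e0a2) is flagged as misaligned for ARM state and resolves to push {r11}, so push {lr} is skipped exactly as the comment describes; the same address passes the Thumb check, which is why a table built with the wrong state's alignment can look plausible until it is executed.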
Comment 2 Martin Hodovan 2014-05-09 06:22:05 PDT
Created attachment 231150 [details]
Proposed patch
Comment 3 Zoltan Herczeg 2014-05-09 07:10:55 PDT
Comment on attachment 231150 [details]
Proposed patch

Nice catch. r=me
Comment 4 WebKit Commit Bot 2014-05-09 07:42:30 PDT
Comment on attachment 231150 [details]
Proposed patch

Clearing flags on attachment: 231150

Committed r168530: <http://trac.webkit.org/changeset/168530>
Comment 5 WebKit Commit Bot 2014-05-09 07:42:33 PDT
All reviewed patches have been landed.  Closing bug.