Bug 132738

Summary: REGRESSION(r167094): JSC crashes on ARM Traditional
Product: WebKit Reporter: Csaba Osztrogonác <ossy>
Component: New Bugs Assignee: Martin Hodovan <mhodovan.u-szeged>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, mark.lam, msaboff, ossy, zherczeg
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 108645, 131205    
Attachments:
Description Flags
Proposed patch none

Csaba Osztrogonác
Reported 2014-05-09 05:18:53 PDT
After r167094 JSC crashes at the beginning on ARM Traditional.

Program received signal SIGSEGV, Segmentation fault.
0x0041e0ac in llint_entry ()
(gdb) bt
#0 0x0041e0ac in llint_entry ()
#1 0x00000000 in ?? ()

   0x0041e09c <llint_entry+2680>: push {lr}
   0x0041e0a0 <llint_entry+2684>: push {r11}
   0x0041e0a4 <llint_entry+2688>: mov r11, sp
   0x0041e0a8 <llint_entry+2692>: ldr r1, [r11, #8]
=> 0x0041e0ac <llint_entry+2696>: ldr r12, [r1, #316] ; 0x13c
   0x0041e0b0 <llint_entry+2700>: adds r12, r12, #5
   0x0041e0b4 <llint_entry+2704>: str r12, [r1, #316] ; 0x13c
   0x0041e0b8 <llint_entry+2708>: bmi 0x41e0ec <llint_entry+2760>
   0x0041e0bc <llint_entry+2712>: subs sp, sp, #8
   0x0041e0c0 <llint_entry+2716>: mov r0, r11
   0x0041e0c4 <llint_entry+2720>: mov r1, r9
   0x0041e0c8 <llint_entry+2724>: bl 0x4dfab0 <llint_entry_osr>
   0x0041e0cc <llint_entry+2728>: adds sp, sp, #8
   0x0041e0d0 <llint_entry+2732>: tst r0, r0
   0x0041e0d4 <llint_entry+2736>: beq 0x41e0e8 <llint_entry+2756>
   0x0041e0d8 <llint_entry+2740>: mov sp, r11
   0x0041e0dc <llint_entry+2744>: pop {r11}
   0x0041e0e0 <llint_entry+2748>: pop {lr}

The crash occurs inside the llint_program_prologue function.
Attachments
Proposed patch (1.69 KB, patch)
2014-05-09 06:22 PDT, Martin Hodovan
no flags
Martin Hodovan
Comment 1 2014-05-09 06:08:41 PDT
I managed to debug what happens here. The jump table contains invalid addresses and llint_program_prologue isn't called properly. The branch instruction jumps to 0x0041e0a2 instead of 0x0041e09c - the start of the function. 0x0041e0a2 isn't 4-byte aligned, but the CPU starts executing this code from push {r11}, which breaks the stack, and ldr tries to load from an invalid address.
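The failure described in Comment 1, modelled as an added example that is not part of this bug's patch or of the WebKit tree: a check over jump-table entries that reports targets which are not 4-byte aligned and which prologue instructions would be skipped. The "low two bits dropped" behaviour is taken from what the crash shows, and the parallel-array table layout is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ARM_INSN_SIZE 4u   /* one ARM-mode (non-Thumb) instruction */

/* Result of checking one branch target against the function it should enter. */
struct target_check {
    bool     misaligned;     /* target is not on a 4-byte boundary */
    uint32_t effective;      /* address execution actually starts from */
    uint32_t skipped_insns;  /* prologue instructions that never execute */
};

/* Models the behaviour seen in the report: the low two bits of the target are
 * dropped, so execution starts at the aligned address below the target.
 * Assumption for this example: target is at or after func_start. */
struct target_check check_arm_target(uint32_t target, uint32_t func_start)
{
    struct target_check r;
    r.misaligned    = (target & (ARM_INSN_SIZE - 1u)) != 0;
    r.effective     = target & ~(ARM_INSN_SIZE - 1u);
    r.skipped_insns = (r.effective - func_start) / ARM_INSN_SIZE;
    return r;
}

/* Scans a jump table given as parallel arrays (hypothetical layout): the
 * target stored in each entry and the function start it is meant to reach.
 * Returns the number of entries that would not enter the function cleanly. */
size_t scan_jump_table(const uint32_t *targets, const uint32_t *starts, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct target_check c = check_arm_target(targets[i], starts[i]);
        if (c.misaligned || c.effective != starts[i]) {
            bad++;
            printf("entry %zu: target 0x%08x, function at 0x%08x, "
                   "execution begins at 0x%08x, %u prologue insn(s) skipped\n",
                   i, targets[i], starts[i], c.effective, c.skipped_insns);
        }
    }
    return bad;
}

int main(void)
{
    /* Constructed table: entry 0 uses the addresses from Comment 1 (push {lr}
     * at 0x0041e09c is skipped, push {r11} runs first); entry 1 is correct. */
    const uint32_t targets[] = { 0x0041e0a2u, 0x0041e09cu };
    const uint32_t starts[]  = { 0x0041e09cu, 0x0041e09cu };
    return scan_jump_table(targets, starts, 2) ? 1 : 0;
}
```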
Martin Hodovan
Comment 2 2014-05-09 06:22:05 PDT
Created attachment 231150 [details] Proposed patch
Zoltan Herczeg
Comment 3 2014-05-09 07:10:55 PDT
Comment on attachment 231150 [details] Proposed patch
Nice catch. r=me
WebKit Commit Bot
Comment 4 2014-05-09 07:42:30 PDT
Comment on attachment 231150 [details] Proposed patch
Clearing flags on attachment: 231150
Committed r168530: <http://trac.webkit.org/changeset/168530>
WebKit Commit Bot
Comment 5 2014-05-09 07:42:33 PDT
All reviewed patches have been landed. Closing bug.