Bug 140095

Summary:

Debug ASan builds frequently crash in Register::jsValue under DFG::prepareOSREntry

Product:

WebKit

Reporter:

Alexey Proskuryakov <ap>

Component:

JavaScriptCore

Assignee:

Alexey Proskuryakov <ap>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo, ggaren, mrowe

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
proposed fix	andersca: review+

Description Alexey Proskuryakov 2015-01-05 13:50:48 PST

In release builds, Register::jsValue is inlined into DFG::prepareOSREntry, so a blacklist line we have in webkit-asan-ignore.txt is sufficient. But in debug builds, it is not inlined, so we crash in this function.

Adding Register::jsValue to the blacklist is not the best fix, because this function is used elsewhere. The better fix is to blacklist the whole file.

Comment 1 Alexey Proskuryakov 2015-01-05 15:50:25 PST

Created attachment 244013 [details]
proposed fix

Actually, blacklisting the file doesn't work - if we do that, we get a non-ASan version of the inline function in DFGOSREntry.o, but it is later eliminated by the linker in favor of an ASanified copy from another file.

So I only see two options:
1. Blacklist Register::jsValue(), and ask for a better solution (which I propose here).
2. Make a copy of Register::jsValue() function with a different name, just for the purpose of using it in prepareOSREntry() in a blacklist.

Comment 2 Alexey Proskuryakov 2015-01-06 16:26:11 PST

Committed <http://trac.webkit.org/r178005>.