Bug 146629

Summary: [MIPS] webkitgtk crashed if JIT is enabled
Product: WebKit Reporter: Jeffrey <Jeffrey.li>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: annulen, cgarcia, fpizlo, guijemont, jbriance, mcatanzaro, ossy, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: Linux   
Attachments:
Description Flags
test case for this issue.
none
proposed patch none

Description Jeffrey 2015-07-06 02:26:35 PDT 
Webkitgtk crashed when I run the javascript test. The backtrace and some gdb information list below.

warning: Could not load shared library symbols for 82 libraries, e.g. /usr/lib/libwebkitgtk-1.0.so.0.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `/usr/local/bin/otvwebkit http://10.12.2.99/testcase/regression/testcase.html'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x759f4e08 in ?? ()
(gdb) bt
#0  0x759f4e08 in llint_op_push_name_scope () from /home/otv5/otv5/jeli_pc2/DEVELOP/OTV_WebKit/otvwebkit2.0/otvtarg/tc7356_uclibc_bc/sdk_all/target/usr/lib/libjavascriptcoregtk-1.0.so.0
#1  0x759f4e00 in llint_op_pop_scope () from /home/otv5/otv5/jeli_pc2/DEVELOP/OTV_WebKit/otvwebkit2.0/otvtarg/tc7356_uclibc_bc/sdk_all/target/usr/lib/libjavascriptcoregtk-1.0.so.0
Backtrace stopped: frame did not save the PC
(gdb) i reg
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000001 6bfbfd40 fffffffb 6c3e2fa8 7262de0c 759f2bac 72642978
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   fffffffa fffffffb fffffffe fffffffb 726112f4 00000004 ecb5a59f 6c3e2f98
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  7f8e1258 7260b000 7262de0c 7260b000 6c1b91a8 6bf5fa68 72642960 7260b000
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  6c3e2f98 759f2bac 00000000 00000000 6c1b91a8 7f8e0d00 6c3e2fa8 759f4e00
            sr       lo       hi      bad    cause       pc
      00008713 00000004 00000000 6c1b18c0 00800008 759f4e08
           fsr      fir
      88800004 00000000
(gdb) x/16i llint_op_push_name_scope
   0x759f4e00 <llint_op_push_name_scope>:       move    a0,s8
   0x759f4e04 <llint_op_push_name_scope+4>:     move    a1,s2
=> 0x759f4e08 <llint_op_push_name_scope+8>:     lw      t9,-30952(gp)
   0x759f4e0c <llint_op_push_name_scope+12>:    bal     0x759eac98 <llint_slow_path_push_name_scope>
   0x759f4e10 <llint_op_push_name_scope+16>:    nop
   0x759f4e14 <llint_op_push_name_scope+20>:    move    gp,s4
   0x759f4e18 <llint_op_push_name_scope+24>:    move    s2,v0
   0x759f4e1c <llint_op_push_name_scope+28>:    move    s8,v1
   0x759f4e20 <llint_op_push_name_scope+32>:    addiu   s2,s2,16
   0x759f4e24 <llint_op_push_name_scope+36>:    lw      ra,0(s2)
   0x759f4e28 <llint_op_push_name_scope+40>:    jr      ra
   0x759f4e2c <llint_op_push_name_scope+44>:    nop
   0x759f4e30 <llint_op_throw>: move    a0,s8
   0x759f4e34 <llint_op_throw+4>:       move    a1,s2
   0x759f4e38 <llint_op_throw+8>:       lw      t9,-30948(gp)
   0x759f4e3c <llint_op_throw+12>:      bal     0x759e9864 <llint_slow_path_throw>
   0x759f4e40 <llint_op_throw+16>:      nop
(gdb)
Comment 1 Jeffrey 2015-07-06 02:29:24 PDT 
Created attachment 256203 [details]
test case for this issue.
Comment 2 Jeffrey 2015-07-06 18:04:57 PDT 
Created attachment 256268 [details]
proposed patch

On MIPS platform, function llint_op_catch() use RA register to compute gp pointor. JSC::CCallHelpers::jumpToExceptionHandler() use T9 register. It will cause a invalid gp pointer when jump to llint_op_catch().
My patch load the function address to RA first. Then copy it to T9 and jump.
Comment 3 Michael Catanzaro 2015-12-30 15:26:10 PST 
Guillaume, this look OK? You didn't run into this issue...?

(In reply to comment #1)
> Created attachment 256203 [details]
> test case for this issue.

Great. This should probably be added as a testcase under LayoutTests/js.
Comment 4 Guillaume Emont 2016-01-18 18:21:32 PST 
(In reply to comment #3)
> Guillaume, this look OK? You didn't run into this issue...?

I did not run into this issue (yet?), maybe because I've mainly worked with jsc only (only compiling WTF/ and JavaScriptCore/).
I am a little confused by the patch though. I understand that $gp is computed by the code of .cpload (emitted by offlineasm for each label), which uses $t9. I don't understand how this is different for llint_op_catch(), though I didn't study the exception code/protocol, and I have a feeling that this is not your regular function, and there might be something done with $ra that I did not understand.

> (In reply to comment #1)
> > Created attachment 256203 [details]
> > test case for this issue.
> 
> Great. This should probably be added as a testcase under LayoutTests/js.
Comment 5 Michael Catanzaro 2016-07-14 05:35:09 PDT 
Comment on attachment 256268 [details]
proposed patch

Jeffrey, could you respond to Guillaume's questions here? Resetting the request flags in the meantime.
Comment 6 Jeffrey 2016-09-08 01:31:10 PDT 
(In reply to comment #4)
> (In reply to comment #3)
> > Guillaume, this look OK? You didn't run into this issue...?
> 
> I did not run into this issue (yet?), maybe because I've mainly worked with
> jsc only (only compiling WTF/ and JavaScriptCore/).
> I am a little confused by the patch though. I understand that $gp is
> computed by the code of .cpload (emitted by offlineasm for each label),
> which uses $t9. I don't understand how this is different for
> llint_op_catch(), though I didn't study the exception code/protocol, and I
> have a feeling that this is not your regular function, and there might be
> something done with $ra that I did not understand.
> 
> > (In reply to comment #1)
> > > Created attachment 256203 [details]
> > > test case for this issue.
> > 
> > Great. This should probably be added as a testcase under LayoutTests/js.

The .cpload uses $ra register to compute the $gp value. The jumpToExceptionHandler() uses $t9 as jump register now. Then in llint_op_catch() function, $ra will get a incorrect value. This will cause the $gp value is incorrect too.