Bug 147123

Summary: JavaScriptCore LLInt crash with VS2015RC
Product: WebKit Reporter: Chris Vienneau <chris.vno>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: achristensen, msaboff
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows 7   

Description Chris Vienneau 2015-07-20 14:03:33 PDT 
I have recently been attempting to move to VS2015 which I was discussing in the webkit-dev mail list:
https://lists.webkit.org/pipermail/webkit-dev/2015-July/027536.html

When compiling with VS2015RC when I run with my test application I’m finding that most websites, facebook.com for example, are crashing in LowLevelInterpreterWin.asm code identified by LowLevelInterpreter.asm:476:
  _offlineasm_doCall__177_loadConstantOrVariable__done:
    cmp rbx, rcx                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1798
    jne _offlineasm_doCall__opCallSlow
    movsxd rbx, dword ptr [32 + r8 + rsi * 8]                ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
   sal ebx, 3                                               ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1800
    neg rbx                                                  ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1801
    add rbx, rbp                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1802
    mov qword ptr [24 + rbx], rcx                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1803
    movsxd rcx, dword ptr [24 + r8 + rsi * 8]                ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
    mov dword ptr [36 + rbp], esi                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1805
    mov dword ptr [32 + rbx], ecx                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1806
    add rbx, 16                                              ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1807
    mov rsp, rbx                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:472
    call qword ptr [32 + rdx]                                ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:476
    mov rcx, qword ptr [16 + rbp]                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:461
    mov edi, dword ptr [56 + rcx]                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:449
    sal rdi, 3                                               ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:450
    add rdi, 64                                              ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:451
    mov rsp, rbp                                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:456
    sub rsp, rdi
    mov esi, dword ptr [36 + rbp]                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:45
    mov r8, qword ptr [16 + rbp]                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:46
    mov r8, qword ptr [104 + r8]                             ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:47
    movsxd rdx, dword ptr [8 + r8 + rsi * 8]                 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
    mov qword ptr [0 + rbp + rdx * 8], rax                   ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:49
    mov rcx, qword ptr [64 + r8 + rsi * 8]                   ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:118
    mov qword ptr [16 + rcx], rax                            ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:491
    add rsi, 9                                               ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:31
    jmp qword ptr [0 + r8 + rsi * 8]                         ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:27

I tried regenerating the asm files but still have the issue.  I expect that some updates need to be done to the asm generator for vs2015 unfortunatly, I don't have the expertise to validate/update the asm generator.  Have you found this issue too?  Any suggestion on how to correct the crash?
Comment 1 Michael Saboff 2015-07-31 17:25:11 PDT 
Please provide the webkit SVN revision that you are experiencing the problem.  That way we can look at the source for LowLevelInterpreter files and correlate the line numbers.

Saying that, it looks like you are in the "doCall()" macro in LowLevelInterpreter64.asm which includes the "callTargetFunction()" macro in LowLevelInterpreter.asm.  That macro includes the line
    call LLIntCallLinkInfo::machineCodeTarget[callLinkInfo]
which I believe is where you are crashing.  What are the details of the crash as far as type, register contents, etc?  Are we trying to access a bad address, jump to a non-existent address or something else?
Comment 2 Chris Vienneau 2015-09-30 11:07:36 PDT 
Sorry for going dark on this one for a while, we were in the middle of some big upgrades.  Just recently we found the cause of the problem, there was a bug in a new version of the allocator we were using which was not reliably setting the executable bits on the memory.  This manifested itself as access violations in random JITed code.  You can consider the issue resolved, thanks for your consideration.

Chris
Comment 3 Alex Christensen 2015-09-30 16:26:50 PDT 
That's good to hear.  Thanks!