Bug 147123
| Summary: | JavaScriptCore LLInt crash with VS2015RC | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Vienneau <chris.vno> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | achristensen, msaboff |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | PC | | |
| OS: | Windows 7 | | |
Chris Vienneau
I have recently been attempting to move to VS2015 which I was discussing in the webkit-dev mail list:
https://lists.webkit.org/pipermail/webkit-dev/2015-July/027536.html
When compiling with VS2015RC and running my test application, I’m finding that most websites, facebook.com for example, are crashing in LowLevelInterpreterWin.asm code identified by LowLevelInterpreter.asm:476:
```asm
_offlineasm_doCall__177_loadConstantOrVariable__done:
cmp rbx, rcx ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1798
jne _offlineasm_doCall__opCallSlow
movsxd rbx, dword ptr [32 + r8 + rsi * 8] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
sal ebx, 3 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1800
neg rbx ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1801
add rbx, rbp ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1802
mov qword ptr [24 + rbx], rcx ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1803
movsxd rcx, dword ptr [24 + r8 + rsi * 8] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
mov dword ptr [36 + rbp], esi ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1805
mov dword ptr [32 + rbx], ecx ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1806
add rbx, 16 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:1807
mov rsp, rbx ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:472
call qword ptr [32 + rdx] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:476
mov rcx, qword ptr [16 + rbp] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:461
mov edi, dword ptr [56 + rcx] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:449
sal rdi, 3 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:450
add rdi, 64 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:451
mov rsp, rbp ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:456
sub rsp, rdi
mov esi, dword ptr [36 + rbp] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:45
mov r8, qword ptr [16 + rbp] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:46
mov r8, qword ptr [104 + r8] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:47
movsxd rdx, dword ptr [8 + r8 + rsi * 8] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:114
mov qword ptr [0 + rbp + rdx * 8], rax ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:49
mov rcx, qword ptr [64 + r8 + rsi * 8] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint\LowLevelInterpreter.asm:118
mov qword ptr [16 + rcx], rax ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:491
add rsi, 9 ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:31
jmp qword ptr [0 + r8 + rsi * 8] ; ..\..\JavaScriptCore\local\JavaScriptCore\llint/LowLevelInterpreter64.asm:27
```
I tried regenerating the asm files but still have the issue. I expect that some updates need to be done to the asm generator for VS2015; unfortunately, I don't have the expertise to validate/update the asm generator. Have you found this issue too? Any suggestion on how to correct the crash?
Michael Saboff
Please provide the WebKit SVN revision at which you are experiencing the problem. That way we can look at the source for the LowLevelInterpreter files and correlate the line numbers.
That said, it looks like you are in the "doCall()" macro in LowLevelInterpreter64.asm, which includes the "callTargetFunction()" macro in LowLevelInterpreter.asm. That macro includes the line
```asm
call LLIntCallLinkInfo::machineCodeTarget[callLinkInfo]
```
which I believe is where you are crashing. What are the details of the crash as far as type, register contents, etc.? Are we trying to access a bad address, jump to a non-existent address, or something else?
Chris Vienneau
Sorry for going dark on this one for a while; we were in the middle of some big upgrades. Just recently we found the cause of the problem: there was a bug in a new version of the allocator we were using which was not reliably setting the executable bits on the memory. This manifested itself as access violations in random JITed code. You can consider the issue resolved; thanks for your consideration.
Chris
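The root cause above, an allocator that hands out JIT memory without the executable bit, shows up later as an access violation at the first indirect call into that memory. As an added example (not code from this report or from WebKit), the following self-check verifies the permission bits through `/proc/self/maps` after the RW to RX flip, so a faulty allocator is caught at allocation time instead of at a random `call`. It assumes Linux and a POSIX libc; `page_is_executable` and `jit_region_self_check` are hypothetical names.

```c
/* Added example, not code from the bug report or from WebKit: a self-check a
 * JIT allocator can run to confirm that memory it is about to hand out as
 * code really carries the executable bit, the property the allocator in this
 * report failed to set. Assumes Linux (/proc/self/maps) and a POSIX libc. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, for strict -std builds */
#endif

/* 1 if the mapping holding addr has 'x', 0 if mapped without it,
 * -1 if addr is not in any mapping or /proc/self/maps is unreadable. */
int page_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    uintptr_t a = (uintptr_t)addr;
    char line[1024];
    int verdict = -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5];            /* e.g. "rwxp" */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { verdict = (perms[2] == 'x'); break; }
    }
    fclose(maps);
    return verdict;
}

/* W^X round trip: map a page RW, copy code in, flip it to RX, and verify
 * the flip took effect before anyone is allowed to jump into it.
 * Returns 0 on success, or a step number identifying which check failed. */
int jit_region_self_check(void)
{
    const size_t len = 4096;
    const unsigned char code[] = { 0xC3 };   /* constructed placeholder byte */
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 1;
    int rc = 0;
    if (page_is_executable(p) != 0) rc = 2;        /* must start non-exec */
    memcpy(p, code, sizeof code);
    if (rc == 0 && mprotect(p, len, PROT_READ | PROT_EXEC) != 0) rc = 3;
    if (rc == 0 && page_is_executable(p) != 1) rc = 4;   /* the missing check */
    munmap(p, len);
    return rc;
}
```

On Windows the same verification would go through VirtualQuery on the region instead of reading a maps file; the point is that a step 4 failure is the condition this bug report describes.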
Alex Christensen
That's good to hear. Thanks!