Bug 159880

Summary: JSC JIT Broken on ARMv7 Traditional (without Thumb2)
Product: WebKit    Reporter: Carlos Alberto Lopez Perez <clopez>
Component: JavaScriptCore    Assignee: Csaba Osztrogonác <ossy>
Status: RESOLVED FIXED    
Severity: Normal CC: berto, bugs-noreply, commit-queue, gustavo, mario, ossy, tonikitoo, tpopela, zan
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 108645    
Attachments:
Description: Patch    Flags: none

Description Carlos Alberto Lopez Perez 2016-07-18 10:13:39 PDT
When building WebKitGTK+ for ARMv7 (armhf) with the traditional ARM instruction set (-marm) instead of building with the Thumb2 instruction set (-mthumb), the JSC JIT fails at run-time. It builds fine, but then any webpage with JavaScript will make the WebProcess crash.

I have been able to reproduce this with 2.12.3. Not sure if it's reproducible with current trunk, I will try to reproduce it there also.

It seems that GNU/Linux armhf distributions build with Thumb2 (-mthumb) by default. At least on Debian the default toolchain (gcc compiler) is built with --with-mode=thumb on armhf. Therefore the GTK+ ARM buildbot (that runs on Debian) is only testing the ARMv7 Thumb2 build.

Related: https://bugzilla.yoctoproject.org/show_bug.cgi?id=9474
Comment 1 Carlos Alberto Lopez Perez 2016-07-18 20:25:33 PDT
It seems the issue is also reproducible on current trunk (tried with r203370).

The command line jsc interpreter also crashes:

root@raspberrypi3:~# jsc
>>> 1 + 1
Segmentation fault


Not sure if this only affects the GTK+ port or EFL/JSCOnly are also affected?
Comment 2 Tomas Popela 2016-07-19 02:32:43 PDT
(In reply to comment #1)
> Not sure if this only affects the GTK+ port or EFL/JSCOnly are also affected?

JSCOnly affected as well. Crashing with SIGILL, Illegal instruction. Also I cannot obtain anything useful from the backtrace.

Core was generated by `./jsc'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
592     ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp: No such file or directory.
[Current thread is 1 (Thread 0xb2d6e220 (LWP 29498))]
(gdb) bt full
#0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
        vm = @0xb6fb5a28: <error reading variable>
        tracer = {<No data fields>}
        codeBlock = 0xb6fb5be0
#1  0xb60a347c in llint_entry () at ../../Source/JavaScriptCore/runtime/Butterfly.h:58
No symbol table info available.
#2  0x00000000 in ?? ()
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 3 Csaba Osztrogonác 2016-07-19 03:10:34 PDT
(In reply to comment #2)
> (In reply to comment #1)
> > Not sure if this only affects the GTK+ port or EFL/JSCOnly are also affected?
> 
> JSCOnly affected as well. Crashing with SIGILL, Illegal instruction. Also I
> cannot obtain anything useful from the backtrace..
> 
> Core was generated by `./jsc'.
> Program terminated with signal SIGILL, Illegal instruction.
> #0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at
> ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
> 592     ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp: No such
> file or directory.
> [Current thread is 1 (Thread 0xb2d6e220 (LWP 29498))]
> (gdb) bt full
> #0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at
> ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
>         vm = @0xb6fb5a28: <error reading variable>
>         tracer = {<No data fields>}
>         codeBlock = 0xb6fb5be0
> #1  0xb60a347c in llint_entry () at
> ../../Source/JavaScriptCore/runtime/Butterfly.h:58
> No symbol table info available.
> #2  0x00000000 in ?? ()
> No symbol table info available.
> Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Did you get it on ARMv7 hardware? 
Could you provide a disassembly near this illegal instruction?
Comment 4 Csaba Osztrogonác 2016-07-19 08:06:34 PDT
After digging into it with Tomas, it seems we ran into a GNU gold linker bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=19410

I'm going to prepare a workaround to use the BFD linker on ARM.
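The shape such a workaround can take, as an added illustration that is not the patch attached to this bug nor any other WebKit code: detect at configure time whether the ARM toolchain defaults to Thumb-2 (GCC and Clang predefine `__thumb2__` in that mode and do not with `-marm`), and if it does not, pass `-fuse-ld=bfd` so the link is done by ld.bfd instead of gold. It assumes a CMake project with the CXX language enabled and a GCC/Clang driver that accepts `-fuse-ld=`; the cache variable name `ARM_TOOLCHAIN_DEFAULTS_TO_THUMB2` is made up for this example.

```cmake
# Added example, not WebKit's own Source/cmake/OptionsCommon.cmake.
# Requires: project(... LANGUAGES CXX) already declared, GCC or Clang.
include(CheckCXXSourceCompiles)

if (CMAKE_SYSTEM_PROCESSOR MATCHES "^arm")
    # Probe the compiler's default instruction set: this only compiles when
    # the driver predefines __thumb2__ (e.g. Debian gcc built with
    # --with-mode=thumb). With -marm / a non-Thumb default it fails.
    check_cxx_source_compiles("
        #if !defined(__thumb2__)
        #error traditional ARM (non-Thumb-2) code generation
        #endif
        int main() { return 0; }
    " ARM_TOOLCHAIN_DEFAULTS_TO_THUMB2)

    if (NOT ARM_TOOLCHAIN_DEFAULTS_TO_THUMB2)
        message(STATUS "ARM (non-Thumb-2) toolchain: linking with ld.bfd instead of gold")
        # Apply to executables, shared libraries and loadable modules alike,
        # since the JIT lives in libjavascriptcoregtk, not only in jsc.
        foreach (flags CMAKE_EXE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS)
            set(${flags} "${${flags}} -fuse-ld=bfd")
        endforeach ()
    endif ()
endif ()
```

To confirm which linker actually produced a binary, `readelf -p .note.gnu.gold-version <file>` prints a version string only for objects linked by gold; on a BFD-linked build the section is absent. Checking the preprocessor directly (`${CC} -dM -E - </dev/null | grep -i thumb`) is the quickest way to see whether a given toolchain defaults to Thumb-2 before configuring.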
Comment 5 Csaba Osztrogonác 2016-07-19 09:10:09 PDT
Created attachment 284011 [details]
Patch
Comment 6 WebKit Commit Bot 2016-07-19 09:11:17 PDT
Attachment 284011 [details] did not pass style-queue:


ERROR: Source/cmake/OptionsCommon.cmake:76:  The parentheses after the last listitem "#if !defined(thumb2) && !defined(__thumb2__" should be in a new line.  [list/parentheses] [5]
Total errors found: 1 in 2 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 7 Tomas Popela 2016-07-19 22:45:39 PDT
I can confirm that the patch provided by Ossy fixes the issue.
Comment 8 WebKit Commit Bot 2016-07-20 00:31:48 PDT
Comment on attachment 284011 [details]
Patch

Clearing flags on attachment: 284011

Committed r203446: <http://trac.webkit.org/changeset/203446>
Comment 9 WebKit Commit Bot 2016-07-20 00:31:52 PDT
All reviewed patches have been landed.  Closing bug.