Bug 160157

Summary: REGRESSION(r203537): It made many tests crash on ARMv7 with ARM instruction set
Product: WebKit Reporter: Csaba Osztrogonác <ossy>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Critical CC: benjamin, ossy, sbarati
Priority: P1    
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=159720
Bug Depends on:    
Bug Blocks: 108645, 159649    

Description Csaba Osztrogonác 2016-07-25 02:13:57 PDT
JSCOnly Linux ARMv7 Traditional Release:
- before: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1613
- after: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1623
( https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1637 )

crash log on ARMv7 with ARM instruction set:

Running stress/exit-after-int52-to-double.js.default
stress/exit-after-int52-to-double.js.default: ASSERTION FAILED: linkBuffer.isValid()
stress/exit-after-int52-to-double.js.default: ../../Source/JavaScriptCore/jit/JITMathIC.h(130) : void JSC::JITMathIC<Generator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr) [with GeneratorType = JSC::JITAddGenerator]
stress/exit-after-int52-to-double.js.default: 1   0xb6394fb0 WTFCrash
stress/exit-after-int52-to-double.js.default: 2   0xb5ea3104 JSC::JITMathIC<JSC::JITAddGenerator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr)
stress/exit-after-int52-to-double.js.default: 3   0xb5e9a0b8
stress/exit-after-int52-to-double.js.default: Segmentation fault
stress/exit-after-int52-to-double.js.default: ERROR: Unexpected exit code: 139
FAIL: stress/exit-after-int52-to-double.js.default

It seems to be similar to bug 159720.

Can't we disable this new feature somehow, similar to https://trac.webkit.org/changeset/203272?
Comment 1 Csaba Osztrogonác 2016-07-25 05:15:48 PDT
I can confirm that this bug and bug 159720 have the same root.
The problem is that "auto jump = jit.jump();" allocates a constant
in the constant pool, which makes the linkBuffer ctor not allocate.

But the question is still open: can we disable IC generation on
ARM traditional until we can find the proper fix? Because now it
is completely broken and there are 2700 crashing stress tests.

*** This bug has been marked as a duplicate of bug 159720 ***
Comment 2 Csaba Osztrogonác 2016-07-28 05:16:26 PDT
(In reply to comment #0)
> Can't we disable this new feature somehow, similar to
> https://trac.webkit.org/changeset/203272?

The ARM assembler has been completely broken for more than a month because of
this IC refactoring work. It would be great to get an answer whether
we can work around it or not.
Comment 3 Saam Barati 2016-07-28 08:50:20 PDT
You can make MathIC generateInline always return false before
generating any code. This will make the resulting code quite
slow though. It will lead to a C call for every JS add.
Comment 4 Csaba Osztrogonác 2016-07-29 11:10:07 PDT
(In reply to comment #3)
> You can make MathIC generateInline always return false before
> generating any code. This will make the resulting code quite
> slow though. It will lead to a C call for every JS add.

Uploaded a patch to bug 159759 to disable it.