| Summary: | AirLowerAfterRegAlloc may incorrectly use a callee save that’s live as a scratch register | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> | ||||||||||||
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> | ||||||||||||
| Status: | RESOLVED FIXED | ||||||||||||||
| Severity: | Normal | CC: | benjamin, buildbot, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, ticaiolima, webkit-bug-importer, ysuzuki | ||||||||||||
| Priority: | P2 | Keywords: | InRadar | ||||||||||||
| Version: | WebKit Nightly Build | ||||||||||||||
| Hardware: | Unspecified | ||||||||||||||
| OS: | Unspecified | ||||||||||||||
| Attachments: |
|
||||||||||||||
The bug looks to be in Air::lowerAfterRegAlloc. The IR is sound before this, but after this, this phase clobbers a register it shouldn't. Created attachment 315693 [details]
IR dump
look at defs of r19. It looks like lowering of ColdCCall introduced the bug.
Created attachment 315712 [details]
WIP
trying to write a test.
Created attachment 315810 [details]
patch
Attachment 315810 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/b3/testb3.cpp:15631: Extra space before ) [whitespace/parens] [2]
ERROR: Source/JavaScriptCore/b3/testb3.cpp:15631: Missing space inside { }. [whitespace/braces] [5]
ERROR: Source/JavaScriptCore/b3/testb3.cpp:15638: Consider using CHECK_EQ instead of CHECK(a == b) [readability/check] [2]
Total errors found: 3 in 4 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 315810 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=315810&action=review > Source/JavaScriptCore/ChangeLog:3 > + AirLowerAfterRegAlloc may incorrectly use a callee save thatâs live as a scratch register non-ascii character. Created attachment 315839 [details]
patch for landing
Created attachment 315840 [details]
patch for landing
Comment on attachment 315840 [details] patch for landing Clearing flags on attachment: 315840 Committed r219633: <http://trac.webkit.org/changeset/219633> All reviewed patches have been landed. Closing bug. |
Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] Triggered by Thread: 0 Thread 0 name: Dispatch queue: com.apple.main-thread Thread 0 Crashed: 0 ??? 0x000000013b72f30c 0 + 5292356364 1 JavaScriptCore 0x0000000104d1bad4 0x1045e0000 + 7584468 2 JavaScriptCore 0x0000000104d14f90 0x1045e0000 + 7557008 3 JavaScriptCore 0x0000000104bfab18 0x1045e0000 + 6400792 4 JavaScriptCore 0x0000000104bd1ab0 0x1045e0000 + 6232752 5 JavaScriptCore 0x00000001048c5eec 0x1045e0000 + 3038956 6 jsc 0x0000000103e69530 0x103e64000 + 21808 7 jsc 0x0000000103e68840 0x103e64000 + 18496 8 libdyld.dylib 0x0000000185c96a14 0x185c95000 + 6676 Thread 0 crashed with ARM Thread State (64-bit): x0: 0xae81e0addb1644d1 x1: 0x0000000000000000 x2: 0x00000001049cf9c8 x3: 0x0000000000000001 x4: 0x0000000000000002 x5: 0x000000000000003e x6: 0x00000001046e3078 x7: 0x0000000000000003 x8: 0x0000000000000007 x9: 0x0000000001001800 x10: 0x00000001049e2cec x11: 0x0000000000002710 x12: 0x0000000106809200 x13: 0x0000000105379560 x14: 0x00000001069880a0 x15: 0x000000010697c8b0 x16: 0x0000000000000000 x17: 0x0000000000001936 x18: 0x0000000000000000 x19: 0x0000000000000001 x20: 0x0000000000001936 x21: 0x0000000106953ea0 x22: 0x0000000000000144 x23: 0x000000010531c0e8 x24: 0x0000000106993d20 x25: 0x0000000106800000 x26: 0x0000000106aec008 x27: 0xffff000000000000 x28: 0xffff000000000002 fp: 0x000000016bf9aa90 lr: 0x000000013b72f4b0 sp: 0x000000016bf9a9e0 pc: 0x000000013b72f30c cpsr: 0x80000000