Bug 229546

Summary: [JSC] Segfault in stress/typedarray-every.js (32bit)
Product: WebKit
Reporter: Xan Lopez <xan.lopez>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, mark.lam, msaboff, sbarati, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / none

Description Xan Lopez 2021-08-26 02:35:36 PDT
I believe this is caused by the patch in bug #229229. Not 100% sure because the bots are trying to catch up. Stack trace:

Starting program: /home/igalia/xlopez/WebKit/WebKitBuild/Debug/bin/jsc -f ./JSTests/stress/typedarray-every.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
[New Thread 0xf4039440 (LWP 13807)]

Thread 1 "jsc" received signal SIGABRT, Aborted.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47	../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory.
(gdb) bt
#0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1  0xf5eeeea0 in __libc_signal_restore_set (set=0xfffec444) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xf5edf7a2 in __GI_abort () at abort.c:79
#4  0xf6d1b3e4 in JSC::ScratchRegisterAllocator::allocateScratch<JSC::GPRInfo> (this=0xfffec7a0) at ../../Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp:97
#5  0xf6d1223c in JSC::ScratchRegisterAllocator::allocateScratchGPR (this=0xfffec7a0) at ../../Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp:102
#6  0xf634f08c in JSC::AccessCase::generateWithGuard (this=0xf377bfc0, state=..., fallThrough=...) at ../../Source/JavaScriptCore/bytecode/AccessCase.cpp:1611
#7  0xf6433906 in JSC::PolymorphicAccess::regenerate (this=0xf377bfa0, locker=..., vm=..., globalObject=0xf37c2038, codeBlock=0xf1fadea0, ecmaMode=..., stubInfo=...)
    at ../../Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp:637
#8  0xf644ec48 in operator() (__closure=0xfffed7d4) at ../../Source/JavaScriptCore/bytecode/StructureStubInfo.cpp:221
#9  0xf644eda2 in JSC::StructureStubInfo::addAccessCase (this=0xf3789528, locker=..., globalObject=0xf37c2038, codeBlock=0xf1fadea0, ecmaMode=..., ident=..., 
    accessCase=...) at ../../Source/JavaScriptCore/bytecode/StructureStubInfo.cpp:245
#10 0xf6d0dd20 in JSC::tryCacheArrayPutByVal (globalObject=0xf37c2038, codeBlock=0xf1fadea0, baseValue=..., index=..., stubInfo=...)
    at ../../Source/JavaScriptCore/jit/Repatch.cpp:960
#11 0xf6d0de9e in JSC::repatchArrayPutByVal (globalObject=0xf37c2038, codeBlock=0xf1fadea0, base=..., index=..., stubInfo=..., putKind=JSC::PutKind::NotDirect, 
    ecmaMode=...) at ../../Source/JavaScriptCore/jit/Repatch.cpp:976
#12 0xf6cabfb6 in JSC::putByValOptimize (globalObject=0xf37c2038, codeBlock=0xf1fadea0, baseValue=..., subscript=..., value=..., stubInfo=0xf3789528, profile=0xf37870b8, 
    ecmaMode=...) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1035
#13 0xf6cac3ce in JSC::operationPutByValNonStrictOptimize (globalObject=0xf37c2038, encodedBaseValue=-17390199368, encodedSubscript=-4294967295, encodedValue=-4294967291, 
    stubInfo=0xf3789528, profile=0xf37870b8) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1087
#14 0xf36fe5a4 in ?? ()
Comment 1 Yusuke Suzuki 2021-08-26 03:00:57 PDT
Created attachment 436486 [details]
Patch
Comment 2 Yusuke Suzuki 2021-08-26 03:18:56 PDT
Created attachment 436489 [details]
Patch
Comment 3 EWS 2021-08-26 11:44:45 PDT
Committed r281638 (240994@main): <https://commits.webkit.org/240994@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436489 [details].
Comment 4 Radar WebKit Bug Importer 2021-08-26 11:45:31 PDT
<rdar://problem/82400505>