Bug 25033

Summary: dtoa.cpp segfaults with g++ 4.4.0
Product: WebKit
Reporter: Xan Lopez <xan.lopez>
Component: Web Template Framework
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, craig.schlenter, darin, evan, martin.sourada
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux

Xan Lopez
Reported 2009-04-03 11:59:43 PDT
Compiling WebKit with g++ 4.4.0 20090330 and -O2 (this is a pre-release from Fedora 11, but 4.4.0 is about to be released), I get this segfault pretty much in any page:

Program received signal SIGSEGV, Segmentation fault.
0x00d12161 in WTF::dtoa () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
(gdb) bt
#0  0x00d12161 in WTF::dtoa () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
#1  0x00d131b8 in JSC::concatenate () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
#2  0x00d959c6 in JSC::JITStubs::cti_op_add () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
#3  0x07c5af47 in ?? ()
#4  0x00000000 in ?? ()

It does not happen in debug builds, so I'm not sure how to get anything more useful than that. Googling a bit, it might be related to this: http://patrakov.blogspot.com/2009/03/dont-use-old-dtoac.html , but we seem to use a modified version of that. Any suggestion to further track this down is welcome :)
Attachments
dtoaalias.patch (32.28 KB, patch) - 2009-04-04 02:44 PDT, Xan Lopez - ap: review+
sunspider results (3.28 KB, text/plain) - 2009-04-06 08:19 PDT, Gustavo Noronha (kov) - no flags
sunspider Mac results (3.40 KB, text/plain) - 2009-04-07 04:27 PDT, Alexey Proskuryakov - no flags
Darin Adler
Comment 1 2009-04-03 12:03:57 PDT
Yow! That's code that no one on the project knows all that much about -- we haven't changed it too much since the original David Gay library it came from. If you have some skills with assembly-language debugging you might be able to figure out what line of code is involved. You don't need to do a debug build to have symbols. You could try building with "-O2 and -g" to see if that helps you figure out what's wrong. Worst case, you could try to find a completely different solution for dtoa -- it might be hard to find one that has correct behavior and great performance, though.
Xan Lopez
Comment 2 2009-04-03 12:15:36 PDT
OK, if it has not changed too much I guess I can try to use the version that comes with gcc and see how it goes with that. What tests should I pay attention to in order to check the performance of each one?
Mark Rowe (bdash)
Comment 3 2009-04-03 13:01:41 PDT
I think that at least one of the sunspider tests exercises dtoa quite heavily.
Alexey Proskuryakov
Comment 4 2009-04-04 02:32:14 PDT
We do have a number of modifications in our copy of dtoa, including support for additional architectures (e.g. middle endian ones), threading and performance fixes. Is the version that comes with gcc very different from the original? If not, maybe we could just make all the same changes on our copy.
Xan Lopez
Comment 5 2009-04-04 02:33:26 PDT
Yes, I just did that. It seems to work OK, although I'm not testing all the codepaths (lots of #ifdef ...). I'll upload the patch now.
Xan Lopez
Comment 6 2009-04-04 02:44:29 PDT
Created attachment 29251 [details] dtoaalias.patch

OK, I've tried to explain the issue the best I could in the ChangeLog. I've tried to cover all codepaths, but I haven't actually tested them, just the default one. Also, I have not changed the macros defined when YES_ALIAS is defined, although that is unlikely to work with the changes in the code. Sunspider works with the patch, and the crashers are gone. Unfortunately I can't compare performance with the previous version, since it crashes the browser, but I hope someone else will be able to do that.
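The aliasing problem the patch works around, as a constructed C++ illustration added here (not code from dtoaalias.patch or from WebKit): the names word0/word1, Exp_mask, Exp_shift and Sign_bit follow Gay's dtoa, but the bodies are mine, and the cast-based accessor is kept only to show the pattern GCC 4.4 miscompiles under -O2.

```cpp
#include <cstdint>
#include <cstring>

// Constructed illustration of the aliasing problem behind this bug; not
// code from dtoaalias.patch. Gay's dtoa reads a double as two 32-bit
// halves (word0 = high half, word1 = low half) by casting the double's
// address to a 32-bit integer pointer. Under -fstrict-aliasing (default
// at -O2) GCC 4.4 may assume an integer access cannot alias a double,
// reorder or drop the load, and hand back garbage.
typedef uint32_t ULong;

// The pattern GCC objects to: "dereferencing type-punned pointer will
// break strict-aliasing rules". Undefined behaviour; kept for contrast
// only and never called here. It also hard-wires a little-endian layout.
static inline ULong word0_punned(double* d)
{
    return reinterpret_cast<ULong*>(d)[1];
}

// Well-defined replacement: copy the object representation into an
// integer of the same size. Splitting the 64-bit value into halves is
// then endian-independent, so no IEEE_8087 / IEEE_MC68k switch is needed.
static inline uint64_t bitsOf(double d)
{
    static_assert(sizeof(uint64_t) == sizeof(double), "double must be 64-bit");
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}
static inline ULong word0(double d) { return static_cast<ULong>(bitsOf(d) >> 32); }
static inline ULong word1(double d) { return static_cast<ULong>(bitsOf(d)); }

// Inverse direction, as dtoa/strtod need when assembling a result.
static inline double fromWords(ULong hi, ULong lo)
{
    uint64_t bits = (static_cast<uint64_t>(hi) << 32) | lo;
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// IEEE-754 fields dtoa extracts from word0 (the constant names are Gay's).
static const ULong Exp_mask = 0x7ff00000u;
static const int Exp_shift = 20;
static const ULong Sign_bit = 0x80000000u;
static inline int biasedExponent(double d) { return static_cast<int>((word0(d) & Exp_mask) >> Exp_shift); }
static inline bool isNegative(double d) { return (word0(d) & Sign_bit) != 0; }
```

With optimization on, the memcpy form compiles to the same register moves as the cast, so the fix costs nothing, which matches the "no measurable change" sunspider results further down.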
Xan Lopez
Comment 7 2009-04-05 13:58:35 PDT
*** Bug 24326 has been marked as a duplicate of this bug. ***
Gustavo Noronha (kov)
Comment 8 2009-04-06 08:19:28 PDT
Created attachment 29278 [details] sunspider results

Xan requested that someone run sunspider on webkit pre- and post-patching with his proposed fix. These are my results.
Alexey Proskuryakov
Comment 9 2009-04-07 04:27:27 PDT
Created attachment 29306 [details] sunspider Mac results

No measurable change.
Alexey Proskuryakov
Comment 10 2009-04-07 04:38:01 PDT
Comment on attachment 29251 [details] dtoaalias.patch

r=me
Xan Lopez
Comment 11 2009-04-07 04:48:50 PDT
Committed as r42262, thanks.
Craig Schlenter
Comment 12 2009-05-18 11:07:05 PDT
dtoa.cpp is getting strict aliasing warnings again in trunk with gcc 4.4 after the latest changes. I'm running this in chromium but it's the same code as far as I can tell.

/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp: In function 'void WTF::mult(WTF::BigInt&, const WTF::BigInt&)':
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: warning: dereferencing pointer 'xc.43' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: warning: dereferencing pointer 'xc.43' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp: In function 'void WTF::dtoa(char*, double, int, int*, int*, char**)':
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:293: warning: '<anonymous>' may be used uninitialized in this function
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:2135: note: '<anonymous>' was declared here
Compiling /home/craig/chromium.git/src/sconsbuild/Release/obj/third_party/WebKit/JavaScriptCore/pcre/pcre_compile.os
Compiling /home/craig/chromium.git/src/sconsbuild/Release/obj/third_party/WebKit/JavaScriptCore/pcre/pcre_exec.os
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp: In function 'double WTF::strtod(const char*, char**)':
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: warning: dereferencing pointer 'xc.62' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: warning: dereferencing pointer 'xc.62' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: note: initialized from here

Rolling back to r42264 makes things happy - I have not tried the in-between revisions yet. What's the best plan of action here - reopen this bug (I can't do that) or file a new one? Thank you!!
Evan Martin
Comment 13 2009-05-18 11:13:25 PDT
Reopening based on Craig's comment.
Evan Martin
Comment 14 2009-05-18 11:14:03 PDT
Actually, wait, no, this bug is about segfaulting. Craig, maybe your comment belongs as a new bug?
Craig Schlenter
Comment 15 2009-05-18 11:45:01 PDT
(In reply to comment #14)
> Actually, wait, no, this bug is about segfaulting. Craig, maybe your comment
> belongs as a new bug?

I have created https://bugs.webkit.org/show_bug.cgi?id=25857 and Cc'ed Xan. Thank you.