Bug 90728

Summary:

REGRESSION(r118555): Assertion failure in JSC::DFG::AssemblyHelpers::decodedCodeMapFor on MathJax v2.0 sample

Product:

WebKit

Reporter:

Sergey Khodych <khodych>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

UNCONFIRMED

Severity:

Critical

CC:

barraclough, dsd, efidler, eric, fpizlo, ggaren, mitya57, yong.li.webkit, ysangkok

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

Linux

Attachments:

Description	Flags
MathJax v2.0 sample	none
a simple fix	fpizlo: review-

Sergey Khodych

Reported 2012-07-07 09:28:34 PDT

To reproduce: Load MathJax sample file test/sample-eqnum.html from mathjax_sample.zip webkit is built by following command: ./Tools/Scripts/build-webkit --qt --minimal --debug Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff65ec7d4 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor (this=0x7fffffffc730, codeBlock=0x105e330) at ../../../../Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp:47 47 ASSERT(codeBlock->jitCodeMap()); (gdb) bt #0 0x00007ffff65ec7d4 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor (this=0x7fffffffc730, codeBlock=0x105e330) at ../../../../Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp:47 #1 0x00007ffff663fb46 in JSC::DFG::OSRExitCompiler::compileExit (this=0x7fffffffc850, exit=..., recovery=0x0) at ../../../../Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp:647 #2 0x00007ffff663bc6a in JSC::DFG::compileOSRExit (exec=0x7fff9c1efdc8) at ../../../../Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp:79 #3 0x00007fffa05ffaad in ?? () #4 0x00007fffffffc920 in ?? () #5 0x00007fff9c1c4a80 in ?? () #6 0x00007fff95ed3c60 in ?? () #7 0x00007fff95a98600 in ?? () #8 0x00007fff00000004 in ?? () #9 0x00007fff95e407c0 in ?? () #10 0x00007ffff7e0ff40 in ?? () #11 0x00007fffffffc960 in ?? () #12 0x00007fffffffc970 in ?? () #13 0x00007fffa0744100 in ?? () #14 0x0000000000943688 in ?? () #15 0x00007fff9c1efdc8 in ?? () #16 0x0000000000000000 in ?? ()

Attachments
MathJax v2.0 sample (71.25 KB, application/zip) 2012-07-07 09:31 PDT, Sergey Khodych	no flags	Details
a simple fix (1.58 KB, patch) 2012-09-25 09:43 PDT, Yong Li	fpizlo: review-	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Sergey Khodych

Comment 1 2012-07-07 09:31:04 PDT

Created attachment 151144 [details] MathJax v2.0 sample

Yong Li

Comment 2 2012-09-25 08:35:23 PDT

It seems DFGOSRExitCompiler assumes setJITCodeMap is always called, however when LLINT isn't enabled, and canBeOptimized() = true, the jitCodeMap is left null. #if ENABLE(DFG_JIT) || ENABLE(LLINT) if (canBeOptimized() #if ENABLE(LLINT) || true #endif ) { CompactJITCodeMap::Encoder jitCodeMapEncoder; for (unsigned bytecodeOffset = 0; bytecodeOffset < m_labels.size(); ++bytecodeOffset) { if (m_labels[bytecodeOffset].isSet()) jitCodeMapEncoder.append(bytecodeOffset, patchBuffer.offsetOf(m_labels[bytecodeOffset])); } m_codeBlock->setJITCodeMap(jitCodeMapEncoder.finish()); } Filip?

Yong Li

Comment 3 2012-09-25 09:43:54 PDT

Created attachment 165632 [details] a simple fix

Daniel Drake

Comment 4 2012-12-01 07:26:11 PST

Reproduced this crash on Fedora 18 (x86), webkitgtk-1.10.1. It happens while loading various pages such as http://tirania.org/blog/archive/2012/Oct-22.html and http://www.bbc.co.uk/weather/sg6 Program received signal SIGSEGV, Segmentation fault. 0xb611d7c9 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor () from /lib/libjavascriptcoregtk-3.0.so.0 #0 0xb611d7c9 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor () from /lib/libjavascriptcoregtk-3.0.so.0 #1 0xb615965d in JSC::DFG::OSRExitCompiler::compileExit () from /lib/libjavascriptcoregtk-3.0.so.0 #2 0xb615d649 in compileOSRExit () from /lib/libjavascriptcoregtk-3.0.so.0 #3 0xabf19866 in ?? () #4 0xb61d7c52 in JSC::Interpreter::executeCall () from /lib/libjavascriptcoregtk-3.0.so.0 #5 0xb62b4993 in JSC::call () from /lib/libjavascriptcoregtk-3.0.so.0 #6 0xbfffe3c4 in ?? () A more complete trace can be found in bug #102762. I've tested Yong's patch (above) and it solves the issue. Any chance of a review?

Daniel Drake

Comment 5 2012-12-17 00:36:52 PST

Bump. This crash is still hurting, and there is a patch here waiting for review. I've tested it for the last few weeks, and it seems to be working fine.

Filip Pizlo

Comment 6 2012-12-17 15:35:03 PST

(In reply to comment #2) > It seems DFGOSRExitCompiler assumes setJITCodeMap is always called, however when LLINT isn't enabled, and canBeOptimized() = true, the jitCodeMap is left null. > > #if ENABLE(DFG_JIT) || ENABLE(LLINT) > if (canBeOptimized() > #if ENABLE(LLINT) > || true > #endif > ) { > CompactJITCodeMap::Encoder jitCodeMapEncoder; > for (unsigned bytecodeOffset = 0; bytecodeOffset < m_labels.size(); > ++bytecodeOffset) { > if (m_labels[bytecodeOffset].isSet()) > jitCodeMapEncoder.append(bytecodeOffset, > patchBuffer.offsetOf(m_labels[bytecodeOffset])); > } > m_codeBlock->setJITCodeMap(jitCodeMapEncoder.finish()); > } > > Filip? How can canBeOptimized() == true lead to jitCodeMap being null in the above code?

Filip Pizlo

Comment 7 2012-12-17 15:37:23 PST

Comment on attachment 165632 [details] a simple fix View in context: https://bugs.webkit.org/attachment.cgi?id=165632&action=review > Source/JavaScriptCore/jit/JIT.cpp:-764 > - if (canBeOptimized() > -#if ENABLE(LLINT) > - || true > -#endif > - ) { I think the problem here is that we should be emitting a code map when m_codeBlock->canCompileWithDFG() returns anything other than CannotCompile, whereas now we're just emitting the map when it returns CanCompile. This will happen since the other return value (ShouldProfile) indicates that the DFG may choose to inline the code block even if it doesn't compile it directly, and inlined code blocks better have jitCodeMaps. Could you do this more thorough fix instead?

Yong Li

Comment 8 2012-12-18 07:22:14 PST

> > How can canBeOptimized() == true lead to jitCodeMap being null in the above code? Probably I meant "= false" and it is a typo. (In reply to comment #7) > I think the problem here is that we should be emitting a code map when m_codeBlock->canCompileWithDFG() returns anything other than CannotCompile, whereas now we're just emitting the map when it returns CanCompile. This will happen since the other return value (ShouldProfile) indicates that the DFG may choose to inline the code block even if it doesn't compile it directly, and inlined code blocks better have jitCodeMaps. > > Could you do this more thorough fix instead? Thanks. I would give a try. But I don't have enough time at the meantime. Also this issue does bite when LLINT is on. So I cannot promise to work on this any time soon.

Yong Li

Comment 9 2012-12-18 07:22:49 PST

(In reply to comment #8) > > > > How can canBeOptimized() == true lead to jitCodeMap being null in the above code? > > Probably I meant "= false" and it is a typo. > > (In reply to comment #7) > > I think the problem here is that we should be emitting a code map when m_codeBlock->canCompileWithDFG() returns anything other than CannotCompile, whereas now we're just emitting the map when it returns CanCompile. This will happen since the other return value (ShouldProfile) indicates that the DFG may choose to inline the code block even if it doesn't compile it directly, and inlined code blocks better have jitCodeMaps. > > > > Could you do this more thorough fix instead? > > Thanks. I would give a try. But I don't have enough time at the meantime. Also this issue does bite when LLINT is on. So I cannot promise to work on this any time soon. oops, another typo. should be "does NOT bite when LLINT is on"

Note You need to log in before you can comment on or make changes to this bug.