Bug 110184 - REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
Summary: REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P1 Critical
Assignee: Filip Pizlo
URL:
Keywords: Qt, QtTriaged
Depends on:
Blocks: 108645 79668 110072
Reported: 2013-02-18 23:15 PST by Csaba Osztrogonác
Modified: 2013-02-19 02:43 PST

See Also:


Attachments
possible patch (5.67 KB, patch)
2013-02-19 00:04 PST, Filip Pizlo
no flags
better patch (6.49 KB, patch)
2013-02-19 00:06 PST, Filip Pizlo
no flags
better patch (7.52 KB, patch)
2013-02-19 00:17 PST, Filip Pizlo
no flags

Description Csaba Osztrogonác 2013-02-18 23:15:09 PST
See the Qt bots for details:
- http://build.webkit.sed.hu/results/x86-32%20Linux%20Qt%20Debug/r143248%20%2824449%29/results.html
- http://build.webkit.org/results/Qt%20Linux%20Release/r143243%20%2857604%29/results.html

Additionally it broke 3 JSC tests on the ARM traditional platform:
- http://build.webkit.sed.hu/builders/ARMv7%20Linux%20Qt5%20Release%20%28Test%29/builds/7891
(maybe on ARM Thumb2 too, but I don't know, because there isn't a Thumb2 buildbot)
Comment 1 Filip Pizlo 2013-02-18 23:37:25 PST
Looking.

Can you get debug symbols for the crashes you're seeing?
Comment 2 Csaba Osztrogonác 2013-02-19 00:03:26 PST
Sure. Here you are:

$ WebKitBuild/Debug/bin/DumpRenderTree
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/oszi/WebKit/WebKitBuild/Debug/bin/DumpRenderTree...done.
(gdb) run LayoutTests/fast/js/dfg-add-not-number.html
Starting program: /home/oszi/WebKit/WebKitBuild/Debug/bin/DumpRenderTree LayoutTests/fast/js/dfg-add-not-number.html
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xf01ffb40 (LWP 17229)]
[New Thread 0xef7ffb40 (LWP 17238)]
[Thread 0xef7ffb40 (LWP 17238) exited]
[New Thread 0xef7ffb40 (LWP 17248)]
[New Thread 0xee983b40 (LWP 17249)]
SHOULD NEVER BE REACHED
/home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp(917) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal(JSC::DFG::Node*, JSC::DataFormat&, JSC::DFG::SpeculationDirection) [with bool strict = false, JSC::DFG::GPRReg = JSC::X86Registers::RegisterID]

Program received signal SIGSEGV, Segmentation fault.
0xf34b6b19 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
(gdb) bt
#0  0xf34b6b19 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
#1  0xf34b76e1 in _Unwind_Backtrace () from /lib/i386-linux-gnu/libgcc_s.so.1
#2  0xf33fc007 in backtrace () from /lib/i386-linux-gnu/libc.so.6
#3  0xf62eee21 in WTFGetBacktrace (stack=0xffff69e8, size=0xffff6a6c) at /home/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:249
#4  0xf62eee5d in WTFReportBacktrace () at /home/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:278
#5  0xf6127fbe in JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal<false> (this=0xffff94e4, node=0xedf100e4,
    returnFormat=@0xffff6bf0: JSC::DataFormatNone, direction=JSC::DFG::BackwardSpeculation)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:917
#6  0xf6106b6c in JSC::DFG::SpeculativeJIT::fillSpeculateInt (this=0xffff94e4, node=0xedf100e4, returnFormat=@0xffff6bf0: JSC::DataFormatNone,
    direction=JSC::DFG::BackwardSpeculation) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:927
#7  0xf60f738d in JSC::DFG::SpeculateIntegerOperand::gpr (this=0xffff6be4) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2680
#8  0xf60f7225 in JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand (this=0xffff6be4, jit=0xffff94e4, use=...,
    direction=JSC::DFG::BackwardSpeculation) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2656
#9  0xf60e9ce1 in JSC::DFG::SpeculativeJIT::compileAdd (this=0xffff94e4, node=0xedf1017c)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2981
#10 0xf610e29f in JSC::DFG::SpeculativeJIT::compile (this=0xffff94e4, node=0xedf1017c)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2178
#11 0xf60e34ff in JSC::DFG::SpeculativeJIT::compile (this=0xffff94e4, block=...) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1725
#12 0xf60e3bda in JSC::DFG::SpeculativeJIT::compile (this=0xffff94e4) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1838
#13 0xf60aec4b in JSC::DFG::JITCompiler::compileBody (this=0xffffa72c, speculative=...) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#14 0xf60afe1a in JSC::DFG::JITCompiler::compileFunction (this=0xffffa72c, entry=..., entryWithArityCheck=...)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
#15 0xf60a216e in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0xeea001f0, codeBlock=0x8194f60, jitCode=...,
    jitCodeWithArityCheck=0xedfded44, osrEntryBytecodeIndex=0) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:173
#16 0xf60a1989 in JSC::DFG::tryCompileFunction (exec=0xeea001f0, codeBlock=0x8194f60, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:191
#17 0xf6232a6c in JSC::jitCompileFunctionIfAppropriate (exec=0xeea001f0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=...,
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITDriver.h:95
#18 0xf6232d28 in JSC::prepareFunctionForExecution (exec=0xeea001f0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT,
    bytecodeIndex=0, kind=JSC::CodeForCall) at /home/oszi/WebKit/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#19 0xf6231098 in JSC::FunctionExecutable::compileForCallInternal (this=0xedfded18, exec=0xeea001f0, scope=0xeef7f838, jitType=JSC::JITCode::DFGJIT,
    bytecodeIndex=0) at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:538
#20 0xf62308a9 in JSC::FunctionExecutable::compileOptimizedForCall (this=0xedfded18, exec=0xeea001f0, scope=0xeef7f838, bytecodeIndex=0)
    at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:463
#21 0xf5fa4708 in JSC::FunctionExecutable::compileOptimizedFor (this=0xedfded18, exec=0xeea001f0, scope=0xeef7f838, bytecodeIndex=0, kind=JSC::CodeForCall)
    at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.h:678
#22 0xf5f9f3ed in JSC::FunctionCodeBlock::compileOptimized (this=0x818d4d8, exec=0xeea001f0, scope=0xeef7f838, bytecodeIndex=0)
    at /home/oszi/WebKit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2846
#23 0xf6185c02 in JSC::cti_optimize (args=0xffffacf0) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1892
#24 0xf6182a6a in JSC::tryCacheGetByID (callFrame=0x0, codeBlock=0xfffffffb, returnAddress=..., baseValue=..., propertyName=..., slot=...,
    stubInfo=0x80b7c44) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:989
#25 0x5a800000 in ?? ()
#26 0x00000000 in ?? ()
(gdb)
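Triage helper, added here as an example and not code from WebKit or from anyone in this thread: it parses gdb `bt` output of the kind pasted in comment 2, drops the unwinder and WTF assertion-reporting frames, and derives a crash signature from the first real source frame so that the 27 crashing tests can be grouped by root cause rather than inspected one at a time. The embedded sample is a trimmed copy of the backtrace above (frames 8 onward omitted); the list of noise functions and the signature depth of three frames are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One gdb frame, possibly wrapped onto continuation lines by gdb:
#   "#N  0xADDR in FUNC (ARGS) at FILE:LINE"   or   "#N  0xADDR in ?? () from LIB"
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?:0x(?P<addr>[0-9a-fA-F]+)\s+in\s+)?(?P<rest>.*)$")
AT_RE = re.compile(r"\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$")
FROM_RE = re.compile(r"\s+from\s+(?P<lib>\S+)\s*$")
# WTF's assertion banner line: "<file>(<line>) : <function signature>"
ASSERT_RE = re.compile(r"^(?P<file>\S+)\((?P<line>\d+)\) : (?P<func>.+)$")

# Frames that belong to crash reporting, not to the bug (assumption for this example).
NOISE_FUNCTIONS = {"WTFGetBacktrace", "WTFReportBacktrace", "WTFCrash",
                   "backtrace", "_Unwind_Backtrace", "??"}


@dataclass
class Frame:
    index: int
    addr: Optional[int]
    function: str
    file: Optional[str] = None
    line: Optional[int] = None
    library: Optional[str] = None


def _logical_lines(text: str) -> List[str]:
    """Rejoin frame lines that gdb wrapped; continuations start with whitespace."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            out.append(raw.rstrip())
        elif out and raw[:1].isspace() and raw.strip():
            out[-1] += " " + raw.strip()
    return out


def parse_backtrace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for entry in _logical_lines(text):
        m = FRAME_RE.match(entry)
        if not m:
            continue
        rest = m.group("rest")
        file = line = lib = None
        at = AT_RE.search(rest)
        if at:
            file, line, rest = at.group("file"), int(at.group("line")), rest[:at.start()]
        else:
            fr = FROM_RE.search(rest)
            if fr:
                lib, rest = fr.group("lib"), rest[:fr.start()]
        function = rest.split(" (", 1)[0].strip()  # drop the argument list
        addr = int(m.group("addr"), 16) if m.group("addr") else None
        frames.append(Frame(int(m.group("idx")), addr, function, file, line, lib))
    return frames


def parse_assertion(text: str) -> Optional[Tuple[str, str, int]]:
    """Return (message, file, line) from the 'MESSAGE' / 'file(line) : func' banner."""
    lines = [l for l in text.splitlines() if l.strip()]
    for i, l in enumerate(lines):
        m = ASSERT_RE.match(l.strip())
        if m and i > 0:
            return lines[i - 1].strip(), m.group("file"), int(m.group("line"))
    return None


def culprit(frames: List[Frame]) -> Optional[Frame]:
    """First frame with source info that is not crash-reporting plumbing."""
    for f in frames:
        if f.file is None or f.function in NOISE_FUNCTIONS:
            continue
        if f.file.endswith("/wtf/Assertions.cpp"):
            continue
        return f
    return None


def crash_signature(text: str, depth: int = 3) -> str:
    """Grouping key: culprit frame plus a few callers, as function@file:line."""
    frames = parse_backtrace(text)
    top = culprit(frames)
    if top is None:
        return "unknown"
    keep = [f for f in frames if f.index >= top.index and f.file][:depth]
    return " <- ".join(f"{f.function}@{f.file.rsplit('/', 1)[-1]}:{f.line}" for f in keep)


def group_by_signature(reports: Dict[str, str]) -> Dict[str, List[str]]:
    """Map signature -> test names, so many crashing tests collapse to a few causes."""
    groups: Dict[str, List[str]] = {}
    for test, bt in reports.items():
        groups.setdefault(crash_signature(bt), []).append(test)
    return groups


# Trimmed copy of the gdb session from comment 2 (frames 8 onward omitted).
SAMPLE_BT = """\
SHOULD NEVER BE REACHED
/home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp(917) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal(JSC::DFG::Node*, JSC::DataFormat&, JSC::DFG::SpeculationDirection) [with bool strict = false, JSC::DFG::GPRReg = JSC::X86Registers::RegisterID]
(gdb) bt
#0  0xf34b6b19 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
#1  0xf34b76e1 in _Unwind_Backtrace () from /lib/i386-linux-gnu/libgcc_s.so.1
#2  0xf33fc007 in backtrace () from /lib/i386-linux-gnu/libc.so.6
#3  0xf62eee21 in WTFGetBacktrace (stack=0xffff69e8, size=0xffff6a6c) at /home/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:249
#4  0xf62eee5d in WTFReportBacktrace () at /home/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:278
#5  0xf6127fbe in JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal<false> (this=0xffff94e4, node=0xedf100e4,
    returnFormat=@0xffff6bf0: JSC::DataFormatNone, direction=JSC::DFG::BackwardSpeculation)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:917
#6  0xf6106b6c in JSC::DFG::SpeculativeJIT::fillSpeculateInt (this=0xffff94e4, node=0xedf100e4, returnFormat=@0xffff6bf0: JSC::DataFormatNone,
    direction=JSC::DFG::BackwardSpeculation) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:927
#7  0xf60f738d in JSC::DFG::SpeculateIntegerOperand::gpr (this=0xffff6be4) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2680
#25 0x5a800000 in ?? ()
#26 0x00000000 in ?? ()
"""
```

Feeding each crashing test's gdb output to `group_by_signature` gives one bucket per distinct culprit frame; for the sample above the signature starts at `fillSpeculateIntInternal<false>@DFGSpeculativeJIT32_64.cpp:917`, which is exactly the line named in the assertion banner, so `parse_assertion` can be used as a cross-check when the backtrace itself is truncated or lacks symbols.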
Comment 3 Filip Pizlo 2013-02-19 00:04:45 PST
Created attachment 189007 [details]
possible patch

Can y'all see if this fixes the bugs, on your end?

I'm running tests on my end now as well.
Comment 4 Filip Pizlo 2013-02-19 00:05:38 PST
(In reply to comment #2)
> Sure. Here you are:
> 
> $ WebKitBuild/Debug/bin/DumpRenderTree
> GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "i686-linux-gnu".
> For bug reporting instructions, please see:
> <http://bugs.launchpad.net/gdb-linaro/>...
> Reading symbols from /home/oszi/WebKit/WebKitBuild/Debug/bin/DumpRenderTree...done.
> (gdb) run LayoutTests/fast/js/dfg-add-not-number.html
> Starting program: /home/oszi/WebKit/WebKitBuild/Debug/bin/DumpRenderTree LayoutTests/fast/js/dfg-add-not-number.html
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
> [New Thread 0xf01ffb40 (LWP 17229)]
> [New Thread 0xef7ffb40 (LWP 17238)]
> [Thread 0xef7ffb40 (LWP 17238) exited]
> [New Thread 0xef7ffb40 (LWP 17248)]
> [New Thread 0xee983b40 (LWP 17249)]
> SHOULD NEVER BE REACHED
> /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp(917) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal(JSC::DFG::Node*, JSC::DataFormat&, JSC::DFG::SpeculationDirection) [with bool strict = false, JSC::DFG::GPRReg = JSC::X86Registers::RegisterID]
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0xf34b6b19 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
> (gdb) bt
> #0  0xf34b6b19 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
> #1  0xf34b76e1 in _Unwind_Backtrace () from /lib/i386-linux-gnu/libgcc_s.so.1
> #2  0xf33fc007 in backtrace () from /lib/i386-linux-gnu/libc.so.6
> #3  0xf62eee21 in WTFGetBacktrace (stack=0xffff69e8, size=0xffff6a6c) at /home/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:249
> #4  0xf62eee5d in WTFReportBacktrace () at /home/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:278
> #5  0xf6127fbe in JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal<false> (this=0xffff94e4, node=0xedf100e4,
>     returnFormat=@0xffff6bf0: JSC::DataFormatNone, direction=JSC::DFG::BackwardSpeculation)
>     at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:917
> #6  0xf6106b6c in JSC::DFG::SpeculativeJIT::fillSpeculateInt (this=0xffff94e4, node=0xedf100e4, returnFormat=@0xffff6bf0: JSC::DataFormatNone,
>     direction=JSC::DFG::BackwardSpeculation) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:927
> #7  0xf60f738d in JSC::DFG::SpeculateIntegerOperand::gpr (this=0xffff6be4) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2680
> #8  0xf60f7225 in JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand (this=0xffff6be4, jit=0xffff94e4, use=...,
>     direction=JSC::DFG::BackwardSpeculation) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2656
> #9  0xf60e9ce1 in JSC::DFG::SpeculativeJIT::compileAdd (this=0xffff94e4, node=0xedf1017c)
>     at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2981
> #10 0xf610e29f in JSC::DFG::SpeculativeJIT::compile (this=0xffff94e4, node=0xedf1017c)
>     at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2178
> #11 0xf60e34ff in JSC::DFG::SpeculativeJIT::compile (this=0xffff94e4, block=...) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1725
> #12 0xf60e3bda in JSC::DFG::SpeculativeJIT::compile (this=0xffff94e4) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1838
> #13 0xf60aec4b in JSC::DFG::JITCompiler::compileBody (this=0xffffa72c, speculative=...) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
> #14 0xf60afe1a in JSC::DFG::JITCompiler::compileFunction (this=0xffffa72c, entry=..., entryWithArityCheck=...)
>     at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
> #15 0xf60a216e in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0xeea001f0, codeBlock=0x8194f60, jitCode=...,
>     jitCodeWithArityCheck=0xedfded44, osrEntryBytecodeIndex=0) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:173
> #16 0xf60a1989 in JSC::DFG::tryCompileFunction (exec=0xeea001f0, codeBlock=0x8194f60, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0)
>     at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:191
> #17 0xf6232a6c in JSC::jitCompileFunctionIfAppropriate (exec=0xeea001f0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=...,
>     jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITDriver.h:95
> #18 0xf6232d28 in JSC::prepareFunctionForExecution (exec=0xeea001f0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT,
>     bytecodeIndex=0, kind=JSC::CodeForCall) at /home/oszi/WebKit/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
> #19 0xf6231098 in JSC::FunctionExecutable::compileForCallInternal (this=0xedfded18, exec=0xeea001f0, scope=0xeef7f838, jitType=JSC::JITCode::DFGJIT,
>     bytecodeIndex=0) at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:538
> #20 0xf62308a9 in JSC::FunctionExecutable::compileOptimizedForCall (this=0xedfded18, exec=0xeea001f0, scope=0xeef7f838, bytecodeIndex=0)
>     at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:463
> #21 0xf5fa4708 in JSC::FunctionExecutable::compileOptimizedFor (this=0xedfded18, exec=0xeea001f0, scope=0xeef7f838, bytecodeIndex=0, kind=JSC::CodeForCall)
>     at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.h:678
> #22 0xf5f9f3ed in JSC::FunctionCodeBlock::compileOptimized (this=0x818d4d8, exec=0xeea001f0, scope=0xeef7f838, bytecodeIndex=0)
>     at /home/oszi/WebKit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2846
> #23 0xf6185c02 in JSC::cti_optimize (args=0xffffacf0) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1892
> #24 0xf6182a6a in JSC::tryCacheGetByID (callFrame=0x0, codeBlock=0xfffffffb, returnAddress=..., baseValue=..., propertyName=..., slot=...,
>     stubInfo=0x80b7c44) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:989
> #25 0x5a800000 in ?? ()
> #26 0x00000000 in ?? ()
> (gdb)

Yep - that's what I'm seeing, too.
Comment 5 Filip Pizlo 2013-02-19 00:06:34 PST
Created attachment 189008 [details]
better patch

fixed another case
Comment 6 Filip Pizlo 2013-02-19 00:17:17 PST
Created attachment 189011 [details]
better patch

Picking off bugs as I find them...
Comment 7 Csaba Osztrogonác 2013-02-19 00:47:47 PST
(In reply to comment #6)
> Created an attachment (id=189011) [details]
> better patch
> 
> Picking off bugs as I find them...

fast/js tests pass for me on 32 bit with this patch.
Comment 8 Csaba Osztrogonác 2013-02-19 01:31:04 PST
cc JSC reviewers
Comment 9 Zoltan Herczeg 2013-02-19 02:21:40 PST
Comment on attachment 189011 [details]
better patch

r=me
Comment 10 WebKit Review Bot 2013-02-19 02:43:20 PST
Comment on attachment 189011 [details]
better patch

Clearing flags on attachment: 189011

Committed r143314: <http://trac.webkit.org/changeset/143314>
Comment 11 WebKit Review Bot 2013-02-19 02:43:24 PST
All reviewed patches have been landed.  Closing bug.