Bug 112380 - Add runtime check for improper register allocations in DFG
Summary: Add runtime check for improper register allocations in DFG
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords:
Depends on: 111777
Blocks: 112609
Reported: 2013-03-14 14:23 PDT by Michael Saboff
Modified: 2017-06-12 11:55 PDT (History)

See Also:


Attachments
Patch (9.23 KB, patch)
2013-03-14 14:48 PDT, Michael Saboff
ggaren: review+

Description Michael Saboff 2013-03-14 14:23:09 PDT
The recent bug https://bugs.webkit.org/show_bug.cgi?id=111777 - "Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article" had a symptom not at all related to the cause.  Defects like it are difficult to track down and it isn't clear when adding or modifying the DFG JIT code generator that one has created such a problem.  Therefore we should create a runtime check to find, via ASSERT, that a register allocation has been added in an unsafe location.
Comment 1 Michael Saboff 2013-03-14 14:48:04 PDT
Created attachment 193190 [details]
Patch

No new tests were added with this patch, as existing tests should work unchanged unless they have unsafe register allocations and then they'll crash.
Comment 2 WebKit Review Bot 2013-03-14 14:51:02 PDT
Attachment 193190 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/assembler/AbstractMacroAssembler.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/WTF/ChangeLog', u'Source/WTF/wtf/Platform.h']" exit_code: 1
Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:696:  This { should be at the end of the previous line  [whitespace/braces] [4]
Total errors found: 1 in 7 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Michael Saboff 2013-03-15 11:55:16 PDT
When enabled and an improper register allocation is found, the process will ASSERT fail and provide a backtrace similar to:

ASSERTION FAILED: Unsafe branch over register allocation at offset 126
!(low <= m_offset && m_offset <= high)
/Volumes/Data/src/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(706) : void JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int)
1   0x10ef79f0c JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int)
2   0x10ef791e8 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int)
3   0x10ef7616f JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const
4   0x10f0500f7 JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality(JSC::DFG::Edge, JSC::DFG::Edge)
5   0x10f029f57 JSC::DFG::SpeculativeJIT::compare(JSC::DFG::Node*, JSC::MacroAssemblerX86Common::RelationalCondition, JSC::MacroAssemblerX86Common::DoubleCondition, unsigned long (*)(JSC::ExecState*, long long, long long))
6   0x10f0554a5 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
7   0x10f02127f JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
8   0x10f021b2e JSC::DFG::SpeculativeJIT::compile()
9   0x10efe4499 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
10  0x10efe5a7d JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
11  0x10efc49a0 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
12  0x10efc433c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
13  0x10f09fc91 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
14  0x10f0a03eb JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
15  0x10f09ce29 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
16  0x10f09cb45 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)
17  0x10eefb02f JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
18  0x10eef0aae JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
19  0x10f10aebf cti_optimize
20  0x10f113470 jscGeneratedNativeCode
21  0x10f0d00e4 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*)
22  0x10f0c87b9 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*)
23  0x10f0c7f07 JSC::eval(JSC::ExecState*)
24  0x10f110da1 cti_op_call_eval
25  0x10f113470 jscGeneratedNativeCode
26  0x10f0d00e4 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*)
27  0x10f0ccbc8 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
28  0x10ef3d117 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
29  0x111603e42 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
30  0x111e8b173 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*)
31  0x111e8b2c4 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&)
Comment 4 Geoffrey Garen 2013-03-15 12:02:43 PDT
Comment on attachment 193190 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=193190&action=review

r=me

> Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:728
> +            unsigned temp;
> +            temp = offset1;
> +            offset1 = offset2;
> +            offset2 = temp;

Please use std::swap.

> Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:770
> +    Vector<RegisterAllocationOffset, 10> m_unsafeRegisterAllocationForBranchingOver;

I think it would be a little clearer just to call this, and related functions, something like "registerAllocationOffsets". There's nothing inherently unsafe about the data we're tracking -- we just happen to use the data to discover unsafe actions.

> Source/WTF/wtf/Platform.h:856
> +#if !defined(ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION) && ENABLE(DFG_JIT)
> +#define ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION 0
> +#endif

Let's turn this on by default in debug builds, so it can help us catch bugs.
Comment 5 Michael Saboff 2013-03-15 12:37:41 PDT
Committed r145931: <http://trac.webkit.org/changeset/145931>
Comment 6 Thiago Marcos P. Santos 2013-03-18 09:04:52 PDT
(In reply to comment #5)
> Committed r145931: <http://trac.webkit.org/changeset/145931>

Looks like it caught the first bug on WebAudio. I have several failing on EFL Debug bot after this patch:

crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ERROR: Thread name "com.apple.WebKit.ProcessLauncher" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ERROR: Thread name "com.apple.WebKit.EventDispatcher" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ERROR: Thread name "com.apple.WebKit.PluginProcessConnectionManager" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 496 in jump offset range 496..524
STDERR: !(low <= m_offset && m_offset <= high)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(704) : void JSC::AbstractMacroAssembler<AssemblerType>::RegisterAllocationOffset::check(unsigned int, unsigned int) [with AssemblerType = JSC::X86Assembler]
STDERR: 1   0x7fe38a9e5180 JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int)
STDERR: 2   0x7fe38a9e46f4 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int)
STDERR: 3   0x7fe38a9e42e2 JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const
STDERR: 4   0x7fe38aa71d63 JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray(JSC::TypedArrayDescriptor const&, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID, JSC::DFG::Node*, unsigned long)
STDERR: 5   0x7fe38aa9cac9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
STDERR: 6   0x7fe38aa6d0e7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
STDERR: 7   0x7fe38aa6d84f JSC::DFG::SpeculativeJIT::compile()
STDERR: 8   0x7fe38aa3a0f8 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
STDERR: 9   0x7fe38aa3b325 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
STDERR: 10  0x7fe38aa298f8 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
STDERR: 11  0x7fe38aa2917c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
STDERR: 12  0x7fe38abe4997 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
STDERR: 13  0x7fe38abe4c8c JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
STDERR: 14  0x7fe38abe2e9a JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
STDERR: 15  0x7fe38abe2617 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 16  0x7fe38a938a7d JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
STDERR: 17  0x7fe38a932766 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 18  0x7fe38ab38a7e
STDERR: 19  0x7fe38ab35ab8
STDERR: 20  0x7fe33d45c058
Comment 7 Andras Becsi 2013-03-18 09:31:35 PDT
The same ASSERT is hit in debug Qt MiniBrowser (x86_64 Linux) when loading wired.com

ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 216 in jump offset range 216..262

0x00007ffff1e45358 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check (this=0x7fffffffb1a8, low=216, high=262)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:704
704                 RELEASE_ASSERT_WITH_MESSAGE(!(low <= m_offset && m_offset <= high), "Unsafe branch over register allocation at instruction offset %u in jump offset range %u..%u", m_offset, low, high);
(gdb) bt
#0  0x00007ffff1e45358 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check (this=0x7fffffffb1a8, low=216, high=262)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:704
#1  0x00007ffff1e44998 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange (this=0x7fffffffb0d0, offset1=216, offset2=262)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:728
#2  0x00007ffff1e445ac in JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link (this=0x7fffffff6790, masm=0x7fffffffb0d0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:542
#3  0x00007ffff1ef06ee in JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality (this=0x7fffffffa470, leftChild=..., rightChild=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1433
#4  0x00007ffff1ed1d71 in JSC::DFG::SpeculativeJIT::compare (this=0x7fffffffa470, node=0x7fff818605b0, condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation=
    0x7ffff1ea46bb <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3438
#5  0x00007ffff1ef5528 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470, node=0x7fff818605b0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2328
#6  0x00007ffff1ec9b59 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470, block=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1762
#7  0x00007ffff1eca2c7 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1880
#8  0x00007ffff1e982d2 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffb0d0, speculative=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#9  0x00007ffff1e99531 in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffb0d0, entry=..., entryWithArityCheck=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
#10 0x00007ffff1e886ac in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fff833ff530, codeBlock=0x1620370, jitCode=..., jitCodeWithArityCheck=0x7ffff7eef3c0, osrEntryBytecodeIndex=0)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#11 0x00007ffff1e87e84 in JSC::DFG::tryCompileFunction (exec=0x7fff833ff530, codeBlock=0x1620370, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
#12 0x00007ffff201e5b9 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff833ff530, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITDriver.h:95
#13 0x00007ffff201e8ab in JSC::prepareFunctionForExecution (exec=0x7fff833ff530, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, kind=JSC::CodeForCall)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#14 0x00007ffff201cafa in JSC::FunctionExecutable::compileForCallInternal (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.cpp:538
#15 0x00007ffff201c277 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.cpp:463
#16 0x00007ffff1d6e143 in JSC::FunctionExecutable::compileOptimizedFor (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0, kind=JSC::CodeForCall)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.h:678
#17 0x00007ffff1d68af2 in JSC::FunctionCodeBlock::compileOptimized (this=0x817dc0, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2879
#18 0x00007ffff1f6524e in JSC::cti_optimize (args=0x7fffffffc9b0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:1899
#19 0x00007ffff1f6226d in JSC::tryCacheGetByID (callFrame=0x7fff833ff530, codeBlock=0x7ffff7ecfc70, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fff00000000)
    at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:996
#20 0x00007fff833ff060 in ?? ()
#21 0x00007fff00000000 in ?? ()
#22 0x00007ffff18536d1 in WebCore::jsDocumentCookie (exec=0x7fffffffc9b0, slotBase=...) at generated/JSDocument.cpp:514
Comment 8 Michael Saboff 2013-03-18 10:21:21 PDT
(In reply to comment #7)
> The same ASSERT is hit in debug Qt MiniBrowser (x86_64 Linux) when loading wired.com

This one is known and being tracked with https://bugs.webkit.org/show_bug.cgi?id=112477
Comment 9 Michael Saboff 2013-03-18 12:41:50 PDT
(In reply to comment #6)
> (In reply to comment #5)
> > Committed r145931: <http://trac.webkit.org/changeset/145931>
> 
> Looks like it caught the first bug on WebAudio. I have several failing on EFL Debug bot after this patch:

Created https://bugs.webkit.org/show_bug.cgi?id=112609 - "EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()" to track this.  Investigating now.
Comment 10 Yusuke Suzuki 2017-06-12 11:32:02 PDT
Hmmm, it seems that this check is not so correct.
This assertion can be fired even if the code is not buggy.
For example,

SpeculateCellOperand cell(this);
GPRReg cellGPR = cell.gpr();

auto loop = m_jit.label();
...
m_jit.jump().linkTo(loop, &m_jit);

causes assertion failure. But there are no bugs.
Comment 11 Saam Barati 2017-06-12 11:50:30 PDT
(In reply to Yusuke Suzuki from comment #10)
> Hmmm, it seems that this check is not so correct.
> This assertion can be fired even if the code is not buggy.
> For example,
> 
> SpeculateCellOperand cell(this);
> GPRReg cellGPR = cell.gpr();
> 
> auto loop = m_jit.label();
> ...
> m_jit.jump().linkTo(loop, &m_jit);
> 
> causes assertion failure. But there are no bugs.

I vaguely remember one of Filip's patches running into this same assertion recently.
Comment 12 Saam Barati 2017-06-12 11:55:17 PDT
(In reply to Saam Barati from comment #11)
> I vaguely remember one of Filip's patches running into this same assertion
> recently.

Looks like the same thing, discussion here:
https://bugs.webkit.org/show_bug.cgi?id=164108

Fil filed this bug:
https://bugs.webkit.org/show_bug.cgi?id=170974

He solved it in his patch by padding w/ a nop
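As an added illustration (not WebKit code) of the check this bug introduces (comment 3) and of the false positive comment 10 describes: a toy assembler that records register-allocation offsets and, like checkRegisterAllocationAgainstBranchRange(), rejects any jump whose inclusive source..target range covers one. The nop workaround from comment 12 is modelled on the assumption that it simply moves the loop label one instruction past the allocation's offset; all class and function names below are invented for the example.

```cpp
// Added example, not WebKit's own code: a minimal model of the
// ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION check discussed in this bug.
#include <cstddef>
#include <utility>
#include <vector>

// A toy assembler that only tracks a byte offset, the register-allocation
// offsets recorded by the code generator, and jumps to be linked.
class ToyAssembler {
public:
    struct Label { unsigned offset; };
    struct Jump  { unsigned offset; };   // offset of the branch instruction

    // Emit some instruction bytes; the real assembler does this on every op.
    void emit(unsigned bytes) { m_offset += bytes; }
    void nop() { emit(1); }
    Label label() const { return Label { m_offset }; }
    Jump jump() { Jump j { m_offset }; emit(5); return j; }

    // Called whenever a register is allocated. Allocation emits no code of
    // its own, so its recorded offset is simply the current offset.
    void recordRegisterAllocation() { m_registerAllocationOffsets.push_back(m_offset); }

    // Mirrors checkRegisterAllocationAgainstBranchRange(): true if any
    // allocation lies inside the inclusive range [low, high].
    bool hasAllocationInBranchRange(unsigned offset1, unsigned offset2) const {
        if (offset1 > offset2)
            std::swap(offset1, offset2);           // the reviewer's suggestion
        for (unsigned allocationOffset : m_registerAllocationOffsets) {
            if (offset1 <= allocationOffset && allocationOffset <= offset2)
                return true;
        }
        return false;
    }

    // Mirrors Jump::link()/linkTo(): returns false where JSC would ASSERT.
    bool link(Jump j, Label target) const {
        return !hasAllocationInBranchRange(j.offset, target.offset);
    }

private:
    unsigned m_offset = 0;
    std::vector<unsigned> m_registerAllocationOffsets;
};

// The genuinely unsafe pattern: a forward branch skips over an allocation,
// so the two paths reach the merge point with different register state.
bool unsafeForwardBranchIsFlagged() {
    ToyAssembler jit;
    jit.emit(4);
    ToyAssembler::Jump skip = jit.jump();
    jit.recordRegisterAllocation();   // only reached on the fall-through path
    jit.emit(3);
    ToyAssembler::Label done = jit.label();
    return !jit.link(skip, done);     // the check fires: true
}

// Comment 10's false positive: allocate, define the loop label at the very
// same offset, then branch back to it. The inclusive range test counts the
// allocation as "inside" the loop even though it precedes the loop body.
bool loopFalsePositiveIsFlagged() {
    ToyAssembler jit;
    jit.recordRegisterAllocation();             // SpeculateCellOperand cell(this)
    ToyAssembler::Label loop = jit.label();     // same offset as the allocation
    jit.emit(8);
    ToyAssembler::Jump back = jit.jump();
    return !jit.link(back, loop);               // fires although nothing is wrong: true
}

// The nop workaround (assumption: one byte of padding between allocation and
// label moves the label past the allocation, so the range no longer covers it).
bool loopWithNopPaddingIsClean() {
    ToyAssembler jit;
    jit.recordRegisterAllocation();
    jit.nop();
    ToyAssembler::Label loop = jit.label();
    jit.emit(8);
    ToyAssembler::Jump back = jit.jump();
    return jit.link(back, loop);                // no assertion: true
}
```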