Bug 112609 - EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()
Summary: EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords:
Depends on: 112380 112680
Blocks:
Reported: 2013-03-18 12:40 PDT by Michael Saboff
Modified: 2013-03-19 04:14 PDT (History)

See Also:


Attachments
Patch (11.06 KB, patch)
2013-03-18 18:51 PDT, Michael Saboff
no flags

Description Michael Saboff 2013-03-18 12:40:52 PDT
After change set r145931: <http://trac.webkit.org/changeset/145931> was landed for https://bugs.webkit.org/show_bug.cgi?id=112380, the following assert failure started happening:

crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ERROR: Thread name "com.apple.WebKit.ProcessLauncher" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ERROR: Thread name "com.apple.WebKit.EventDispatcher" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ERROR: Thread name "com.apple.WebKit.PluginProcessConnectionManager" is longer than 31 characters and will be truncated by Visual Studio
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*)
STDERR: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 496 in jump offset range 496..524
STDERR: !(low <= m_offset && m_offset <= high)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(704) : void JSC::AbstractMacroAssembler<AssemblerType>::RegisterAllocationOffset::check(unsigned int, unsigned int) [with AssemblerType = JSC::X86Assembler]
STDERR: 1   0x7fe38a9e5180 JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int)
STDERR: 2   0x7fe38a9e46f4 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int)
STDERR: 3   0x7fe38a9e42e2 JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const
STDERR: 4   0x7fe38aa71d63 JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray(JSC::TypedArrayDescriptor const&, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID, JSC::DFG::Node*, unsigned long)
STDERR: 5   0x7fe38aa9cac9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
STDERR: 6   0x7fe38aa6d0e7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
STDERR: 7   0x7fe38aa6d84f JSC::DFG::SpeculativeJIT::compile()
STDERR: 8   0x7fe38aa3a0f8 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
STDERR: 9   0x7fe38aa3b325 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
STDERR: 10  0x7fe38aa298f8 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
STDERR: 11  0x7fe38aa2917c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
STDERR: 12  0x7fe38abe4997 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
STDERR: 13  0x7fe38abe4c8c JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
STDERR: 14  0x7fe38abe2e9a JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
STDERR: 15  0x7fe38abe2617 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 16  0x7fe38a938a7d JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
STDERR: 17  0x7fe38a932766 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 18  0x7fe38ab38a7e
STDERR: 19  0x7fe38ab35ab8
STDERR: 20  0x7fe33d45c058
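The assertion in the log above is a debug-only JIT invariant: once the DFG has emitted a branch, the register allocator must not run until that branch is linked, because allocating a register can emit spill or fill code that only one side of the branch executes, leaving the branch target with a different register state than the fall-through path assumed. The check records the code offset of every register allocation and, when a Jump is linked, asserts that no recorded offset lies inside the branch range (the logged condition `!(low <= m_offset && m_offset <= high)`). The following is an added model of that check, written for this page and not JavaScriptCore's own code; the class and function names, the instruction sizes and the padding to offset 496 are constructed to reproduce the shape of the logged failure (branch at 496, allocation inside 496..524) beside the ordering that satisfies the check, allocating the temporary before the branch is emitted.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Model (not JavaScriptCore code) of the "Unsafe branch over register
// allocation" check. Offsets are byte offsets into the code buffer being
// emitted, as in the assertion message above.

struct RegisterAllocationOffset {
    unsigned offset;
    // Mirrors the asserted condition !(low <= m_offset && m_offset <= high):
    // true when this allocation falls inside the branch range [low, high].
    bool inside(unsigned low, unsigned high) const
    {
        return low <= offset && offset <= high;
    }
};

class ModelAssembler {
public:
    // Emit an instruction of `bytes` bytes and return its offset.
    unsigned emit(unsigned bytes)
    {
        unsigned at = m_size;
        m_size += bytes;
        return at;
    }

    // Emit a branch whose target is unknown until link() is called.
    // The 6-byte size is a constructed stand-in for a jcc rel32.
    unsigned emitBranch() { return emit(6); }

    // Model of the register allocator: records where the allocation
    // happened and emits a (hypothetical 5-byte) spill store.
    void allocateRegister()
    {
        m_allocations.push_back({ m_size });
        emit(5);
    }

    unsigned currentOffset() const { return m_size; }

    // Link a branch to the current position. Returns the number of register
    // allocations recorded inside the branch range; 0 means the branch is safe,
    // anything else is what the assertion in the log fires on.
    unsigned link(unsigned branchOffset) const
    {
        unsigned low = std::min(branchOffset, m_size);
        unsigned high = std::max(branchOffset, m_size);
        unsigned unsafe = 0;
        for (const RegisterAllocationOffset& a : m_allocations) {
            if (a.inside(low, high))
                ++unsafe;
        }
        return unsafe;
    }

private:
    unsigned m_size = 0;
    std::vector<RegisterAllocationOffset> m_allocations;
};

// Shape of the failing sequence: a branch is emitted, then a register is
// allocated (emitting spill code) before the branch is linked.
unsigned unsafePattern()
{
    ModelAssembler masm;
    while (masm.currentOffset() < 496)   // constructed padding so the branch
        masm.emit(4);                    // lands at offset 496, as in the log
    unsigned branch = masm.emitBranch(); // branch at 496
    masm.allocateRegister();             // allocation inside the branch range
    masm.emit(4);
    return masm.link(branch);            // 1: the check would assert
}

// Ordering that satisfies the check: allocate the temporary first, then
// emit the branch, so no allocation offset lies between branch and target.
unsigned safePattern()
{
    ModelAssembler masm;
    masm.allocateRegister();             // allocation precedes the branch
    unsigned branch = masm.emitBranch();
    masm.emit(4);
    return masm.link(branch);            // 0: safe
}

int main()
{
    std::printf("unsafe pattern: %u allocation(s) in branch range\n", unsafePattern());
    std::printf("safe pattern:   %u allocation(s) in branch range\n", safePattern());
    return 0;
}
```

The model only reports the count; the real check asserts on it, so a miscompile of this class is caught in debug builds but would go unnoticed in a release build, where the JIT would silently emit code whose two paths disagree about which registers hold live values.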
Comment 1 Michael Saboff 2013-03-18 18:51:32 PDT
Created attachment 193714 [details]
Patch
Comment 2 Geoffrey Garen 2013-03-18 19:57:23 PDT
Comment on attachment 193714 [details]
Patch

r=me
Comment 3 WebKit Review Bot 2013-03-18 20:25:14 PDT
Comment on attachment 193714 [details]
Patch

Clearing flags on attachment: 193714

Committed r146174: <http://trac.webkit.org/changeset/146174>
Comment 4 WebKit Review Bot 2013-03-18 20:25:17 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Ryosuke Niwa 2013-03-18 21:33:58 PDT
Comment on attachment 193714 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> +            GPRReg resultGPR - result.gpr();

We're seeing a build failure on this line.
Comment 6 Ryosuke Niwa 2013-03-18 21:33:58 PDT
Comment on attachment 193714 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> +            GPRReg resultGPR - result.gpr();

We're seeing a build failure on this line.
Comment 7 Ryosuke Niwa 2013-03-18 21:34:41 PDT
http://build.webkit.org/builders/EFL%20Linux%2032-bit%20Release%20%28Build%29/builds/15966/steps/compile-webkit/logs/stdio

/mnt/buildbot/efl-linux-slave-3/efl-linux-32-release/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp: In member function 'void JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)':
/mnt/buildbot/efl-linux-slave-3/efl-linux-32-release/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324:30: error: expected initializer before '-' token
/mnt/buildbot/efl-linux-slave-3/efl-linux-32-release/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2327:32: error: 'resultGPR' was not declared in this scope
make[2]: *** [Source/JavaScriptCore/CMakeFiles/javascriptcore_efl.dir/dfg/DFGSpeculativeJIT32_64.cpp.o] Error 1
Comment 8 Michael Saboff 2013-03-18 21:35:50 PDT
(In reply to comment #6)
> (From update of attachment 193714 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review
> 
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> > +            GPRReg resultGPR - result.gpr();
> 
> We're seeing a build failure on this line.

I thought I fixed that.  Probably in my build, but not in the patch.   Doh!  Fixing now.
Comment 9 Michael Saboff 2013-03-18 21:45:34 PDT
(In reply to comment #8)
> (In reply to comment #6)
> > (From update of attachment 193714 [details] [details])
> > View in context: https://bugs.webkit.org/attachment.cgi?id=193714&action=review
> > 
> > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2324
> > > +            GPRReg resultGPR - result.gpr();
> > 
> > We're seeing a build failure on this line.
> 
> I thought I fixed that.  Probably in my build, but not in the patch.   Doh!  Fixing now.

Fix landed in change set r146178 <https://trac.webkit.org/changeset/146178>
Comment 10 Csaba Osztrogonác 2013-03-19 04:14:47 PDT
It caused a regression on 32 bit, here is the new bug report for it: https://bugs.webkit.org/show_bug.cgi?id=112680