Bug 114018 - Crash due to an assertion in AbstractMacroAssembler.h
Summary: Crash due to an assertion in AbstractMacroAssembler.h
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-05 03:24 PDT by Carlos Garcia Campos
Modified: 2013-10-30 10:48 PDT (History)
CC: 10 users

See Also:


Attachments
Patch (2.20 KB, patch)
2013-04-05 03:28 PDT, Carlos Garcia Campos
no flags
Updated patch to use TrustedImm32 (1.99 KB, patch)
2013-05-20 02:40 PDT, Carlos Garcia Campos
bfulgham: review+
commit-queue: commit-queue-

Description Carlos Garcia Campos 2013-04-05 03:24:32 PDT
Program terminated with signal 11, Segmentation fault.
#0  0x04eaf128 in JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::TrustedImmPtr::TrustedImmPtr (this=0x77feeba0, value=2)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:187
187	            ASSERT_UNUSED(value, !value);
(gdb) bt
#0  0x04eaf128 in JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::TrustedImmPtr::TrustedImmPtr (this=0x77feeba0, value=2)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:187
#1  0x04f07b00 in JSC::DFG::SpeculativeJIT::callOperation (this=0x77feec28, operation=0x4eb07b9 <JSC::DFG::operationCreateThis(JSC::ExecState*, JSC::JSObject*, std::int32_t)>, 
    result=JSC::ARMRegisters::r1, object=JSC::ARMRegisters::r0, size=2) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:1274
#2  0x04f133ac in JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator<JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::JumpList, JSC::JSCell* (*)(JSC::ExecState*, JSC::JSObject*, int), JSC::ARMRegisters::RegisterID, JSC::ARMRegisters::RegisterID, unsigned int>::generateInternal (this=0x76839ea8, jit=0x77feec28)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:218
#3  0x04edf1f2 in JSC::DFG::SlowPathGenerator::generate (this=0x76839ea8, jit=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:56
#4  0x04ec8dd0 in JSC::DFG::SpeculativeJIT::runSlowPathGenerators (this=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:355
#5  0x04e9e1fa in JSC::DFG::JITCompiler::compileFunction (this=0x77feff98, entry=..., entryWithArityCheck=...) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:342
#6  0x04e8f70e in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fb00af8, codeBlock=0x7678ba30, jitCode=..., jitCodeWithArityCheck=0x77151788, osrEntryBytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#7  0x04e8ef94 in JSC::DFG::tryCompileFunction (exec=0x7fb00af8, codeBlock=0x7678ba30, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
#8  0x050121b0 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fb00af8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, 
    effort=JSC::JITCompilationCanFail) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITDriver.h:95
#9  0x050123ba in JSC::prepareFunctionForExecution (exec=0x7fb00af8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, 
    kind=JSC::CodeForConstruct) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#10 0x05010ca6 in JSC::FunctionExecutable::compileForConstructInternal (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.cpp:574
#11 0x0501056e in JSC::FunctionExecutable::compileOptimizedForConstruct (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.cpp:474
#12 0x04dbedcc in JSC::FunctionExecutable::compileOptimizedFor (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0, kind=JSC::CodeForConstruct)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.h:680
#13 0x04db8c80 in JSC::FunctionCodeBlock::compileOptimized (this=0x775b0400, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2879
#14 0x04f859e6 in JSC::JITStubThunked_optimize (args=0x77ff0530) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1912
#15 0x04f85920 in cti_optimize () at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1843
#16 0x04f83190 in JSC::tryCacheGetByID (callFrame=0x77ff05e0, codeBlock=0x76d5c86c, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1009
#17 0x00000000 in ?? ()


The problem seems to be that TrustedImmPtr is called for an int32_t, and the TrustedImmPtr that receives an int is called, which only expects a 0.
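The overload-resolution mechanism the description points at, as an added example that models it and is not JavaScriptCore's own code: a stand-in TrustedImmPtr with the three constructors the discussion relies on (int, which is only meant for a literal 0; size_t; and a pointer) and a stand-in TrustedImm32. The Picked tag, the wouldAssert flag and the function names are instrumentation assumed here so the chosen overload can be observed instead of tripping the real ASSERT_UNUSED; the real AbstractMacroAssembler.h class is not reproduced.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Which constructor overload resolution chose (instrumentation for this example only).
enum class Picked { FromInt, FromSizeT, FromPointer };

// Stand-in for JSC's AbstractMacroAssembler::TrustedImmPtr. The constructor set
// (int / size_t / const void*) is assumed from the bug discussion; the real class
// is not reproduced here.
struct TrustedImmPtr {
    Picked picked;
    bool wouldAssert;    // true where the real code's ASSERT_UNUSED(value, !value) would fire
    const void* value;

    // int overload: exists so that a literal 0 can spell a null pointer. Any other
    // int is a programming error, which the real code reports with an ASSERT in
    // debug builds only (ASSERT_UNUSED compiles out in release builds).
    explicit TrustedImmPtr(int v)
        : picked(Picked::FromInt), wouldAssert(v != 0), value(nullptr) {}

    // size_t overload: an arbitrary pointer-sized integer immediate.
    explicit TrustedImmPtr(size_t v)
        : picked(Picked::FromSizeT), wouldAssert(false),
          value(reinterpret_cast<const void*>(static_cast<uintptr_t>(v))) {}

    // Pointer overload.
    explicit TrustedImmPtr(const void* p)
        : picked(Picked::FromPointer), wouldAssert(false), value(p) {}
};

// Stand-in for TrustedImm32: a 32-bit integer immediate.
struct TrustedImm32 {
    int32_t value;
    explicit TrustedImm32(int32_t v) : value(v) {}
};

// Before the patch: `size` is an int32_t, which is an exact match for the int
// constructor, so the "0 only" overload wins over size_t (integral conversion)
// and const void* (not viable for a non-zero integer).
TrustedImmPtr immBeforePatch(int32_t size) { return TrustedImmPtr(size); }

// First patch: cast to size_t so resolution selects the size_t overload.
TrustedImmPtr immWithCast(int32_t size) { return TrustedImmPtr(static_cast<size_t>(size)); }

// Updated patch: the callee takes int32_t, so pass a 32-bit immediate and
// never enter TrustedImmPtr's overload set at all.
TrustedImm32 immWithImm32(int32_t size) { return TrustedImm32(size); }

// Caveat with the cast variant: a negative int32_t is sign-extended to a large
// size_t, which the 32-bit immediate does not do.
size_t castWidens(int32_t size) { return static_cast<size_t>(size); }

int main() {
    assert(immBeforePatch(2).picked == Picked::FromInt && immBeforePatch(2).wouldAssert);
    assert(immWithCast(2).picked == Picked::FromSizeT);
    assert(immWithImm32(2).value == 2);
    return 0;
}
```

The int overload is the one the backtrace lands in (frame #0, value=2): with an int32_t argument it is an exact match, so the compiler never considers the size_t constructor. The cast makes the size_t overload win; TrustedImm32 sidesteps the question by matching the int32_t parameter of operationCreateThis seen in frame #1.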
Comment 1 Carlos Garcia Campos 2013-04-05 03:28:32 PDT
Created attachment 196610 [details]
Patch
Comment 2 Alp Toker 2013-04-06 10:37:02 PDT
The fix looks correct.

I wonder if it'd be more maintainable to remove the explicit TrustedImmPtr(size_t value) ctor syntactic sugar and require the caller to cast from size_t where needed?
Comment 3 Carlos Garcia Campos 2013-05-17 05:26:49 PDT
Ping. Could someone review this, please?
Comment 4 Filip Pizlo 2013-05-17 09:25:46 PDT
Comment on attachment 196610 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=196610&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:906
> -        m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(size));
> +        m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(static_cast<size_t>(size)));
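Review bot: the static_cast<size_t> at line 906 fixes which constructor is chosen but not the type mismatch; frame #1 of the backtrace shows the callee is operationCreateThis(ExecState*, JSObject*, int32_t), so the argument is a 32-bit integer and TrustedImm32(size) is the immediate that matches that parameter. Widening to a pointer-sized immediate also sign-extends a negative value into a large size_t, and the TrustedImmPtr(int) overload's ASSERT_UNUSED compiles out in release builds, so without a type-correct fix the wrong overload would be taken silently there.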

Wouldn't it be better to just change this to use TrustedImm32?

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:1303
> -        m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(size));
> +        m_jit.setupArgumentsWithExecState(object, TrustedImmPtr(static_cast<size_t>(size)));
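Review bot: same pattern at line 1303 as at 906; use TrustedImm32(size) in this overload of callOperation as well, so both call sites pass the argument with the callee's int32_t type instead of carrying two copies of the cast workaround that must be kept in sync.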

Ditto.
Comment 5 Carlos Garcia Campos 2013-05-20 02:40:41 PDT
Created attachment 202265 [details]
Updated patch to use TrustedImm32
Comment 6 Brent Fulgham 2013-10-30 10:34:14 PDT
Comment on attachment 202265 [details]
Updated patch to use TrustedImm32

r=me
Comment 7 WebKit Commit Bot 2013-10-30 10:48:15 PDT
Comment on attachment 202265 [details]
Updated patch to use TrustedImm32

Rejecting attachment 202265 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.appspot.com', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 202265, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Parsed 2 diffs from patch file(s).
patching file Source/JavaScriptCore/ChangeLog
Hunk #1 succeeded at 1 with fuzz 3.
patching file Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Hunk #1 FAILED at 903.
1 out of 1 hunk FAILED -- saving rejects to file Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h.rej

Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force', '--reviewer', u'Brent Fulgham']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Full output: http://webkit-queues.appspot.com/results/17068251