Bug 126585 - CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js
Summary: CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
Reported: 2014-01-07 11:15 PST by Michael Saboff
Modified: 2014-01-07 11:26 PST (History)
Attachments
Patch (2.25 KB, patch)
2014-01-07 11:23 PST, Michael Saboff
ggaren: review+

Description Michael Saboff 2014-01-07 11:15:59 PST
Running ecma/FunctionObjects/15.3.1.1-3.js on ARM64 crashes due to an ASSERT failure emitting an add instruction with the stack pointer as the destination register.

(lldb) bt
* thread #1: tid = 0x4e360b, 0x000000010072d010 JavaScriptCore`WTFCrash + 68 at Assertions.cpp:341, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010072d010 JavaScriptCore`WTFCrash + 68 at Assertions.cpp:341
    frame #1: 0x000000010011b524 JavaScriptCore`JSC::ARM64Assembler::xOrZr(reg=sp) + 72 at ARM64Assembler.h:3230
    frame #2: 0x000000010011cc2c JavaScriptCore`JSC::ARM64Assembler::addSubtractShiftedRegister(sf=Datasize_64, op=AddOp_ADD, S=DontSetFlags, shift=LSL, rm=x16, imm6=0, rn=x29, rd=sp) + 328 at ARM64Assembler.h:3258
    frame #3: 0x00000001002e03c0 JavaScriptCore`void JSC::ARM64Assembler::add<64, (this=0x000000016fd7c3a0, rd=sp, rn=x29, rm=x16, shift=LSL, amount=0)0>(JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Assembler::ShiftType, int) + 232 at ARM64Assembler.h:937
    frame #4: 0x00000001002e02cc JavaScriptCore`void JSC::ARM64Assembler::add<64, (this=0x000000016fd7c3a0, rd=sp, rn=x29, rm=x16)0>(JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID) + 52 at ARM64Assembler.h:918
    frame #5: 0x00000001002e0100 JavaScriptCore`JSC::MacroAssemblerARM64::add64(this=0x000000016fd7c3a0, imm=TrustedImm32 at 0x000000016fd7ba90, src=x29, dest=sp) + 304 at MacroAssemblerARM64.h:254
  * frame #6: 0x00000001002d7ec8 JavaScriptCore`JSC::MacroAssembler::addPtr(this=0x000000016fd7c3a0, imm=TrustedImm32 at 0x000000016fd7bac0, src=x29, dest=sp) + 56 at MacroAssembler.h:704
    frame #7: 0x000000010041c9c8 JavaScriptCore`JSC::JIT::privateCompile(this=0x000000016fd7c3a0, effort=JITCompilationCanFail) + 1696 at JIT.cpp:553
    frame #8: 0x00000001003337b4 JavaScriptCore`JSC::JIT::compile(vm=0x0000000101574000, codeBlock=0x000000013d643ec0, effort=JITCompilationCanFail) + 76 at JIT.h:200
    frame #9: 0x000000010054f87c JavaScriptCore`JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000000013d643ec0, exec=0x000000016fd80740) + 276 at LLIntSlowPaths.cpp:311
    frame #10: 0x0000000100546f0c JavaScriptCore`llint_loop_osr(exec=0x000000016fd80740, pc=0x0000000101c2fbd0) + 168 at LLIntSlowPaths.cpp:399
    frame #11: 0x00000001005564a0 JavaScriptCore`llint_op_loop_hint + 68
    frame #12: 0x0000000100556664 JavaScriptCore`llint_op_call + 284
    frame #13: 0x000000010055129c JavaScriptCore`callToJavaScript + 420
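The assertion in frames #1 and #2 follows from the A64 encoding: in ADD (shifted register) the Rd and Rn fields are "X or XZR", so register number 31 means xzr and sp has no encoding as the destination, whereas ADD (extended register) and ADD (immediate) read 31 in those fields as sp. The following C is an added illustration of that rule, not JavaScriptCore's assembler or the patch attached to this bug; the register enum and helper names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed register names: SP and ZR are kept distinct in the API even
 * though both encode as register number 31 in different instruction forms. */
enum Reg { X0 = 0, X16 = 16, X29 = 29, SP = 31, ZR = 32 };

/* Map to the 5-bit field where 31 means XZR; SP has no encoding here (-1). */
static int x_or_zr(enum Reg r) { return r == SP ? -1 : (r == ZR ? 31 : (int)r); }
/* Map to the 5-bit field where 31 means SP; ZR has no encoding here (-1). */
static int x_or_sp(enum Reg r) { return r == ZR ? -1 : (r == SP ? 31 : (int)r); }

/* ADD (shifted register), 64-bit: Rd, Rn and Rm are all X-or-ZR fields.
 * Returns 0 instead of asserting when sp is requested, the case in frames #1-#2. */
uint32_t add64_shifted(enum Reg rd, enum Reg rn, enum Reg rm, unsigned imm6) {
    int d = x_or_zr(rd), n = x_or_zr(rn), m = x_or_zr(rm);
    if (d < 0 || n < 0 || m < 0) return 0;
    return 0x8B000000u | ((uint32_t)m << 16) | ((imm6 & 0x3Fu) << 10) | ((uint32_t)n << 5) | (uint32_t)d;
}

/* ADD (extended register), 64-bit, option UXTX with no shift: Rd and Rn are
 * X-or-SP fields, so sp is a legal destination; Rm stays X-or-ZR. */
uint32_t add64_extended(enum Reg rd, enum Reg rn, enum Reg rm) {
    int d = x_or_sp(rd), n = x_or_sp(rn), m = x_or_zr(rm);
    if (d < 0 || n < 0 || m < 0) return 0;
    return 0x8B200000u | ((uint32_t)m << 16) | (3u << 13) | ((uint32_t)n << 5) | (uint32_t)d;
}

/* ADD (immediate), 64-bit, unshifted 12-bit immediate: Rd and Rn are X-or-SP. */
uint32_t add64_imm(enum Reg rd, enum Reg rn, unsigned imm12) {
    int d = x_or_sp(rd), n = x_or_sp(rn);
    if (d < 0 || n < 0) return 0;
    return 0x91000000u | ((imm12 & 0xFFFu) << 10) | ((uint32_t)n << 5) | (uint32_t)d;
}

/* Register-register add that selects a form in which sp can be encoded. */
uint32_t add64_reg(enum Reg rd, enum Reg rn, enum Reg rm) {
    if (rd == SP || rn == SP) return add64_extended(rd, rn, rm);
    return add64_shifted(rd, rn, rm, 0);
}

int main(void) {
    /* The operands from the backtrace: add sp, x29, x16. */
    printf("shifted form:  0x%08X (0 = no encoding)\n", add64_shifted(SP, X29, X16, 0));
    printf("extended form: 0x%08X\n", add64_extended(SP, X29, X16));
    printf("immediate:     0x%08X (add sp, sp, #16)\n", add64_imm(SP, SP, 16));
    return 0;
}
```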
Comment 1 Michael Saboff 2014-01-07 11:23:32 PST
Created attachment 220536 [details]
Patch
Comment 2 Geoffrey Garen 2014-01-07 11:25:04 PST
Comment on attachment 220536 [details]
Patch

r=me
Comment 3 Michael Saboff 2014-01-07 11:26:43 PST
Committed r161439: <http://trac.webkit.org/changeset/161439>