RESOLVED FIXED126585
CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js 
https://bugs.webkit.org/show_bug.cgi?id=126585
Summary CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js
Michael Saboff
Reported 2014-01-07 11:15:59 PST
Running ecma/FunctionObjects/15.3.1.1-3.js on ARM64 crashes due to an ASSERT failure emitting an add instruction with the stack pointer as the destination register. (lldb) bt * thread #1: tid = 0x4e360b, 0x000000010072d010 JavaScriptCore`WTFCrash + 68 at Assertions.cpp:341, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x000000010072d010 JavaScriptCore`WTFCrash + 68 at Assertions.cpp:341 frame #1: 0x000000010011b524 JavaScriptCore`JSC::ARM64Assembler::xOrZr(reg=sp) + 72 at ARM64Assembler.h:3230 frame #2: 0x000000010011cc2c JavaScriptCore`JSC::ARM64Assembler::addSubtractShiftedRegister(sf=Datasize_64, op=AddOp_ADD, S=DontSetFlags, shift=LSL, rm=x16, imm6=0, rn=x29, rd=sp) + 328 at ARM64Assembler.h:3258 frame #3: 0x00000001002e03c0 JavaScriptCore`void JSC::ARM64Assembler::add<64, (this=0x000000016fd7c3a0, rd=sp, rn=x29, rm=x16, shift=LSL, amount=0)0>(JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Assembler::ShiftType, int) + 232 at ARM64Assembler.h:937 frame #4: 0x00000001002e02cc JavaScriptCore`void JSC::ARM64Assembler::add<64, (this=0x000000016fd7c3a0, rd=sp, rn=x29, rm=x16)0>(JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID, JSC::ARM64Registers::RegisterID) + 52 at ARM64Assembler.h:918 frame #5: 0x00000001002e0100 JavaScriptCore`JSC::MacroAssemblerARM64::add64(this=0x000000016fd7c3a0, imm=TrustedImm32 at 0x000000016fd7ba90, src=x29, dest=sp) + 304 at MacroAssemblerARM64.h:254 * frame #6: 0x00000001002d7ec8 JavaScriptCore`JSC::MacroAssembler::addPtr(this=0x000000016fd7c3a0, imm=TrustedImm32 at 0x000000016fd7bac0, src=x29, dest=sp) + 56 at MacroAssembler.h:704 frame #7: 0x000000010041c9c8 JavaScriptCore`JSC::JIT::privateCompile(this=0x000000016fd7c3a0, effort=JITCompilationCanFail) + 1696 at JIT.cpp:553 frame #8: 0x00000001003337b4 JavaScriptCore`JSC::JIT::compile(vm=0x0000000101574000, codeBlock=0x000000013d643ec0, effort=JITCompilationCanFail) + 76 at JIT.h:200 frame #9: 0x000000010054f87c JavaScriptCore`JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000000013d643ec0, exec=0x000000016fd80740) + 276 at LLIntSlowPaths.cpp:311 frame #10: 0x0000000100546f0c JavaScriptCore`llint_loop_osr(exec=0x000000016fd80740, pc=0x0000000101c2fbd0) + 168 at LLIntSlowPaths.cpp:399 frame #11: 0x00000001005564a0 JavaScriptCore`llint_op_loop_hint + 68 frame #12: 0x0000000100556664 JavaScriptCore`llint_op_call + 284 frame #13: 0x000000010055129c JavaScriptCore`callToJavaScript + 420
Attachments
Patch (2.25 KB, patch)
2014-01-07 11:23 PST, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2014-01-07 11:23:32 PST
Created attachment 220536 [details] Patch
Geoffrey Garen
Comment 2 2014-01-07 11:25:04 PST
Comment on attachment 220536 [details] Patch r=me
Michael Saboff
Comment 3 2014-01-07 11:26:43 PST
Committed r161439: <http://trac.webkit.org/changeset/161439>
Note You need to log in before you can comment on or make changes to this bug.