Bug 140095 - Debug ASan builds frequently crash in Register::jsValue under DFG::prepareOSREntry
Summary: Debug ASan builds frequently crash in Register::jsValue under DFG::prepareOSR...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-05 13:50 PST by Alexey Proskuryakov
Modified: 2015-01-06 16:26 PST (History)
3 users (show)

See Also:

Attachments
proposed fix (1.20 KB, patch)
2015-01-05 15:50 PST, Alexey Proskuryakov 		andersca: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2015-01-05 13:50:48 PST 
In release builds, Register::jsValue is inlined into DFG::prepareOSREntry, so a blacklist line we have in webkit-asan-ignore.txt is sufficient. But in debug builds, it is not inlined, so we crash in this function.

Adding Register::jsValue to the blacklist is not the best fix, because this function is used elsewhere. The better fix is to blacklist the whole file.
Comment 1 Alexey Proskuryakov 2015-01-05 15:50:25 PST 
Created attachment 244013 [details]
proposed fix

Actually, blacklisting the file doesn't work - if we do that, we get a non-ASan version of the inline function in DFGOSREntry.o, but it is later eliminated by the linker in favor of an ASanified copy from another file.

So I only see two options:
1. Blacklist Register::jsValue(), and ask for a better solution (which I propose here).
2. Make a copy of Register::jsValue() function with a different name, just for the purpose of using it in prepareOSREntry() in a blacklist.
Comment 2 Alexey Proskuryakov 2015-01-06 16:26:11 PST 
Committed <http://trac.webkit.org/r178005>.