NEW 146629
[MIPS] webkitgtk crashed if JIT is enabled
https://bugs.webkit.org/show_bug.cgi?id=146629
Summary [MIPS] webkitgtk crashed if JIT is enabled
Jeffrey
Reported 2015-07-06 02:26:35 PDT
Webkitgtk crashed when I run the javascript test. The backtrace and some gdb information are listed below.

warning: Could not load shared library symbols for 82 libraries, e.g. /usr/lib/libwebkitgtk-1.0.so.0.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `/usr/local/bin/otvwebkit http://10.12.2.99/testcase/regression/testcase.html'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x759f4e08 in ?? ()
(gdb) bt
#0  0x759f4e08 in llint_op_push_name_scope () from /home/otv5/otv5/jeli_pc2/DEVELOP/OTV_WebKit/otvwebkit2.0/otvtarg/tc7356_uclibc_bc/sdk_all/target/usr/lib/libjavascriptcoregtk-1.0.so.0
#1  0x759f4e00 in llint_op_pop_scope () from /home/otv5/otv5/jeli_pc2/DEVELOP/OTV_WebKit/otvwebkit2.0/otvtarg/tc7356_uclibc_bc/sdk_all/target/usr/lib/libjavascriptcoregtk-1.0.so.0
Backtrace stopped: frame did not save the PC
(gdb) i reg
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000001 6bfbfd40 fffffffb 6c3e2fa8 7262de0c 759f2bac 72642978
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   fffffffa fffffffb fffffffe fffffffb 726112f4 00000004 ecb5a59f 6c3e2f98
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  7f8e1258 7260b000 7262de0c 7260b000 6c1b91a8 6bf5fa68 72642960 7260b000
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  6c3e2f98 759f2bac 00000000 00000000 6c1b91a8 7f8e0d00 6c3e2fa8 759f4e00
            sr       lo       hi      bad    cause       pc
      00008713 00000004 00000000 6c1b18c0 00800008 759f4e08
           fsr      fir
      88800004 00000000
(gdb) x/16i llint_op_push_name_scope
   0x759f4e00 <llint_op_push_name_scope>:     move    a0,s8
   0x759f4e04 <llint_op_push_name_scope+4>:   move    a1,s2
=> 0x759f4e08 <llint_op_push_name_scope+8>:   lw      t9,-30952(gp)
   0x759f4e0c <llint_op_push_name_scope+12>:  bal     0x759eac98 <llint_slow_path_push_name_scope>
   0x759f4e10 <llint_op_push_name_scope+16>:  nop
   0x759f4e14 <llint_op_push_name_scope+20>:  move    gp,s4
   0x759f4e18 <llint_op_push_name_scope+24>:  move    s2,v0
   0x759f4e1c <llint_op_push_name_scope+28>:  move    s8,v1
   0x759f4e20 <llint_op_push_name_scope+32>:  addiu   s2,s2,16
   0x759f4e24 <llint_op_push_name_scope+36>:  lw      ra,0(s2)
   0x759f4e28 <llint_op_push_name_scope+40>:  jr      ra
   0x759f4e2c <llint_op_push_name_scope+44>:  nop
   0x759f4e30 <llint_op_throw>:               move    a0,s8
   0x759f4e34 <llint_op_throw+4>:             move    a1,s2
   0x759f4e38 <llint_op_throw+8>:             lw      t9,-30948(gp)
   0x759f4e3c <llint_op_throw+12>:            bal     0x759e9864 <llint_slow_path_throw>
   0x759f4e40 <llint_op_throw+16>:            nop
(gdb)
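As an added triage aid (not part of the bug report or of WebKit), the script below parses the `info registers` dump above and checks that the address the faulting `lw t9,-30952(gp)` dereferences is exactly the `bad` (BadVAddr) register value. A match ties the SIGSEGV to a $gp-relative load through a wrong $gp, consistent with the reporter's diagnosis, rather than to a corrupted instruction stream. The dump text is copied verbatim from the report; the instruction mnemonics handled are an assumption about what the dump can contain.

```python
import re

# MIPS `info registers` dump copied from the gdb session in this report:
# a row of register names followed by a row of hex values (sometimes prefixed
# with a row label such as R0 / R8 / R16 / R24).
GDB_INFO_REG = """\
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000001 6bfbfd40 fffffffb 6c3e2fa8 7262de0c 759f2bac 72642978
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   fffffffa fffffffb fffffffe fffffffb 726112f4 00000004 ecb5a59f 6c3e2f98
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  7f8e1258 7260b000 7262de0c 7260b000 6c1b91a8 6bf5fa68 72642960 7260b000
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  6c3e2f98 759f2bac 00000000 00000000 6c1b91a8 7f8e0d00 6c3e2fa8 759f4e00
            sr       lo       hi      bad    cause       pc
      00008713 00000004 00000000 6c1b18c0 00800008 759f4e08
           fsr      fir
      88800004 00000000
"""
# The instruction gdb marks with "=>" in the disassembly above.
FAULTING_INSN = "lw t9,-30952(gp)"


def parse_info_reg(text):
    """Return {register name: int value} from a MIPS `info registers` dump."""
    regs = {}
    rows = [line for line in text.splitlines() if line.strip()]
    for name_row, value_row in zip(rows[::2], rows[1::2]):
        names, values = name_row.split(), value_row.split()
        # Drop the Rn row label that gdb prints in front of the GPR value rows.
        if values and values[0].startswith("R") and values[0][1:].isdigit():
            values = values[1:]
        if len(names) != len(values):
            raise ValueError("register row mismatch: %r" % name_row)
        for name, value in zip(names, values):
            regs[name] = int(value, 16)
    return regs


def effective_address(insn, regs):
    """Base+offset address of a MIPS load/store such as `lw t9,-30952(gp)`."""
    m = re.fullmatch(r"\s*(lw|sw|lb|lbu|lh|lhu|sb|sh)\s+\w+,(-?\d+)\((\w+)\)\s*", insn)
    if not m:
        raise ValueError("not a base+offset memory access: %r" % insn)
    disp, base = int(m.group(2)), m.group(3)
    return (regs[base] + disp) & 0xFFFFFFFF


def explain_fault(insn, regs):
    """Compare the instruction's effective address with BadVAddr ('bad')."""
    ea = effective_address(insn, regs)
    return {"ea": ea, "bad": regs["bad"], "matches_bad": ea == regs["bad"]}
```

The dump also shows `s4 == gp`, which is consistent with the `move gp,s4` in the disassembly restoring $gp from a saved copy after each slow-path call.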
Attachments
test case for this issue. (588 bytes, text/html)
2015-07-06 02:29 PDT, Jeffrey
no flags
proposed patch (1.39 KB, patch)
2015-07-06 18:04 PDT, Jeffrey
no flags
Jeffrey
Comment 1 2015-07-06 02:29:24 PDT
Created attachment 256203 [details] test case for this issue.
Jeffrey
Comment 2 2015-07-06 18:04:57 PDT
Created attachment 256268 [details]
proposed patch

On the MIPS platform, the function llint_op_catch() uses the RA register to compute the gp pointer. JSC::CCallHelpers::jumpToExceptionHandler() uses the T9 register. This causes an invalid gp pointer when jumping to llint_op_catch(). My patch loads the function address into RA first, then copies it to T9 and jumps.
Michael Catanzaro
Comment 3 2015-12-30 15:26:10 PST
Guillaume, this look OK? You didn't run into this issue...?

(In reply to comment #1)
> Created attachment 256203 [details]
> test case for this issue.

Great. This should probably be added as a testcase under LayoutTests/js.
Guillaume Emont
Comment 4 2016-01-18 18:21:32 PST
(In reply to comment #3)
> Guillaume, this look OK? You didn't run into this issue...?

I did not run into this issue (yet?), maybe because I've mainly worked with jsc only (only compiling WTF/ and JavaScriptCore/).

I am a little confused by the patch though. I understand that $gp is computed by the code of .cpload (emitted by offlineasm for each label), which uses $t9. I don't understand how this is different for llint_op_catch(), though I didn't study the exception code/protocol, and I have a feeling that this is not your regular function, and there might be something done with $ra that I did not understand.

> (In reply to comment #1)
> > Created attachment 256203 [details]
> > test case for this issue.
>
> Great. This should probably be added as a testcase under LayoutTests/js.
Michael Catanzaro
Comment 5 2016-07-14 05:35:09 PDT
Comment on attachment 256268 [details]
proposed patch

Jeffrey, could you respond to Guillaume's questions here? Resetting the request flags in the meantime.
Jeffrey
Comment 6 2016-09-08 01:31:10 PDT
(In reply to comment #4)
> (In reply to comment #3)
> > Guillaume, this look OK? You didn't run into this issue...?
>
> I did not run into this issue (yet?), maybe because I've mainly worked with
> jsc only (only compiling WTF/ and JavaScriptCore/).
> I am a little confused by the patch though. I understand that $gp is
> computed by the code of .cpload (emitted by offlineasm for each label),
> which uses $t9. I don't understand how this is different for
> llint_op_catch(), though I didn't study the exception code/protocol, and I
> have a feeling that this is not your regular function, and there might be
> something done with $ra that I did not understand.
>
> > (In reply to comment #1)
> > > Created attachment 256203 [details]
> > > test case for this issue.
> >
> > Great. This should probably be added as a testcase under LayoutTests/js.

The .cpload uses the $ra register to compute the $gp value. The jumpToExceptionHandler() uses $t9 as the jump register now. Then in the llint_op_catch() function, $ra will get an incorrect value. This will cause the $gp value to be incorrect too.