159880 – JSC JIT Broken on ARMv7 Traditional (without Thumb2)

Bug 159880 - JSC JIT Broken on ARMv7 Traditional (without Thumb2)

Summary: JSC JIT Broken on ARMv7 Traditional (without Thumb2)

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Csaba Osztrogonác

URL:
Keywords:

Depends on:
Blocks:	108645
	Show dependency tree / graph

Reported:	2016-07-18 10:13 PDT by Carlos Alberto Lopez Perez
Modified:	2016-07-20 00:31 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
Patch (2.07 KB, patch) 2016-07-19 09:10 PDT, Csaba Osztrogonác	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos Alberto Lopez Perez 2016-07-18 10:13:39 PDT

When building WebKitGTK+ for ARMv7 (armhf) with traditional ARM intruction set (-marm) instead of building with Thumb2 instruction set (-mthumb) the JSC JIT fails at run-time. It builds fine, but then any webpage with JavaScript will make the WebProcess crash.

I have been able to reproduce this with 2.12.3. Not sure if its reproducible with current trunk, I will try to reproduce it there also.

It seems that GNU/Linux armhf distributions build with Thumb2 (-mthumb) by default. At least on Debian the default toolchain (gcc compiler) is built with --with-mode=thumb on armhhf. Therefore the GTK+ ARM buildbot (that runs on Debian) is only testing the ARMv7 Thumb2 build.

Related: https://bugzilla.yoctoproject.org/show_bug.cgi?id=9474

Comment 1 Carlos Alberto Lopez Perez 2016-07-18 20:25:33 PDT

It seems the issue is also reproducible on current trunk (tried with r203370).

The command line jsc interpreter also crashes:

root@raspberrypi3:~# jsc
>>> 1 + 1
Segmentation fault


Not sure if this only affects the GTK+ port or EFL/JSCOnly are also affected?

Comment 2 Tomas Popela 2016-07-19 02:32:43 PDT

(In reply to comment #1)
> Not sure if this only affects the GTK+ port or EFL/JSCOnly are also affected?

JSCOnly affected as well. Crashing with SIGILL, Illegal instruction. Also I cannot obtain anything useful from the backtrace..

Core was generated by `./jsc'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
592     ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp: No such file or directory.
[Current thread is 1 (Thread 0xb2d6e220 (LWP 29498))]
(gdb) bt full
#0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
        vm = @0xb6fb5a28: <error reading variable>
        tracer = {<No data fields>}
        codeBlock = 0xb6fb5be0
#1  0xb60a347c in llint_entry () at ../../Source/JavaScriptCore/runtime/Butterfly.h:58
No symbol table info available.
#2  0x00000000 in ?? ()
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Comment 3 Csaba Osztrogonác 2016-07-19 03:10:34 PDT

(In reply to comment #2)
> (In reply to comment #1)
> > Not sure if this only affects the GTK+ port or EFL/JSCOnly are also affected?
> 
> JSCOnly affected as well. Crashing with SIGILL, Illegal instruction. Also I
> cannot obtain anything useful from the backtrace..
> 
> Core was generated by `./jsc'.
> Program terminated with signal SIGILL, Illegal instruction.
> #0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at
> ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
> 592     ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp: No such
> file or directory.
> [Current thread is 1 (Thread 0xb2d6e220 (LWP 29498))]
> (gdb) bt full
> #0  0xb62049ba in JSC::slow_path_enter (exec=0xb6fb5a28, pc=0xb6fb5be0) at
> ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:592
>         vm = @0xb6fb5a28: <error reading variable>
>         tracer = {<No data fields>}
>         codeBlock = 0xb6fb5be0
> #1  0xb60a347c in llint_entry () at
> ../../Source/JavaScriptCore/runtime/Butterfly.h:58
> No symbol table info available.
> #2  0x00000000 in ?? ()
> No symbol table info available.
> Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Did you get it on ARMv7 hardware? 
Could you provide a disassembly near this illegal instruction?

Comment 4 Csaba Osztrogonác 2016-07-19 08:06:34 PDT

After digging it with Tomas, it seems we ran into a GNU gold linker bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=19410

I'm going to prepare a workaround to use the BFD linker on ARM.

Comment 5 Csaba Osztrogonác 2016-07-19 09:10:09 PDT

Created attachment 284011 [details]
Patch

Comment 6 WebKit Commit Bot 2016-07-19 09:11:17 PDT

Attachment 284011 [details] did not pass style-queue:


ERROR: Source/cmake/OptionsCommon.cmake:76:  The parentheses after the last listitem "#if !defined(thumb2) && !defined(__thumb2__" should be in a new line.  [list/parentheses] [5]
Total errors found: 1 in 2 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 7 Tomas Popela 2016-07-19 22:45:39 PDT

I can confirm that the patch provided by Ossy fixes the issue.

Comment 8 WebKit Commit Bot 2016-07-20 00:31:48 PDT

Comment on attachment 284011 [details]
Patch

Clearing flags on attachment: 284011

Committed r203446: <http://trac.webkit.org/changeset/203446>

Comment 9 WebKit Commit Bot 2016-07-20 00:31:52 PDT

All reviewed patches have been landed.  Closing bug.