RESOLVED DUPLICATE of bug 159720 160157
REGRESSION(r203537): It made many tests crash on ARMv7 with ARM instruction set
https://bugs.webkit.org/show_bug.cgi?id=160157
Csaba Osztrogonác
Reported 2016-07-25 02:13:57 PDT
JSCOnly Linux ARMv7 Traditional Release:
- before: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1613
- after: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1623 ( https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1637 )

Crash log on ARMv7 with ARM instruction set:

Running stress/exit-after-int52-to-double.js.default
stress/exit-after-int52-to-double.js.default: ASSERTION FAILED: linkBuffer.isValid()
stress/exit-after-int52-to-double.js.default: ../../Source/JavaScriptCore/jit/JITMathIC.h(130) : void JSC::JITMathIC<Generator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr) [with GeneratorType = JSC::JITAddGenerator]
stress/exit-after-int52-to-double.js.default: 1 0xb6394fb0 WTFCrash
stress/exit-after-int52-to-double.js.default: 2 0xb5ea3104 JSC::JITMathIC<JSC::JITAddGenerator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr)
stress/exit-after-int52-to-double.js.default: 3 0xb5e9a0b8
stress/exit-after-int52-to-double.js.default: Segmentation fault
stress/exit-after-int52-to-double.js.default: ERROR: Unexpected exit code: 139
FAIL: stress/exit-after-int52-to-double.js.default

It seems it is similar to bug 159720. Can't we disable this new feature somehow, similar to https://trac.webkit.org/changeset/203272 ?
Csaba Osztrogonác
Comment 1 2016-07-25 05:15:48 PDT
I can confirm that this bug and bug 159720 have the same root. The problem is that "auto jump = jit.jump();" allocates a constant on the constant pool, which makes the linkBuffer ctor not allocate. But the question is still open: can we disable IC generating on ARM traditional until we can find the proper fix? Because now it is completely broken and there are 2700 crashing stress tests.

*** This bug has been marked as a duplicate of bug 159720 ***
Csaba Osztrogonác
Comment 2 2016-07-28 05:16:26 PDT
(In reply to comment #0)
> Can't we disable this new feature somehow similar to
> https://trac.webkit.org/changeset/203272 ?

ARM assembler has been completely broken for more than a month because of this IC refactoring work. It would be great to get an answer on whether we can work around it or not.
Saam Barati
Comment 3 2016-07-28 08:50:20 PDT
You can make MathIC generateInline always return false before generating any code. This will make the resulting code quite slow though. It will lead to a C call for every JS add.
Csaba Osztrogonác
Comment 4 2016-07-29 11:10:07 PDT
(In reply to comment #3)
> You can make MathIC generateInline always return false before
> generating any code. This will make the resulting code quite
> slow though. It will lead to a C call for every JS add.

Uploaded a patch to bug 159759 to disable it.