RESOLVED FIXED 161356
JITMathIC was misusing maxJumpReplacementSize 
https://bugs.webkit.org/show_bug.cgi?id=161356
Summary JITMathIC was misusing maxJumpReplacementSize
mitz
Reported 2016-08-29 16:02:38 PDT
On an iPhone 5, The Web Content process is failing an assertion in JITMathIC<JSC::JITAddGenerator>::generateInline(): ASSERTION FAILED: static_cast<ptrdiff_t>(inlineSize) <= MacroAssembler::maxJumpReplacementSize() Source/JavaScriptCore/jit/JITMathIC.h(89) : bool JSC::JITMathIC<JSC::JITAddGenerator>::generateInline(JSC::CCallHelpers &, JSC::MathICGenerationState &, bool) [Generator = JSC::JITAddGenerator] 1 0x376ae2f WTFCrash 2 0x341f6f3 JSC::JITMathIC<JSC::JITAddGenerator>::generateInline(JSC::CCallHelpers&, JSC::MathICGenerationState&, bool) 3 0x33fc137 void JSC::JIT::emitMathICFast<JSC::JITAddGenerator, long long (*)(JSC::ExecState*, long long, long long, JSC::ArithProfile*), long long (*)(JSC::ExecState*, long long, long long)>(JSC::JITMathIC<JSC::JITAddGenerator>*, JSC::Instruction*, long long (*)(JSC::ExecState*, long long, long long, JSC::ArithProfile*), long long (*)(JSC::ExecState*, long long, long long)) 4 0x33fbe23 JSC::JIT::emit_op_add(JSC::Instruction*) 5 0x33f0469 JSC::JIT::privateCompileMainPass() 6 0x33f2379 JSC::JIT::compileWithoutLinking(JSC::JITCompilationEffort) 7 0x34df131 JSC::JITWorklist::Plan::compileInThread() 8 0x34ded7f JSC::JITWorklist::Plan::compileNow(JSC::CodeBlock*) 9 0x34dec5d JSC::JITWorklist::compileLater(JSC::CodeBlock*) 10 0x356accb JSC::LLInt::jitCompileAndSetHeuristics(JSC::CodeBlock*, JSC::ExecState*) 11 0x356aea1 llint_replace 12 0x3578d09 llint_entry 13 0x357aa55 llint_entry 14 0x357ad67 llint_entry 15 0x3575261 vmEntryToJavaScript 16 0x34060ff JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 17 0x33c8811 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 18 0x2fb599d JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 19 0x3446953 JSC::boundThisNoArgsFunctionCall(JSC::ExecState*) 20 0x5e45ac61 21 0x357aa9f llint_entry 22 0x3575261 vmEntryToJavaScript 23 0x34060ff JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 24 0x33c8811 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 25 0x2fb599d JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 26 0x2fb5b47 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 27 0x349f939 JSC::JSJobMicrotask::run(JSC::ExecState*) 28 0x5cc75a3 WebCore::JSMainThreadExecState::runTask(JSC::ExecState*, JSC::Microtask&) 29 0x5cc74fd WebCore::JSDOMWindowMicrotaskCallback::call() 30 0x5cc7489 WebCore::JSDOMWindowBase::queueTaskToEventLoop(JSC::JSGlobalObject const*, WTF::Ref<JSC::Microtask>&&)::$_0::operator()() 31 0x5cc73b9 WTF::Function<void ()>::CallableWrapper<WebCore::JSDOMWindowBase::queueTaskToEventLoop(JSC::JSGlobalObject const*, WTF::Ref<JSC::Microtask>&&)::$_0>::call()
Attachments
patch (7.00 KB, patch)
2016-08-31 20:29 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2016-08-29 16:03:25 PDT
<rdar://problem/28065560>
mitz
Comment 2 2016-08-29 16:06:03 PDT
inlineSize is 10, MacroAssembler::maxJumpReplacementSize() is 4.
Saam Barati
Comment 3 2016-08-31 19:24:17 PDT
*** Bug 161468 has been marked as a duplicate of this bug. ***
Saam Barati
Comment 4 2016-08-31 20:29:46 PDT
Created attachment 287589 [details] patch
WebKit Commit Bot
Comment 5 2016-09-01 01:24:16 PDT
Comment on attachment 287589 [details] patch Clearing flags on attachment: 287589 Committed r205283: <http://trac.webkit.org/changeset/205283>
WebKit Commit Bot
Comment 6 2016-09-01 01:24:23 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.