165747 – FTL: Dumping disassembly requires that code origin is set when making polymorphic tail calls.

Bug 165747 - FTL: Dumping disassembly requires that code origin is set when making polymorphic tail calls.

Summary: FTL: Dumping disassembly requires that code origin is set when making polymor...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-12-11 22:24 PST by Michael Saboff
Modified:	2016-12-12 09:11 PST (History)
CC List:	4 users (show)

See Also:

Attachments
Patch (2.77 KB, patch) 2016-12-11 22:40 PST, Michael Saboff	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2016-12-11 22:24:10 PST

If you try to dump disassembly in code with a polymorphic tail call, you get a crash similar to:

ASSERTION FAILED: codeBlock()->canGetCodeOrigin(index)
/Volumes/Data/src/webkit/Source/JavaScriptCore/interpreter/CallFrame.cpp(172) : JSC::CodeOrigin JSC::ExecState::codeOrigin()
1   0x106b918fd WTFCrash
2   0x105c28eef JSC::ExecState::codeOrigin()
3   0x1068b24f3 JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine(JSC::MacroAssemblerCodeRef const&, JSC::VM&, JSC::JSCell const*, JSC::ExecState*, JSC::CallLinkInfo&, WTF::Vector<JSC::PolymorphicCallCase, 0ul, WTF::CrashOnOverflow, 16ul> const&, std::__1::unique_ptr<unsigned int [], std::__1::default_delete<unsigned int []> >)
4   0x1068b2916 JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine(JSC::MacroAssemblerCodeRef const&, JSC::VM&, JSC::JSCell const*, JSC::ExecState*, JSC::CallLinkInfo&, WTF::Vector<JSC::PolymorphicCallCase, 0ul, WTF::CrashOnOverflow, 16ul> const&, std::__1::unique_ptr<unsigned int [], std::__1::default_delete<unsigned int []> >)
5   0x106921956 JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant)
6   0x1064e3ba8 operationLinkPolymorphicCall
7   0x2af7dcc01ada
8   0x2af7dcc0e86a
9   0x2af7dcc0e01a
10  0x1066f4185 llint_entry
11  0x1066eca4e vmEntryToJavaScript
12  0x1064d0af2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
13  0x10644bc94 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
14  0x105cf879d JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
15  0x10348c121 runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::String const&, bool, bool, bool)
16  0x103483f9a runJSC(JSC::VM*, CommandLine)
17  0x103482afd jscmain(int, char**)
18  0x103482a4e main
19  0x7fffbfa88255 start
Segmentation fault: 11

Comment 1 Michael Saboff 2016-12-11 22:40:47 PST

Created attachment 296893 [details]
Patch

Comment 2 Filip Pizlo 2016-12-12 08:43:57 PST

Comment on attachment 296893 [details]
Patch

Heh.  I can't remember the number of times I've hit code origin issues in tail calls.

Comment 3 WebKit Commit Bot 2016-12-12 09:11:03 PST

Comment on attachment 296893 [details]
Patch

Clearing flags on attachment: 296893

Committed r209708: <http://trac.webkit.org/changeset/209708>

Comment 4 WebKit Commit Bot 2016-12-12 09:11:06 PST

All reviewed patches have been landed.  Closing bug.