RESOLVED FIXED184891
[WinCairo] Fix js/regexp-unicode.html crash. 
https://bugs.webkit.org/show_bug.cgi?id=184891
Summary [WinCairo] Fix js/regexp-unicode.html crash.
Ross Kirsling
Reported 2018-04-23 10:55:45 PDT
Layout test js/regexp-unicode.html is currently crashing for WinCairo, but only in Release mode. As a more pointed repro case, one can simply execute the line `/\u{1044f}/u.test("\ud801\udc4f")` in JSC. This seems to be another MSVC __forceinline issue.
Attachments
Patch (2.61 KB, patch)
2018-04-23 11:03 PDT, Ross Kirsling 		no flags
DetailsFormatted DiffDiff
Patch (3.23 KB, patch)
2018-04-25 11:25 PDT, Ross Kirsling 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ross Kirsling
Comment 1 2018-04-23 11:03:25 PDT
Created attachment 338594 [details] Patch
Alex Christensen
Comment 2 2018-04-24 10:27:57 PDT
Comment on attachment 338594 [details] Patch This feels like it's just covering up another bug. I've seen bugs like this before that are actually from using uninitialized memory.
Mark Lam
Comment 3 2018-04-24 10:31:52 PDT
Comment on attachment 338594 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=338594&action=review > Source/JavaScriptCore/ChangeLog:10 > + MSVC evidently can't handle __forceinline here. Can you please explain why __forceinline would result in a crash in the first place? It doesn't make sense that a change in inlining behavior would resolve a crash short of working around a compiler bug. You'll need to provide proof if that is the case.
Ross Kirsling
Comment 4 2018-04-24 10:33:02 PDT
(In reply to Alex Christensen from comment #2) > Comment on attachment 338594 [details] > Patch > > This feels like it's just covering up another bug. I've seen bugs like this > before that are actually from using uninitialized memory. That is indeed the type of crash here, but it claims to be occurring at: https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/RegExpInlines.h#L279 ...which seems like it's probably not accurate due to optimization. Unfortunately, there's no repro with RelWithDebInfo, so I'm a bit confused how to proceed...
Ross Kirsling
Comment 5 2018-04-24 10:33:56 PDT
(In reply to Mark Lam from comment #3) > Comment on attachment 338594 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=338594&action=review > > > Source/JavaScriptCore/ChangeLog:10 > > + MSVC evidently can't handle __forceinline here. > > Can you please explain why __forceinline would result in a crash in the > first place? It doesn't make sense that a change in inlining behavior would > resolve a crash short of working around a compiler bug. You'll need to > provide proof if that is the case. I agree. In particular, it's perplexing that AppleWin doesn't seem to have such an issue (though I imagine this is almost certainly a 32-bit/64-bit difference).
Ross Kirsling
Comment 6 2018-04-24 17:42:12 PDT
It appears that during the call to YarrJIT::execute here, %rdi gets overwritten (to 0xDC00): https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/RegExpInlines.h#L269 > call rax > movups xmm1,xmmword ptr [rax] Now, when we reach the return here, which destination register gets chosen evidently depends on __forceinline: https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/RegExpInlines.h#L279 Specifically, with `inline` we have... > movups xmmword ptr [rbx],xmm1 ...but with `__forceinline` we have... > movups xmmword ptr [rdi],xmm1 As established, %rdi has already been changed to 0xDC00, so the latter crashes with a write violation.
Ross Kirsling
Comment 7 2018-04-25 11:25:43 PDT
Created attachment 338762 [details] Patch
Yusuke Suzuki
Comment 8 2018-04-25 11:27:35 PDT
Comment on attachment 338762 [details] Patch r=me
WebKit Commit Bot
Comment 9 2018-04-25 12:35:05 PDT
Comment on attachment 338762 [details] Patch Clearing flags on attachment: 338762 Committed r231009: <https://trac.webkit.org/changeset/231009>
WebKit Commit Bot
Comment 10 2018-04-25 12:35:07 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 11 2018-04-25 12:36:21 PDT
<rdar://problem/39730640>
Note You need to log in before you can comment on or make changes to this bug.