RESOLVED FIXED 206276
[JSC][32bit] Assert failure bytecodeIndex.offset() < instructions().size() in UnlinkedCodeBlock::expressionRangeForBytecodeIndex
https://bugs.webkit.org/show_bug.cgi?id=206276
Fujii Hironori
Reported 2020-01-14 21:19:44 PST
[Win][32bit] Assert failure bytecodeIndex.offset() < instructions().size() in UnlinkedCodeBlock::expressionRangeForBytecodeIndex

AppleWin, 32bit, debug build trunk@254556

The assertion fails at almost every web site using JS. I don't know which revision is the culprit. Release builds work fine.

callstack:

> JavaScriptCore.dll!abort() Line 77 C++
> JavaScriptCore.dll!WTFCrashWithInfo(int __formal=184, const char * __formal=0x046fe770, const char * __formal=0x046fe394, int __formal=2258) Line 619 C++
> JavaScriptCore.dll!JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex(JSC::BytecodeIndex bytecodeIndex={...}, int & divot=0, int & startOffset=0, int & endOffset=0, unsigned int & line=0, unsigned int & column=0) Line 184 C++
> JavaScriptCore.dll!JSC::CodeBlock::expressionRangeForBytecodeIndex(JSC::BytecodeIndex bytecodeIndex={...}, int & divot=0, int & startOffset=0, int & endOffset=0, unsigned int & line=0, unsigned int & column=0) Line 1906 C++
> JavaScriptCore.dll!JSC::appendSourceToError(JSC::JSGlobalObject * globalObject=0x0cf76c68, JSC::CallFrame * callFrame=0x0c41ffa8, JSC::ErrorInstance * exception=0x26290cf8, JSC::BytecodeIndex bytecodeIndex={...}) Line 76 C++
> JavaScriptCore.dll!JSC::ErrorInstance::finishCreation(JSC::JSGlobalObject * globalObject=0x0cf76c68, JSC::VM & vm={...}, const WTF::String & message={...}, bool useCurrentFrame=true) Line 131 C++
> JavaScriptCore.dll!JSC::ErrorInstance::create(JSC::JSGlobalObject * globalObject=0x0cf76c68, JSC::VM & vm={...}, JSC::Structure * structure=0x0d2229e0, const WTF::String & message={...}, WTF::String(*)(const WTF::String &, const WTF::String &, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred) appender=0x03d862b0, JSC::RuntimeType type=TypeUndefined, bool useCurrentFrame=true) Line 62 C++
> JavaScriptCore.dll!JSC::createTypeError(JSC::JSGlobalObject * globalObject=0x0cf76c68, const WTF::String & message={...}, WTF::String(*)(const WTF::String &, const WTF::String &, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred) appender=0x03d862b0, JSC::RuntimeType type=TypeUndefined) Line 78 C++
> JavaScriptCore.dll!JSC::createError(JSC::JSGlobalObject * globalObject=0x0cf76c68, JSC::JSValue value={...}, const WTF::String & message={...}, WTF::String(*)(const WTF::String &, const WTF::String &, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred) appender=0x03d862b0) Line 281 C++
> JavaScriptCore.dll!JSC::createNotAConstructorError(JSC::JSGlobalObject * globalObject=0x0cf76c68, JSC::JSValue value={...}) Line 309 C++
> JavaScriptCore.dll!JSC::LLInt::handleHostCall(JSC::CallFrame * calleeFrame=0x0c41ff28, JSC::JSValue callee={...}, JSC::CodeSpecializationKind kind=CodeForConstruct) Line 1490 C++
> JavaScriptCore.dll!JSC::LLInt::setUpCall(JSC::CallFrame * calleeFrame=0x0c41ff28, JSC::CodeSpecializationKind kind=CodeForConstruct, JSC::JSValue calleeAsValue={...}, JSC::LLIntCallLinkInfo * callLinkInfo=0x263f3928) Line 1517 C++
> JavaScriptCore.dll!JSC::LLInt::genericCall<JSC::OpConstruct>(JSC::CodeBlock * codeBlock=0x0d08a920, JSC::CallFrame * callFrame=0x0c41ffa8, JSC::OpConstruct && bytecode={...}, JSC::CodeSpecializationKind kind=CodeForConstruct) Line 1579 C++
> JavaScriptCore.dll!llint_slow_path_construct(JSC::CallFrame * callFrame=0x0c41ffa8, const JSC::Instruction * pc=0x263b5524) Line 1600 C++
> JavaScriptCore.dll!JSC::LLInt::CLoop::execute(JSC::OpcodeID entryOpcodeID=llint_vm_entry_to_javascript, void * executableAddress=0x000000db, JSC::VM * vm=0x0ba46fd8, JSC::ProtoCallFrame * protoCallFrame=0x012fe510, bool isInitializationPass=false) Line 20151 C++
> JavaScriptCore.dll!vmEntryToJavaScript(void * executableAddress=0x000000db, JSC::VM * vm=0x0ba46fd8, JSC::ProtoCallFrame * protoCallFrame=0x012fe510) Line 171 C++
> JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm=0x0ba46fd8, JSC::ProtoCallFrame * protoCallFrame=0x012fe510) Line 38 C++
> JavaScriptCore.dll!JSC::Interpreter::executeProgram(const JSC::SourceCode & source={...}, JSC::JSGlobalObject * __formal=0x0cf76c68, JSC::JSObject * thisObj=0x0cf302c8) Line 849 C++
> JavaScriptCore.dll!JSC::evaluate(JSC::JSGlobalObject * globalObject=0x0cf76c68, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}, WTF::NakedPtr<JSC::Exception> & returnedException={...}) Line 148 C++
> JavaScriptCore.dll!JSC::profiledEvaluate(JSC::JSGlobalObject * globalObject=0x0cf76c68, JSC::ProfilingReason reason=Other, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}, WTF::NakedPtr<JSC::Exception> & returnedException={...}) Line 161 C++
> WebKit.dll!WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject * lexicalGlobalObject=0x0cf76c68, JSC::ProfilingReason reason=Other, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}, WTF::NakedPtr<JSC::Exception> & returnedException={...}) Line 79 C++
> WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode={...}, WebCore::DOMWrapperWorld & world={...}) Line 143 C++
> WebKit.dll!WebCore::ScriptController::evaluateInWorldIgnoringException(const WebCore::ScriptSourceCode & sourceCode={...}, WebCore::DOMWrapperWorld & world={...}) Line 116 C++
> WebKit.dll!WebCore::ScriptController::evaluateIgnoringException(const WebCore::ScriptSourceCode & sourceCode={...}) Line 163 C++
> WebKit.dll!WebCore::ScriptElement::executeClassicScript(const WebCore::ScriptSourceCode & sourceCode={...}) Line 394 C++
> WebKit.dll!WebCore::LoadableClassicScript::execute(WebCore::ScriptElement & scriptElement={...}) Line 123 C++
> WebKit.dll!WebCore::ScriptElement::executeScriptAndDispatchEvent(WebCore::LoadableScript & loadableScript={...}) Line 432 C++
> WebKit.dll!WebCore::ScriptElement::executePendingScript(WebCore::PendingScript & pendingScript={...}) Line 440 C++
> WebKit.dll!WebCore::ScriptRunner::timerFired() Line 132 C++
> [External Code]
> WebKit.dll!WTF::Detail::CallableWrapper<std::_Binder<std::_Unforced,void (__thiscall WebCore::ScriptRunner::*&)(void),WebCore::ScriptRunner *>,void>::call() Line 52 C++
> WebKit.dll!WTF::Function<void __cdecl(void)>::operator()() Line 84 C++
> WebKit.dll!WebCore::Timer::fired() Line 127 C++
> WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 129 C++
> WebKit.dll!WebCore::ThreadTimers::setSharedTimer::__l8::<lambda>() Line 69 C++
> WebKit.dll!WTF::Detail::CallableWrapper<void <lambda>(void),void>::call() Line 52 C++
> WebKit.dll!WTF::Function<void __cdecl(void)>::operator()() Line 84 C++
> WebKit.dll!WebCore::MainThreadSharedTimer::fired() Line 84 C++
> WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd=0x00180a86, unsigned int message=49988, unsigned int wParam=0, long lParam=0) Line 89 C++
> [External Code]
> user32.dll![Frames below may be incorrect and/or missing, no symbols loaded for user32.dll] Unknown
> WebKit.dll!WebKitMessageLoop::run(HACCEL__ * hAccelTable=0x0cd10a11) Line 94 C++
> MiniBrowserLib.dll!wWinMain(HINSTANCE__ * hInstance=0x00920000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0152611c, int nCmdShow=10) Line 124 C++
> MiniBrowserLib.dll!dllLauncherEntryPoint(HINSTANCE__ * hInstance=0x00920000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0152611c, int nCmdShow=10) Line 145 C++
> MiniBrowser.exe!wWinMain(HINSTANCE__ * hInstance=0x00920000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0152611c, int nCmdShow=10) Line 232 C++
> [External Code]
Attachments
WIP patch (681 bytes, patch)
2020-01-14 22:54 PST, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2020-01-14 21:23:56 PST
instructions().size() was 138001. bytecodeIndex.m_packedBits was 2565690512.

> - m_instructions unique_ptr {m_instructions={...} } std::unique_ptr<JSC::InstructionStream,std::default_delete<JSC::InstructionStream>>
> - [ptr] 0x0c9b5118 {m_instructions={...} } JSC::InstructionStream *
> - m_instructions {...} WTF::Vector<unsigned char,0,WTF::UnsafeVectorOverflow,16,WTF::FastMalloc>
> - WTF::VectorBuffer<unsigned char,0,WTF::FastMalloc> {...} WTF::VectorBuffer<unsigned char,0,WTF::FastMalloc>
> - WTF::VectorBufferBase<unsigned char,WTF::FastMalloc> {m_buffer=0x263b2e70 "œþ„ýþ«„ü\x10\nûþ" m_capacity=138001 m_size=138001 } WTF::VectorBufferBase<unsigned char,WTF::FastMalloc>
> + m_buffer 0x263b2e70 "œþ„ýþ«„ü\x10\nûþ" unsigned char *
> m_capacity 138001 unsigned int
> m_size 138001 unsigned int
> - bytecodeIndex {m_packedBits=2565690512 } JSC::BytecodeIndex
> m_packedBits 2565690512 unsigned int
Fujii Hironori
Comment 2 2020-01-14 21:25:03 PST
> bytecodeIndex.offset() 641422628 unsigned int
> instructions().size() 138001 unsigned int
Fujii Hironori
Comment 3 2020-01-14 22:54:27 PST
Created attachment 387757: WIP patch
Paulo Matos
Comment 4 2020-01-14 23:19:13 PST
Hi Fujii, thanks for the patch. This is related to bug 203563 which Caio is currently also working on. Might be worth syncing with him.
Fujii Hironori
Comment 5 2020-01-14 23:30:54 PST
(In reply to Fujii Hironori from comment #0)
> release builds work fine.

No, AppleWin 32bit release builds are unable to run JavaScript. AppleWin 64bit can run JavaScript.
Fujii Hironori
Comment 6 2020-01-14 23:32:58 PST
(In reply to Paulo Matos from comment #4)
> Hi Fujii, thanks for the patch. This is related to bug 203563 which Caio is
> currently also working on. Might be worth syncing with him.

Oh, thank you very much for letting me know.
Caio Lima
Comment 7 2020-01-15 07:40:31 PST
I uploaded a patch on https://bugs.webkit.org/show_bug.cgi?id=203563 to fix that on 32-bit ports, but I couldn't verify on Windows. Do you mind trying it out?
Caio Lima
Comment 8 2020-01-15 07:45:48 PST
Comment on attachment 387757: WIP patch
View in context: https://bugs.webkit.org/attachment.cgi?id=387757&action=review

> Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:186
> +#endif

I don't think this will solve the issue. The problem is that with BytecodeIndex we now "<< 2" its offset to make space for checkpoint storage (see BytecodeIndex.h). For 32-bit ports, we use "Instruction*" as the offset, and such a shift will make us lose some high-order bits when retrieving it back with `.offset()`.
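An added illustration of the packing Caio describes (editor's example, not WebKit code; `PackedIndex`, `pack`, `offsetOf` and the 2-bit checkpoint layout are a simplified model of what the comment calls "<< 2", not the real `BytecodeIndex`). Feeding it the `pc` from the callstack in comment 0 (0x263b5524) reproduces the `m_packedBits` value 2565690512 and the `offset()` value 641422628 from comments 1 and 2, so the stored "offset" is the raw instruction pointer. The `streamOffsetFromPointer` helper computes the pointer's distance from `m_buffer`; that this distance is what a 32-bit port should store instead of the pointer is the editor's reading of the comment, not something the thread states.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Toy model of a packed bytecode index (an assumption for illustration, not
// WebKit's BytecodeIndex): the low 2 bits hold a checkpoint number and the
// remaining 30 bits hold the offset, i.e. packedBits = (offset << 2) | checkpoint.
constexpr unsigned kCheckpointBits = 2;
constexpr uint32_t kCheckpointMask = (1u << kCheckpointBits) - 1;

struct PackedIndex {
    uint32_t packedBits;
};

PackedIndex pack(uint32_t offset, uint32_t checkpoint) {
    return PackedIndex{(offset << kCheckpointBits) | (checkpoint & kCheckpointMask)};
}

uint32_t offsetOf(PackedIndex index) { return index.packedBits >> kCheckpointBits; }
uint32_t checkpointOf(PackedIndex index) { return index.packedBits & kCheckpointMask; }

// Largest offset the 32-bit field can hold without truncation (2^30 - 1).
constexpr uint32_t maxStorableOffset() { return UINT32_MAX >> kCheckpointBits; }

// True when an offset survives the pack/unpack round trip; false once either of
// its top kCheckpointBits bits is set, because the shift pushes them out.
bool offsetRoundTrips(uint32_t offset) {
    return offsetOf(pack(offset, 0)) == offset;
}

// The check behind the failing assertion: a bytecode offset must index into the
// instruction stream, so it has to be smaller than the stream's byte size.
bool offsetInStream(uint32_t offset, size_t instructionStreamSize) {
    return offset < instructionStreamSize;
}

// Byte distance of an instruction pointer from the stream's base buffer (editor's
// assumption about what a 32-bit port would store instead of the raw pointer).
uint32_t streamOffsetFromPointer(uintptr_t pc, uintptr_t base) {
    return static_cast<uint32_t>(pc - base);
}

int main() {
    // Values taken from the report: pc of the llint_slow_path_construct frame,
    // m_buffer of the instruction stream, and instructions().size().
    const uint32_t reportedPc = 0x263b5524u;
    const uint32_t bufferBase = 0x263b2e70u;
    const size_t streamSize = 138001;

    PackedIndex fromRawPointer = pack(reportedPc, 0);
    std::printf("raw pointer packed: m_packedBits=%u offset()=%u in stream: %s\n",
                fromRawPointer.packedBits, offsetOf(fromRawPointer),
                offsetInStream(offsetOf(fromRawPointer), streamSize) ? "yes" : "no");

    uint32_t relative = streamOffsetFromPointer(reportedPc, bufferBase);
    std::printf("pointer relative to m_buffer: %u in stream: %s\n", relative,
                offsetInStream(relative, streamSize) ? "yes" : "no");

    // A pointer with bit 30 set cannot survive the shift at all.
    std::printf("0x40000000 round-trips: %s\n",
                offsetRoundTrips(0x40000000u) ? "yes" : "no");
    return 0;
}
```

Two things fall out of the numbers. With the report's `pc` (0x263b5524, below 0x40000000) no bits are actually truncated, yet the bounds check still fails because 641422628 is a pointer-sized value, not an index into a 138001-byte stream; a pointer at or above 0x40000000 would additionally lose its high-order bits exactly as Caio notes. The distance from `m_buffer` (9908 bytes) is the kind of value that does pass the check and round-trips through the packed field.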
Fujii Hironori
Comment 9 2020-01-15 18:25:44 PST
Thank you. Will check today.
Fujii Hironori
Comment 10 2020-01-15 19:38:58 PST
I tested with trunk@254661, Bug 203563 patch, AppleWin 32bit MiniBrowser, debug builds, by browsing some web sites. I confirmed JavaScript works. I realized a lot of bugs while testing. The 32bit AppleWin port isn't in good shape these days. Anyway, I think they are other issues.