RESOLVED FIXED 229546
[JSC] Segfault in stress/typedarray-every.js (32bit) 
https://bugs.webkit.org/show_bug.cgi?id=229546
Summary [JSC] Segfault in stress/typedarray-every.js (32bit)
Xan Lopez
Reported 2021-08-26 02:35:36 PDT
I believe this is caused by the patch in bug #229229. Not 100% sure because the bots are trying to catch up. Stack trace: Starting program: /home/igalia/xlopez/WebKit/WebKitBuild/Debug/bin/jsc -f ./JSTests/stress/typedarray-every.js [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1". [New Thread 0xf4039440 (LWP 13807)] Thread 1 "jsc" received signal SIGABRT, Aborted. __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47 47 ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory. (gdb) bt #0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47 #1 0xf5eeeea0 in __libc_signal_restore_set (set=0xfffec444) at ../sysdeps/unix/sysv/linux/internal-signals.h:86 #2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48 #3 0xf5edf7a2 in __GI_abort () at abort.c:79 #4 0xf6d1b3e4 in JSC::ScratchRegisterAllocator::allocateScratch<JSC::GPRInfo> (this=0xfffec7a0) at ../../Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp:97 #5 0xf6d1223c in JSC::ScratchRegisterAllocator::allocateScratchGPR (this=0xfffec7a0) at ../../Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp:102 #6 0xf634f08c in JSC::AccessCase::generateWithGuard (this=0xf377bfc0, state=..., fallThrough=...) at ../../Source/JavaScriptCore/bytecode/AccessCase.cpp:1611 #7 0xf6433906 in JSC::PolymorphicAccess::regenerate (this=0xf377bfa0, locker=..., vm=..., globalObject=0xf37c2038, codeBlock=0xf1fadea0, ecmaMode=..., stubInfo=...) at ../../Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp:637 #8 0xf644ec48 in operator() (__closure=0xfffed7d4) at ../../Source/JavaScriptCore/bytecode/StructureStubInfo.cpp:221 #9 0xf644eda2 in JSC::StructureStubInfo::addAccessCase (this=0xf3789528, locker=..., globalObject=0xf37c2038, codeBlock=0xf1fadea0, ecmaMode=..., ident=..., accessCase=...) at ../../Source/JavaScriptCore/bytecode/StructureStubInfo.cpp:245 #10 0xf6d0dd20 in JSC::tryCacheArrayPutByVal (globalObject=0xf37c2038, codeBlock=0xf1fadea0, baseValue=..., index=..., stubInfo=...) at ../../Source/JavaScriptCore/jit/Repatch.cpp:960 #11 0xf6d0de9e in JSC::repatchArrayPutByVal (globalObject=0xf37c2038, codeBlock=0xf1fadea0, base=..., index=..., stubInfo=..., putKind=JSC::PutKind::NotDirect, ecmaMode=...) at ../../Source/JavaScriptCore/jit/Repatch.cpp:976 #12 0xf6cabfb6 in JSC::putByValOptimize (globalObject=0xf37c2038, codeBlock=0xf1fadea0, baseValue=..., subscript=..., value=..., stubInfo=0xf3789528, profile=0xf37870b8, ecmaMode=...) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1035 #13 0xf6cac3ce in JSC::operationPutByValNonStrictOptimize (globalObject=0xf37c2038, encodedBaseValue=-17390199368, encodedSubscript=-4294967295, encodedValue=-4294967291, stubInfo=0xf3789528, profile=0xf37870b8) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1087 #14 0xf36fe5a4 in ?? ()
Attachments
Patch (3.16 KB, patch)
2021-08-26 03:00 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (3.19 KB, patch)
2021-08-26 03:18 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2021-08-26 03:00:57 PDT
Created attachment 436486 [details] Patch
Yusuke Suzuki
Comment 2 2021-08-26 03:18:56 PDT
Created attachment 436489 [details] Patch
EWS
Comment 3 2021-08-26 11:44:45 PDT
Committed r281638 (240994@main): <https://commits.webkit.org/240994@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 436489 [details].
Radar WebKit Bug Importer
Comment 4 2021-08-26 11:45:31 PDT
<rdar://problem/82400505>
Note You need to log in before you can comment on or make changes to this bug.