RESOLVED FIXED 244952
[JSC] Crash on ARMv7 due to DFG OSR exit code 
https://bugs.webkit.org/show_bug.cgi?id=244952
Summary [JSC] Crash on ARMv7 due to DFG OSR exit code
Asumu Takikawa
Reported 2022-09-08 16:37:09 PDT
Created attachment 462214 [details] Crash reproduction file It's possible to trigger a segfault while running the attached JS file (minimized from a much larger example contained in the Wasm GC tests, thanks to Mikhail Gadelha) on ARMv7 JSC: ``` # example of how to run the crashing test $ ~/WebKit/WebKitBuild/Debug/bin/jsc --thresholdForJITAfterWarmUp=45 --thresholdForOptimizeAfterWarmUp=21 -m crash.js Segmentation fault ``` This bug appears to be triggered by a storeCell instruction used in the DFG OSR exit code for reifying inlined call frames. The store itself is reasonable, but the macroassembler on ARMv7 seems to create a register conflict when the memory address for the store takes a particular form, as it triggers a less used codepath in the macroassembler.
Attachments
Crash reproduction file (72.19 KB, application/x-javascript)
2022-09-08 16:37 PDT, Asumu Takikawa 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Asumu Takikawa
Comment 1 2022-09-08 18:49:56 PDT
Pull request: https://github.com/WebKit/WebKit/pull/4148
EWS
Comment 2 2022-09-12 10:05:19 PDT
Committed 254390@main (31e6bf54bd0f): <https://commits.webkit.org/254390@main> Reviewed commits have been landed. Closing PR #4148 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2022-09-12 10:06:18 PDT
<rdar://problem/99826962>
Note You need to log in before you can comment on or make changes to this bug.