Bug 25033 - dtoa.cpp segfaults with g++ 4.4.0
Summary: dtoa.cpp segfaults with g++ 4.4.0
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Duplicates: 24326 (view as bug list)
Depends on:
Blocks:
Reported: 2009-04-03 11:59 PDT by Xan Lopez
Modified: 2009-05-18 11:45 PDT (History)

See Also:


Attachments
dtoaalias.patch (32.28 KB, patch)
2009-04-04 02:44 PDT, Xan Lopez
ap: review+
sunspider results (3.28 KB, text/plain)
2009-04-06 08:19 PDT, Gustavo Noronha (kov)
no flags
sunspider Mac results (3.40 KB, text/plain)
2009-04-07 04:27 PDT, Alexey Proskuryakov
no flags

Description Xan Lopez 2009-04-03 11:59:43 PDT
Compiling WebKit with g++ 4.4.0 20090330 and -O2 (this is a pre-release from Fedora 11, but 4.4.0 is about to be released), I get this segfault pretty much in any page:

Program received signal SIGSEGV, Segmentation fault.
0x00d12161 in WTF::dtoa () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
(gdb) bt
#0  0x00d12161 in WTF::dtoa () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
#1  0x00d131b8 in JSC::concatenate () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
#2  0x00d959c6 in JSC::JITStubs::cti_op_add () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so.2.2.0
#3  0x07c5af47 in ?? ()
#4  0x00000000 in ?? ()

It does not happen in debug builds, so I'm not sure how to get anything more useful than that. Googling a bit, it might be related to this: http://patrakov.blogspot.com/2009/03/dont-use-old-dtoac.html, but we seem to use a modified version of that.

Any suggestion to further track this down is welcome :)
Comment 1 Darin Adler 2009-04-03 12:03:57 PDT
Yow! That's code that no one on the project knows all that much about -- we haven't changed it too much since the original David Gay library it came from.

If you have some skills with assembly-language debugging you might be able to figure out what line of code is involved. You don't need to do a debug build to have symbols. You could try building with "-O2 and -g" to see if that helps you figure out what's wrong.

Worst case, you could try to find a completely different solution for dtoa -- it might be hard to find one that has correct behavior and great performance, though.
Comment 2 Xan Lopez 2009-04-03 12:15:36 PDT
OK, if it has not changed too much I guess I can try to use the version that comes with gcc and see how it goes with that. What tests should I pay attention to in order to check the performance of each one?
Comment 3 Mark Rowe (bdash) 2009-04-03 13:01:41 PDT
I think that at least one of the sunspider tests exercises dtoa quite heavily.
Comment 4 Alexey Proskuryakov 2009-04-04 02:32:14 PDT
We do have a number of modifications in our copy of dtoa, including support for additional architectures (e.g. middle endian ones), threading and performance fixes.

Is the version that comes with gcc very different from the original? If not, maybe we could just make all the same changes on our copy.
Comment 5 Xan Lopez 2009-04-04 02:33:26 PDT
Yes, I just did that. It seems to work OK, although I'm not testing all the codepaths (lots of #ifdef ...). I'll upload the patch now.
Comment 6 Xan Lopez 2009-04-04 02:44:29 PDT
Created attachment 29251 [details]
dtoaalias.patch

OK, I've tried to explain the issue the best I could in the ChangeLog. I've tried to cover all codepaths, but I haven't actually tested them, just the default one. Also, I have not changed the macros defined when YES_ALIAS is defined, although that is unlikely to work with the changes in the code.

Sunspider works with the patch, and the crashers are gone. Unfortunately I can't compare performance with the previous version, since it crashes the browser, but I hope someone else will be able to do that.
Comment 7 Xan Lopez 2009-04-05 13:58:35 PDT
*** Bug 24326 has been marked as a duplicate of this bug. ***
Comment 8 Gustavo Noronha (kov) 2009-04-06 08:19:28 PDT
Created attachment 29278 [details]
sunspider results

Xan requested that someone run sunspider on webkit pre- and post-patching with his proposed fix. These are my results.
Comment 9 Alexey Proskuryakov 2009-04-07 04:27:27 PDT
Created attachment 29306 [details]
sunspider Mac results

No measurable change.
Comment 10 Alexey Proskuryakov 2009-04-07 04:38:01 PDT
Comment on attachment 29251 [details]
dtoaalias.patch

r=me
Comment 11 Xan Lopez 2009-04-07 04:48:50 PDT
Committed as r42262, thanks.
Comment 12 Craig Schlenter 2009-05-18 11:07:05 PDT
dtoa.cpp is getting strict aliasing warnings again in trunk with gcc 4.4 after the latest changes. I'm running this in chromium but it's the same code as far as I can tell.

/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp: In function 'void WTF::mult(WTF::BigInt&, const WTF::BigInt&)':
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: warning: dereferencing pointer 'xc.43' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:505: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: warning: dereferencing pointer 'xc.43' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:517: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp: In function 'void WTF::dtoa(char*, double, int, int*, int*, char**)':
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:293: warning: '<anonymous>' may be used uninitialized in this function
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:2135: note: '<anonymous>' was declared here
Compiling /home/craig/chromium.git/src/sconsbuild/Release/obj/third_party/WebKit/JavaScriptCore/pcre/pcre_compile.os
Compiling /home/craig/chromium.git/src/sconsbuild/Release/obj/third_party/WebKit/JavaScriptCore/pcre/pcre_exec.os
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp: In function 'double WTF::strtod(const char*, char**)':
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: warning: dereferencing pointer 'xc.62' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:736: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: warning: dereferencing pointer 'xc.62' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: note: initialized from here
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: warning: dereferencing pointer '<anonymous>' does break strict-aliasing rules
/home/craig/chromium.git/src/third_party/WebKit/JavaScriptCore/wtf/dtoa.cpp:743: note: initialized from here

Rolling back to r42264 makes things happy - I have not tried the in-between revisions yet.

What's the best plan of action here - reopen this bug (I can't do that) or file a new one?

Thank you!!
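The "does break strict-aliasing rules" warnings above name the mechanism behind the original crash: dtoa reads the two 32-bit words of a double through a cast pointer, and an optimizer that assumes pointers of different types never alias can reorder or drop those accesses at -O2. The following is an added example, not WebKit's dtoa.cpp or David Gay's dtoa.c: it shows the same word0/word1 access in the union form that aliasing-safe builds of dtoa use and in memcpy form, with the cast spelled out only as a comment; the `U`, `HI`, `word0` and `word1` names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A double and its two 32-bit halves in one object. Reading a member other
 * than the one last written is defined behaviour for unions in C, which is
 * why dtoa's aliasing-safe build replaces the pointer cast with this form. */
typedef union { double d; uint32_t L[2]; } U;

/* Index of the high word; this is dtoa's IEEE_MC68k vs IEEE_8087 choice. */
#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define HI 0
#else
#define HI 1
#endif
#define word0(x) ((x)->L[HI])      /* sign, exponent, top 20 mantissa bits */
#define word1(x) ((x)->L[1 - HI])  /* low 32 mantissa bits */

/* The form gcc 4.4 warns about: a double reinterpreted via a uint32_t*.
 * Under -O2 the compiler may assume this access and a write to the double
 * do not alias, so it can reorder or discard one of them (left as a comment
 * on purpose; its behaviour is undefined):
 *   #define word0_unsafe(x) (((uint32_t *)&(x))[HI])                      */

/* Unbiased binary exponent of a finite, non-zero double, via the union. */
static int exponent_via_union(double d) {
    U u;
    u.d = d;
    return (int)((word0(&u) >> 20) & 0x7ff) - 1023;
}

/* memcpy is the other aliasing-safe spelling; compilers fold it to a move. */
static int exponent_via_memcpy(double d) {
    uint32_t w[2];
    memcpy(w, &d, sizeof w);
    return (int)((w[HI] >> 20) & 0x7ff) - 1023;
}

/* Multiply by 2^k by editing the exponent field in place, the way dtoa's
 * scaling code adjusts word0 (no overflow or subnormal handling here). */
static double scale_pow2(double d, int k) {
    U u;
    u.d = d;
    word0(&u) += (uint32_t)k << 20;   /* unsigned wrap handles negative k */
    return u.d;
}

int main(void) {
    printf("exp(0.75)=%d exp(1e300)=%d 1.5*2^3=%g\n", exponent_via_union(0.75),
           exponent_via_memcpy(1e300), scale_pow2(1.5, 3));
    return 0;
}
```

Building the cast form with -fno-strict-aliasing is the usual stopgap; the union or memcpy form is the fix that survives a compiler upgrade.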
Comment 13 Evan Martin 2009-05-18 11:13:25 PDT
Reopening based on Craig's comment.
Comment 14 Evan Martin 2009-05-18 11:14:03 PDT
Actually, wait, no, this bug is about segfaulting.  Craig, maybe your comment belongs as a new bug?
Comment 15 Craig Schlenter 2009-05-18 11:45:01 PDT
(In reply to comment #14)
> Actually, wait, no, this bug is about segfaulting.  Craig, maybe your comment
> belongs as a new bug?

I have created https://bugs.webkit.org/show_bug.cgi?id=25857 and Cc'ed Xan.

Thank you.