RESOLVED FIXED
268828
[JSC][armv7] Crashes in wasm tests in CallFrameShuffler
https://bugs.webkit.org/show_bug.cgi?id=268828
Joseph Griego
Reported
2024-02-06 08:15:50 PST
A number of tests, especially wasm tests, are failing with this signature, after https://bugs.webkit.org/show_bug.cgi?id=268499

Root cause appears to be using ValueRecovery::InGPR instead of UnboxedInt32InGPR etc. for preserving GPRs when preparing for a tail call.

Thread 1 "jsc" received signal SIGABRT, Aborted.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47	../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory.
(gdb) bt
#0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1  0xf6dc6ea0 in __libc_signal_restore_set (set=0xfffec1f4) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xf6db77a2 in __GI_abort () at abort.c:79
#4  0xf763d018 in WTFCrashWithInfo () at /home/igalia/jgriego/proj/webkit/_build/WTF/Headers/wtf/Assertions.h:780
#5  JSC::CallFrameShuffler::emitStore (this=this@entry=0xfffec5e8, location=..., address=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/CallFrameShuffler32_64.cpp:66
#6  0xf7632590 in JSC::CallFrameShuffler::spill (this=0xfffec5e8, cachedRecovery=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/CallFrameShuffler.cpp:290
#7  0xf7637680 in JSC::CallFrameShuffler::ensureGPR (this=0xfffec5e8) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/CallFrameShuffler.h:613
#8  JSC::CallFrameShuffler::ensureGPR (this=0xfffec5e8) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/CallFrameShuffler.h:606
#9  JSC::CallFrameShuffler::acquireGPR (this=0xfffec5e8) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/CallFrameShuffler.h:62
#10 JSC::CallFrameShuffler::prepareForTailCall (this=this@entry=0xfffec5e8) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/CallFrameShuffler.cpp:381
#11 0xf7547294 in operator() (__closure=<optimized out>, __closure=<optimized out>) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:941
#12 0xf72254a4 in WTF::ScopedLambda<void ()>::operator()<>() const (this=0xfffecaa4) at /home/igalia/jgriego/proj/webkit/_build/WTF/Headers/wtf/ScopedLambda.h:56
#13 JSC::DirectCallLinkInfo::emitDirectTailCallFastPath(JSC::CCallHelpers&, WTF::ScopedLambda<void ()>&&) (this=this@entry=0xf449aac0, jit=..., prepareForTailCall=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:641
#14 0xf754e844 in JSC::DFG::SpeculativeJIT::emitCall (this=0xfffed4f0, node=<optimized out>) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:942
#15 0xf75515ac in JSC::DFG::SpeculativeJIT::compile (this=this@entry=0xfffed4f0, node=0xf44a75a0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3936
#16 0xf74fcea4 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0xfffed4f0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2601
#17 0xf74fd3a8 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0xfffed4f0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2474
#18 JSC::DFG::SpeculativeJIT::compileBody (this=this@entry=0xfffed4f0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2711
#19 0xf74fda00 in JSC::DFG::SpeculativeJIT::compileFunction (this=0xfffed4f0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:219
#20 0xf745a1f2 in JSC::DFG::Plan::compileInThreadImpl (this=0xf44c16c0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGPlan.cpp:352
#21 0xf76d1440 in JSC::JITPlan::compileInThread (this=0xf44c16c0, thread=<optimized out>) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/JITPlan.cpp:186
#22 0xf76f8646 in JSC::JITWorklist::enqueue (this=this@entry=0xf4494000, plan=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/JITWorklist.cpp:87
#23 0xf73c91b0 in JSC::DFG::compileImpl (callback=..., mustHandleValues=..., osrEntryBytecodeIndex=..., mode=<optimized out>, profiledDFGCodeBlock=0x0, codeBlock=0xf16987c0, vm=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:90
#24 JSC::DFG::compile (vm=..., codeBlock=codeBlock@entry=0xf16987c0, profiledDFGCodeBlock=profiledDFGCodeBlock@entry=0x0, mode=mode@entry=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:106
#25 0xf76d0e76 in JSC::operationOptimize (vmPointer=0xf1800000, bytecodeIndexBits=<optimized out>) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/JITOperations.cpp:2546
#26 0xf3064fb0 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Joseph Griego
Comment 1
2024-02-06 08:18:47 PST
Pull request: https://github.com/WebKit/WebKit/pull/23923
EWS
Comment 2
2024-02-06 20:13:05 PST
Committed 274195@main (47d90d73bf82): <https://commits.webkit.org/274195@main>

Reviewed commits have been landed. Closing PR #23923 and removing active labels.
Radar WebKit Bug Importer
Comment 3
2024-02-06 20:14:14 PST
<rdar://problem/122443447>