WebKit Bugzilla
RESOLVED FIXED
285206
[JSC] Loop Unrolling should not change Branch to Jump
https://bugs.webkit.org/show_bug.cgi?id=285206
rhezashan
Reported
2024-12-27 18:26:28 PST
Created attachment 473694 [details]
PoC

1. This bug only crashes on the `@main` debug target
2. Run with `./bin/jsc ./poc5.js`
3. I'm filing as security as a precaution, please update as needed.

# commit @main
```
commit d7ba780797fcdce60dc5c981fb9f233b93e360b1 (HEAD -> main, origin/main, origin/HEAD)
Author: Ahmad Saleem <ahmad.saleem792+github@gmail.com>
Date:   Fri Dec 27 06:01:47 2024 -0800
```

# Error Stack
```
DFG ASSERTION FAILED: Live bytecode local not available: operand = loc7, availabilityMap = {locals = arg0:FlushedJSValue/Unavailable loc8:ConflictingFlush/D@61 loc9:ConflictingFlush/D@146; heap = }, origin = bc#94
/home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp(181) : bool JSC::DFG::OSRAvailabilityAnalysisPhase<(lambda at /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:201:31), (lambda at /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:202:31)>::run() [HeadFunctor = (lambda at /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:201:31), TailFunctor = (lambda at /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:202:31)]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==201472==ERROR: AddressSanitizer: ABRT on unknown address 0x03e800031300 (pc 0x7ff6fac9eb1c bp 0x7ff6ae7fdfe0 sp 0x7ff6ae7fdfa0 T2)
SCARINESS: 10 (signal)
    #0 0x7ff6fac9eb1c in pthread_kill nptl/pthread_kill.c:44:76
    #1 0x7ff6fac4526d in raise signal/../sysdeps/posix/raise.c:26:13
    #2 0x7ff6fac288fe in abort stdlib/abort.c:79:7
    #3 0x5c9dbe5b1d0f in WTFCrashWithInfo(int, char const*, char const*, int) /home/rheza/jsc-build-debug-asan-clang/WTF/Headers/wtf/Assertions.h:913:5
    #4 0x5c9dbf4b4149 in JSC::DFG::OSRAvailabilityAnalysisPhase<JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_0, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_1>::run() /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:181:37
    #5 0x5c9dbf4b281f in bool JSC::DFG::runAndLog<JSC::DFG::OSRAvailabilityAnalysisPhase<JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_0, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_1>>(JSC::DFG::OSRAvailabilityAnalysisPhase<JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_0, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_1>&) /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:86:25
    #6 0x5c9dbf48ff8b in bool JSC::DFG::runPhase<JSC::DFG::OSRAvailabilityAnalysisPhase<JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_0, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_1>, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_0, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_1>(JSC::DFG::Graph&, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_0, JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&)::$_1) /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:97:12
    #7 0x5c9dbf48fe64 in JSC::DFG::performOSRAvailabilityAnalysis(JSC::DFG::Graph&) /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:203:12
    #8 0x5c9dbf5f8992 in JSC::DFG::(anonymous namespace)::ObjectAllocationSinkingPhase::performSinking() /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:815:9
    #9 0x5c9dbf5f86c7 in JSC::DFG::(anonymous namespace)::ObjectAllocationSinkingPhase::run() /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:797:14
    #10 0x5c9dbf5f7adf in bool JSC::DFG::runAndLog<JSC::DFG::(anonymous namespace)::ObjectAllocationSinkingPhase>(JSC::DFG::(anonymous namespace)::ObjectAllocationSinkingPhase&) /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:86:25
    #11 0x5c9dbf4cdf42 in bool JSC::DFG::runPhase<JSC::DFG::(anonymous namespace)::ObjectAllocationSinkingPhase>(JSC::DFG::Graph&) /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:97:12
    #12 0x5c9dbf4cde14 in JSC::DFG::performObjectAllocationSinking(JSC::DFG::Graph&) /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:2659:12
    #13 0x5c9dbf78f1af in JSC::DFG::Plan::compileInThreadImpl() /home/rheza/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:403:13
    #14 0x5c9dc0885d71 in JSC::JITPlan::compileInThread(JSC::JITWorklistThread*) /home/rheza/WebKit/Source/JavaScriptCore/jit/JITPlan.cpp:207:28
    #15 0x5c9dc095432e in JSC::JITWorklistThread::work() /home/rheza/WebKit/Source/JavaScriptCore/jit/JITWorklistThread.cpp:125:13
    #16 0x5c9dc337b5ad in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /home/rheza/WebKit/Source/WTF/wtf/AutomaticThread.cpp:225:37
    #17 0x5c9dc337ac28 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() /home/rheza/WebKit/Source/WTF/wtf/Function.h:53:39
    #18 0x5c9dbf82d4e3 in WTF::Function<void ()>::operator()() const /home/rheza/jsc-build-debug-asan-clang/WTF/Headers/wtf/Function.h:82:35
    #19 0x5c9dc35c0aaa in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/rheza/WebKit/Source/WTF/wtf/Threading.cpp:265:5
    #20 0x5c9dc36b8ad4 in WTF::wtfThreadEntryPoint(void*) /home/rheza/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241:5
    #21 0x5c9dbe573f4c in asan_thread_start(void*) asan_interceptors.cpp.o

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT nptl/pthread_kill.c:44:76 in pthread_kill
Thread T2 (JITWorker) created by T0 here:
    #0 0x5c9dbe55bdd5 in pthread_create (/home/rheza/jsc-build-debug-asan-clang/bin/jsc+0xc38dd5) (BuildId: d375323a0269f976d515624d1d29f3bdf0d7a9fd)
    #1 0x5c9dc36b8873 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) /home/rheza/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:315:17
    #2 0x5c9dc35c110e in WTF::Thread::create(WTF::ASCIILiteral, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) /home/rheza/WebKit/Source/WTF/wtf/Threading.cpp:281:32
    #3 0x5c9dc3377801 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) /home/rheza/WebKit/Source/WTF/wtf/AutomaticThread.cpp:167:5
    #4 0x5c9dc33771c0 in WTF::AutomaticThreadCondition::notifyOne(WTF::AbstractLocker const&) /home/rheza/WebKit/Source/WTF/wtf/AutomaticThread.cpp:56:21
    #5 0x5c9dc094e42a in JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>, WTF::DefaultRefDerefTraits<JSC::JITPlan>>) /home/rheza/WebKit/Source/JavaScriptCore/jit/JITWorklist.cpp:103:29
    #6 0x5c9dc09dc47c in JSC::LLInt::jitCompileAndSetHeuristics(JSC::VM&, JSC::CodeBlock*) /home/rheza/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:409:45
    #7 0x5c9dc09dadb2 in JSC::LLInt::entryOSR(JSC::CodeBlock*, char const*, JSC::LLInt::EntryKind) /home/rheza/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:427:10
    #8 0x5c9dc09db214 in llint_entry_osr_function_for_construct_arityCheck /home/rheza/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:472:12
    #9 0x5c9dc2626780 in llint_function_for_construct_arity_check LowLevelInterpreter.cpp
    #10 0x5c9dc2648ddf in llint_op_construct LowLevelInterpreter.cpp
    #11 0x5c9dc26220af in llint_call_javascript LowLevelInterpreter.cpp
    #12 0x5c9dc0672c57 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) /home/rheza/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1177:28
    #13 0x5c9dc0f42f1d in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) /home/rheza/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:138:37
    #14 0x5c9dbe6e81f5 in runWithOptions(GlobalObject*, CommandLine&, bool&) /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:3820:35
    #15 0x5c9dbe63ddcb in jscmain(int, char**)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:4509:13
    #16 0x5c9dbe5bf553 in int runJSC<jscmain(int, char**)::$_0>(CommandLine const&, bool, jscmain(int, char**)::$_0 const&) /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:4300:13
    #17 0x5c9dbe5b9d98 in jscmain(int, char**) /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:4502:18
    #18 0x5c9dbe5b959e in main /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:3576:15
    #19 0x7ff6fac2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7ff6fac2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #21 0x5c9dbe4dd3a4 in _start (/home/rheza/jsc-build-debug-asan-clang/bin/jsc+0xbba3a4) (BuildId: d375323a0269f976d515624d1d29f3bdf0d7a9fd)
==201472==ABORTING
```
Attachments
PoC (2.30 KB, text/javascript), 2024-12-27 18:26 PST, rhezashan, no flags
Radar WebKit Bug Importer
Comment 1
2024-12-27 18:26:42 PST
<rdar://problem/142111593>
Yusuke Suzuki
Comment 2
2025-01-22 06:01:27 PST
ToT issue.
Yusuke Suzuki
Comment 3
2025-01-22 06:04:33 PST
Pull request:
https://github.com/WebKit/WebKit/pull/39378
EWS
Comment 4
2025-01-22 22:26:25 PST
Committed 289279@main (cd234bf8bc36): <https://commits.webkit.org/289279@main>
Reviewed commits have been landed. Closing PR #39378 and removing active labels.