Bug 90728 - REGRESSION(r118555): Assertion failure in JSC::DFG::AssemblyHelpers::decodedCodeMapFor on MathJax v2.0 sample
Summary: REGRESSION(r118555): Assertion failure in JSC::DFG::AssemblyHelpers::decodedC...
Status: UNCONFIRMED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-07 09:28 PDT by Sergey Khodych
Modified: 2013-07-09 07:47 PDT
CC: 9 users

See Also:


Attachments
MathJax v2.0 sample (71.25 KB, application/zip), 2012-07-07 09:31 PDT, Sergey Khodych, no flags
a simple fix (1.58 KB, patch), 2012-09-25 09:43 PDT, Yong Li, fpizlo: review-

Description Sergey Khodych 2012-07-07 09:28:34 PDT
To reproduce:

Load MathJax sample file test/sample-eqnum.html from mathjax_sample.zip

WebKit is built with the following command:

./Tools/Scripts/build-webkit --qt --minimal --debug

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff65ec7d4 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor (this=0x7fffffffc730, codeBlock=0x105e330) at ../../../../Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp:47
47          ASSERT(codeBlock->jitCodeMap());
(gdb) bt
#0  0x00007ffff65ec7d4 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor (this=0x7fffffffc730, codeBlock=0x105e330)
    at ../../../../Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp:47
#1  0x00007ffff663fb46 in JSC::DFG::OSRExitCompiler::compileExit (this=0x7fffffffc850, exit=..., recovery=0x0)
    at ../../../../Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp:647
#2  0x00007ffff663bc6a in JSC::DFG::compileOSRExit (exec=0x7fff9c1efdc8) at ../../../../Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp:79
#3  0x00007fffa05ffaad in ?? ()
#4  0x00007fffffffc920 in ?? ()
#5  0x00007fff9c1c4a80 in ?? ()
#6  0x00007fff95ed3c60 in ?? ()
#7  0x00007fff95a98600 in ?? ()
#8  0x00007fff00000004 in ?? ()
#9  0x00007fff95e407c0 in ?? ()
#10 0x00007ffff7e0ff40 in ?? ()
#11 0x00007fffffffc960 in ?? ()
#12 0x00007fffffffc970 in ?? ()
#13 0x00007fffa0744100 in ?? ()
#14 0x0000000000943688 in ?? ()
#15 0x00007fff9c1efdc8 in ?? ()
#16 0x0000000000000000 in ?? ()
Comment 1 Sergey Khodych 2012-07-07 09:31:04 PDT
Created attachment 151144 [details]
MathJax v2.0 sample
Comment 2 Yong Li 2012-09-25 08:35:23 PDT
It seems DFGOSRExitCompiler assumes setJITCodeMap is always called; however, when LLINT isn't enabled and canBeOptimized() = true, the jitCodeMap is left null.

#if ENABLE(DFG_JIT) || ENABLE(LLINT)
    if (canBeOptimized()
#if ENABLE(LLINT)
        || true
#endif
        ) {
        CompactJITCodeMap::Encoder jitCodeMapEncoder;
        for (unsigned bytecodeOffset = 0; bytecodeOffset < m_labels.size(); ++bytecodeOffset) {
            if (m_labels[bytecodeOffset].isSet())
                jitCodeMapEncoder.append(bytecodeOffset, patchBuffer.offsetOf(m_labels[bytecodeOffset]));
        }
        m_codeBlock->setJITCodeMap(jitCodeMapEncoder.finish());
    }

Filip?
Comment 3 Yong Li 2012-09-25 09:43:54 PDT
Created attachment 165632 [details]
a simple fix
Comment 4 Daniel Drake 2012-12-01 07:26:11 PST
Reproduced this crash on Fedora 18 (x86), webkitgtk-1.10.1.

It happens while loading various pages such as http://tirania.org/blog/archive/2012/Oct-22.html and http://www.bbc.co.uk/weather/sg6

Program received signal SIGSEGV, Segmentation fault.
0xb611d7c9 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor ()
   from /lib/libjavascriptcoregtk-3.0.so.0
#0  0xb611d7c9 in JSC::DFG::AssemblyHelpers::decodedCodeMapFor ()
   from /lib/libjavascriptcoregtk-3.0.so.0
#1  0xb615965d in JSC::DFG::OSRExitCompiler::compileExit ()
   from /lib/libjavascriptcoregtk-3.0.so.0
#2  0xb615d649 in compileOSRExit () from /lib/libjavascriptcoregtk-3.0.so.0
#3  0xabf19866 in ?? ()
#4  0xb61d7c52 in JSC::Interpreter::executeCall ()
   from /lib/libjavascriptcoregtk-3.0.so.0
#5  0xb62b4993 in JSC::call () from /lib/libjavascriptcoregtk-3.0.so.0
#6  0xbfffe3c4 in ?? ()

A more complete trace can be found in bug #102762.

I've tested Yong's patch (above) and it solves the issue. Any chance of a review?
Comment 5 Daniel Drake 2012-12-17 00:36:52 PST
Bump. This crash is still hurting, and there is a patch here waiting for review. I've tested it for the last few weeks, and it seems to be working fine.
Comment 6 Filip Pizlo 2012-12-17 15:35:03 PST
(In reply to comment #2)
> It seems DFGOSRExitCompiler assumes setJITCodeMap is always called; however, when LLINT isn't enabled and canBeOptimized() = true, the jitCodeMap is left null.
> 
> #if ENABLE(DFG_JIT) || ENABLE(LLINT)
>     if (canBeOptimized()
> #if ENABLE(LLINT)
>         || true
> #endif
>         ) {
>         CompactJITCodeMap::Encoder jitCodeMapEncoder;
>         for (unsigned bytecodeOffset = 0; bytecodeOffset < m_labels.size(); ++bytecodeOffset) {
>             if (m_labels[bytecodeOffset].isSet())
>                 jitCodeMapEncoder.append(bytecodeOffset, patchBuffer.offsetOf(m_labels[bytecodeOffset]));
>         }
>         m_codeBlock->setJITCodeMap(jitCodeMapEncoder.finish());
>     }
> 
> Filip?

How can canBeOptimized() == true lead to jitCodeMap being null in the above code?
Comment 7 Filip Pizlo 2012-12-17 15:37:23 PST
Comment on attachment 165632 [details]
a simple fix

View in context: https://bugs.webkit.org/attachment.cgi?id=165632&action=review

> Source/JavaScriptCore/jit/JIT.cpp:-764
> -    if (canBeOptimized()
> -#if ENABLE(LLINT)
> -        || true
> -#endif
> -        ) {
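Review bot: the hunk deletes the guard outright rather than narrowing it, so after this change the code map is emitted for every code block, including ones the DFG will never compile or inline. The removed lines also show that with ENABLE(LLINT) the `|| true` already made emission unconditional, so the deletion only changes behaviour for non-LLINT builds, which is where the null map is observed. A guard of the form `if (m_codeBlock->canCompileWithDFG() != CannotCompile)` would keep the invariant the OSR exit compiler relies on (every compilable or inlinable block has a map) without doing the encoding work for CannotCompile blocks.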

I think the problem here is that we should be emitting a code map when m_codeBlock->canCompileWithDFG() returns anything other than CannotCompile, whereas now we're just emitting the map when it returns CanCompile.  This will happen since the other return value (ShouldProfile) indicates that the DFG may choose to inline the code block even if it doesn't compile it directly, and inlined code blocks better have jitCodeMaps.

Could you do this more thorough fix instead?
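To make the reasoning in comment 7 concrete, the model below (an added example, not JavaScriptCore's own code; DFGCapability, Policy, emitJITCodeMap and osrExitSucceeds are toy names chosen here) emits a map under either predicate and then simulates an OSR exit that walks an optimized caller plus an inlined ShouldProfile callee:

```cpp
// Toy model (added here, not JavaScriptCore code) of the invariant under
// discussion: every code block the DFG may compile OR inline must carry a
// jitCodeMap, because compileOSRExit() reconstructs each frame, inlined ones
// included, through decodedCodeMapFor(). Names are modelled on the thread.
#include <cstddef>
#include <vector>

enum class DFGCapability { CannotCompile, ShouldProfile, CanCompile };

struct CodeBlock {
    DFGCapability capability;
    bool hasJITCodeMap = false;
    std::vector<unsigned> jitCodeMap; // bytecode offset -> machine-code offset
    // Modelled on the baseline JIT: canBeOptimized() is true only for CanCompile.
    bool canBeOptimized() const { return capability == DFGCapability::CanCompile; }
    DFGCapability canCompileWithDFG() const { return capability; }
};

// Which predicate guards map emission: the non-LLINT branch quoted in
// comment 2 (OnlyCanCompile) or the one proposed in comment 7.
enum class Policy { OnlyCanCompile, AnythingButCannotCompile };

void emitJITCodeMap(CodeBlock& block, Policy policy, std::size_t labelCount) {
    bool emit = policy == Policy::OnlyCanCompile
        ? block.canBeOptimized()
        : block.canCompileWithDFG() != DFGCapability::CannotCompile;
    if (!emit) return;
    for (unsigned bytecodeOffset = 0; bytecodeOffset < labelCount; ++bytecodeOffset)
        block.jitCodeMap.push_back(bytecodeOffset * 8); // constructed offsets
    block.hasJITCodeMap = true;
}

// Stand-in for decodedCodeMapFor(): reports the missing map instead of
// tripping ASSERT(codeBlock->jitCodeMap()) as in the reported backtrace.
bool osrExitCanDecode(const std::vector<const CodeBlock*>& frames) {
    for (const CodeBlock* frame : frames)
        if (!frame->hasJITCodeMap)
            return false;
    return true;
}

// Scenario from comment 7: an optimizable caller inlines a callee whose
// capability is only ShouldProfile; an OSR exit then walks both frames.
bool osrExitSucceeds(Policy policy) {
    CodeBlock caller{DFGCapability::CanCompile};
    CodeBlock inlinedCallee{DFGCapability::ShouldProfile};
    emitJITCodeMap(caller, policy, 4);
    emitJITCodeMap(inlinedCallee, policy, 3);
    return osrExitCanDecode({&caller, &inlinedCallee});
}
```

Under the narrow predicate the inlined callee never gets a map and the exit fails exactly where the ASSERT fires; under the comment 7 predicate both frames decode.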
Comment 8 Yong Li 2012-12-18 07:22:14 PST
> 
> How can canBeOptimized() == true lead to jitCodeMap being null in the above code?

Probably I meant "= false" and it is a typo.

(In reply to comment #7)
> I think the problem here is that we should be emitting a code map when m_codeBlock->canCompileWithDFG() returns anything other than CannotCompile, whereas now we're just emitting the map when it returns CanCompile.  This will happen since the other return value (ShouldProfile) indicates that the DFG may choose to inline the code block even if it doesn't compile it directly, and inlined code blocks better have jitCodeMaps.
> 
> Could you do this more thorough fix instead?

Thanks. I would give it a try, but I don't have enough time in the meantime. Also, this issue does bite when LLINT is on, so I cannot promise to work on this any time soon.
Comment 9 Yong Li 2012-12-18 07:22:49 PST
(In reply to comment #8)
> > 
> > How can canBeOptimized() == true lead to jitCodeMap being null in the above code?
> 
> Probably I meant "= false" and it is a typo.
> 
> (In reply to comment #7)
> > I think the problem here is that we should be emitting a code map when m_codeBlock->canCompileWithDFG() returns anything other than CannotCompile, whereas now we're just emitting the map when it returns CanCompile.  This will happen since the other return value (ShouldProfile) indicates that the DFG may choose to inline the code block even if it doesn't compile it directly, and inlined code blocks better have jitCodeMaps.
> > 
> > Could you do this more thorough fix instead?
> 
> Thanks. I would give it a try, but I don't have enough time in the meantime. Also, this issue does bite when LLINT is on, so I cannot promise to work on this any time soon.

Oops, another typo. Should be "does NOT bite when LLINT is on".