Bug 160157
| Summary: | REGRESSION(r203537): It made many tests crash on ARMv7 with ARM instruction set | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Csaba Osztrogonác <ossy> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Critical | CC: | benjamin, ossy, saam |
| Priority: | P1 | ||
| Version: | Other | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=159720 | ||
| Bug Depends on: | |||
| Bug Blocks: | 108645, 159649 | ||
Csaba Osztrogonác
JSCOnly Linux ARMv7 Traditional Release:
- before: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1613
- after: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1623
( https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Traditional%20Release/builds/1637 )
crash log on ARMv7 with ARM instruction set:
Running stress/exit-after-int52-to-double.js.default
stress/exit-after-int52-to-double.js.default: ASSERTION FAILED: linkBuffer.isValid()
stress/exit-after-int52-to-double.js.default: ../../Source/JavaScriptCore/jit/JITMathIC.h(130) : void JSC::JITMathIC<Generator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr) [with GeneratorType = JSC::JITAddGenerator]
stress/exit-after-int52-to-double.js.default: 1 0xb6394fb0 WTFCrash
stress/exit-after-int52-to-double.js.default: 2 0xb5ea3104 JSC::JITMathIC<JSC::JITAddGenerator>::generateOutOfLine(JSC::VM&, JSC::CodeBlock*, JSC::FunctionPtr)
stress/exit-after-int52-to-double.js.default: 3 0xb5e9a0b8
stress/exit-after-int52-to-double.js.default: Segmentation fault
stress/exit-after-int52-to-double.js.default: ERROR: Unexpected exit code: 139
FAIL: stress/exit-after-int52-to-double.js.default
It seems it is a similar to bug159720 .
Can't we disable this new feature somehow similar to https://trac.webkit.org/changeset/203272 ?
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Csaba Osztrogonác
I can confirm that this bug and bug159720 have the same root.
The problem is that "auto jump = jit.jump();" allocates a constant
on the constant pool which makes linkBuffer ctor not to allocate.
But the question is still open, can we disable IC generating on
ARM traditional until we can find the proper fix? Because now it
is completely broken and there are 2700 crashing stress tests.
*** This bug has been marked as a duplicate of bug 159720 ***
Csaba Osztrogonác
(In reply to comment #0)
> Can't we disable this new feature somehow similar to
> https://trac.webkit.org/changeset/203272 ?
ARM assembler is completely broken more than a month ago because of
this IC refactoring work. It would be great to get an answer if
we can workaround it or not.
Saam Barati
You can make MathIC generateInline always return false before
generating any code. This will make the resulting code quite
slow though. It will lead to a C call for every JS add.
Csaba Osztrogonác
(In reply to comment #3)
> You can make MathIC generateInline always return false before
> generating any code. This will make the resulting code quite
> slow though. It will lead to a C call for every JS add.
Uploaded a patch to bug159759 to disable it.