| Summary: | [JSC] Crash on ARMv7 due to DFG OSR exit code |
|---|---|
| Product: | WebKit |
| Reporter: | Asumu Takikawa <asumu> |
| Component: | JavaScriptCore |
| Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | webkit-bug-importer |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Attachments: | |
Pull request: https://github.com/WebKit/WebKit/pull/4148

Committed 254390@main (31e6bf54bd0f): <https://commits.webkit.org/254390@main>

Reviewed commits have been landed. Closing PR #4148 and removing active labels.
Created attachment 462214 [details]
Crash reproduction file

It's possible to trigger a segfault while running the attached JS file (minimized from a much larger example contained in the Wasm GC tests, thanks to Mikhail Gadelha) on ARMv7 JSC:

```
# example of how to run the crashing test
$ ~/WebKit/WebKitBuild/Debug/bin/jsc --thresholdForJITAfterWarmUp=45 --thresholdForOptimizeAfterWarmUp=21 -m crash.js
Segmentation fault
```

This bug appears to be triggered by a storeCell instruction used in the DFG OSR exit code for reifying inlined call frames. The store itself is reasonable, but the macroassembler on ARMv7 seems to create a register conflict when the memory address for the store takes a particular form, as it triggers a less used codepath in the macroassembler.