RESOLVED FIXED 119440
REGRESSION(r153612): It made jsc and layout tests crash
https://bugs.webkit.org/show_bug.cgi?id=119440
Csaba Osztrogonác
Reported 2013-08-02 05:41:36 PDT
After http://trac.webkit.org/changeset/153612 jsc and layout tests started to crash on 64 bit in debug mode. (at least on Qt)

Here is a GDB backtrace on r153636:

gdb --args ../../../../WebKitBuild/Debug/bin/jsc -s -f ./ecma/shell.js -f ./ecma/Boolean/15.6.4.2-4-n.js
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/webkitbuildbot/oszi/WebKit/WebKitBuild/Debug/bin/jsc...done.
(gdb) run
Starting program: /home/webkitbuildbot/oszi/WebKit/WebKitBuild/Debug/bin/jsc -s -f ./ecma/shell.js -f ./ecma/Boolean/15.6.4.2-4-n.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffb4309700 (LWP 29393)]
[New Thread 0x7fffb3ae9700 (LWP 29394)]
[New Thread 0x7fffb32e8700 (LWP 29395)]
[New Thread 0x7fffb2ae7700 (LWP 29396)]
[New Thread 0x7fffb22e6700 (LWP 29397)]
[New Thread 0x7fffb1ae5700 (LWP 29398)]
[New Thread 0x7fffb12e4700 (LWP 29399)]
15.6.4.2-4-n Boolean.prototype.toString()

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb06e4160 in ?? ()
(gdb) bt
#0 0x00007fffb06e4160 in ?? ()
#1 0x00007fffffffb550 in ?? ()
#2 0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#3 0x00000000006a0682 in JSC::JITCode::execute (this=0x1024bb0, stack=0xff2668, callFrame=0x7fffb06e4160, vm=0xfe1730) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#4 0x000000000068c9e3 in JSC::Interpreter::execute (this=0xff2650, eval=0x7ffff7e3fdf0, callFrame=0x7fffb06e4108, thisValue=..., scope=0x7fffb05fffc8) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1208
#5 0x0000000000687609 in JSC::eval (callFrame=0x7fffb06e4108) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:148
#6 0x00000000006dace6 in JSC::LLInt::llint_slow_path_call_eval (exec=0x7fffb06e40a0, pc=0x1026fc8) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1109
#7 0x0000000000ab5737 in llint_op_call_eval ()
#8 0x00007fffffffca80 in ?? ()
#9 0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#10 0x00000000006a0682 in JSC::JITCode::execute (this=0x101c760, stack=0xff2668, callFrame=0x7fffb06e4058, vm=0xfe1730) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#11 0x000000000068af4f in JSC::Interpreter::execute (this=0xff2650, program=0x7ffff7e3fe70, callFrame=0x7ffff7f7f8e0, thisObj=0x7ffff7e7feb0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:856
#12 0x00000000007728fd in JSC::evaluate (exec=0x7ffff7f7f8e0, source=..., thisValue=..., returnedException=0x7fffffffe080) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83
#13 0x000000000040ff8c in runWithScripts (globalObject=0x7ffff7f7f870, scripts=..., dump=false) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:596
#14 0x0000000000410c97 in jscmain (argc=6, argv=0x7fffffffe348) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:812
#15 0x000000000040fd68 in main (argc=6, argv=0x7fffffffe348) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:554
(gdb)
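As an added triage example (not part of the report and not WebKit code), the script below parses the GDB backtrace quoted above and flags the two things a reader checks first in a trace like this: frames whose PC has no symbol (frames #0 and #1, typically JIT-emitted code or a corrupted PC), and whether such a PC coincides with a pointer argument in a symbolized frame, which is the case for the crashing PC 0x00007fffb06e4160 and the callFrame argument of frame #3. It also lists NULL pointer arguments such as this=0x0 in frame #2. The sample input is the first five frames of the backtrace; the function names are this example's own.

```python
"""Crash-triage helper: parse a GDB backtrace and flag suspicious frames.

Added example for this bug page; it is not WebKit code, and the helper names
(parse_backtrace, unsymbolized_frames, pc_matches_pointer_args,
null_pointer_args) are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The first five frames of the backtrace quoted in the report above.
SAMPLE_BACKTRACE = """\
#0 0x00007fffb06e4160 in ?? ()
#1 0x00007fffffffb550 in ?? ()
#2 0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#3 0x00000000006a0682 in JSC::JITCode::execute (this=0x1024bb0, stack=0xff2668, callFrame=0x7fffb06e4160, vm=0xfe1730) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#4 0x000000000068c9e3 in JSC::Interpreter::execute (this=0xff2650, eval=0x7ffff7e3fdf0, callFrame=0x7fffb06e4108, thisValue=..., scope=0x7fffb05fffc8) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1208
"""

# "#N 0xPC in func (args) at file:line"; GDB prints "??" for a PC without a symbol.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<func>\S+)\s*"
    r"\((?P<args>[^)]*)\)(?:\s+at\s+(?P<loc>\S+))?"
)
# Only pointer-looking arguments (name=0x...) are collected; "thisValue=..." is skipped.
PTR_ARG_RE = re.compile(r"(\w+)=0x([0-9a-fA-F]+)")


@dataclass
class Frame:
    num: int
    pc: int
    func: str
    args: Dict[str, int] = field(default_factory=dict)  # name -> pointer value
    loc: Optional[str] = None

    @property
    def unsymbolized(self) -> bool:
        return self.func == "??"


def parse_backtrace(text: str) -> List[Frame]:
    """Parse "bt" output; non-frame lines (prompts, thread notices) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = {name: int(val, 16) for name, val in PTR_ARG_RE.findall(m.group("args"))}
        frames.append(Frame(int(m.group("num")), int(m.group("pc"), 16),
                            m.group("func"), args, m.group("loc")))
    return frames


def unsymbolized_frames(frames: List[Frame]) -> List[int]:
    """Frame numbers whose PC has no symbol (JIT-emitted code or a bad PC)."""
    return [f.num for f in frames if f.unsymbolized]


def pc_matches_pointer_args(frames: List[Frame]) -> List[Tuple[int, int, str]]:
    """(unsymbolized frame, symbolized frame, arg) where an unsymbolized PC
    equals a pointer argument elsewhere in the trace. A PC that equals a data
    pointer means control was transferred into data, i.e. some indirect branch
    used the wrong register or value; the matching argument tells you which."""
    hits = []
    for bad in frames:
        if not bad.unsymbolized:
            continue
        for other in frames:
            if other.unsymbolized:
                continue
            for name, val in other.args.items():
                if val == bad.pc:
                    hits.append((bad.num, other.num, name))
    return hits


def null_pointer_args(frames: List[Frame]) -> List[Tuple[int, str, str]]:
    """(frame, function, arg) for pointer arguments that are NULL."""
    return [(f.num, f.func, name)
            for f in frames for name, val in f.args.items() if val == 0]


if __name__ == "__main__":
    fr = parse_backtrace(SAMPLE_BACKTRACE)
    print("unsymbolized frames:", unsymbolized_frames(fr))
    print("PC == pointer argument:", pc_matches_pointer_args(fr))
    print("NULL pointer arguments:", null_pointer_args(fr))
```

The PC/argument comparison is the useful part: a SIGSEGV at an address that is also a live call-frame pointer points at a control transfer through the wrong value rather than at a plain NULL dereference, which narrows the search to the indirect jumps on the path (the trampoline disassembled in comment 3 ends in one).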
Attachments
Patch (3.70 KB, patch)
2013-08-02 06:38 PDT, Michael Saboff
no flags
Csaba Osztrogonác
Comment 2 2013-08-02 05:47:53 PDT
+info:
- pass with disabled JIT
- fail with enabled JIT + enabled DFG JIT
- fail with enabled JIT + disabled DFG JIT
Csaba Osztrogonác
Comment 3 2013-08-02 06:01:32 PDT
Some related disassembly:

00000000006c4023 <cti_vm_throw_slowpath>:
  6c4023: 55                      push   %rbp
  6c4024: 48 89 e5                mov    %rsp,%rbp
  6c4027: 48 83 ec 40             sub    $0x40,%rsp
  6c402b: 48 89 7d d8             mov    %rdi,-0x28(%rbp)
  6c402f: 48 8b 45 d8             mov    -0x28(%rbp),%rax
  6c4033: 48 89 c7                mov    %rax,%rdi
  6c4036: e8 63 2a d9 ff          callq  456a9e <JSC::ExecState::codeBlock() const>
  6c403b: 48 89 c7                mov    %rax,%rdi
  6c403e: e8 ab 02 dc ff          callq  4842ee <JSC::CodeBlock::vm()>
  6c4043: 48 89 45 f8             mov    %rax,-0x8(%rbp)
  6c4047: 48 8b 45 f8             mov    -0x8(%rbp),%rax
  6c404b: 48 8b 55 d8             mov    -0x28(%rbp),%rdx
  6c404f: 48 89 90 80 90 00 00    mov    %rdx,0x9080(%rax)
  6c4056: 48 8b 45 f8             mov    -0x8(%rbp),%rax
  6c405a: 48 8b 90 50 aa 00 00    mov    0xaa50(%rax),%rdx
  6c4061: 48 8b 4d d8             mov    -0x28(%rbp),%rcx
  6c4065: 48 8b 45 f8             mov    -0x8(%rbp),%rax
  6c4069: 48 89 ce                mov    %rcx,%rsi
  6c406c: 48 89 c7                mov    %rax,%rdi
  6c406f: e8 4b 5b fe ff          callq  6a9bbf <JSC::jitThrowNew(JSC::VM*, JSC::ExecState*, JSC::JSValue)>
  6c4074: 48 89 c1                mov    %rax,%rcx
  6c4077: 48 89 d0                mov    %rdx,%rax
  6c407a: 48 89 4d c0             mov    %rcx,-0x40(%rbp)
  6c407e: 48 89 45 c8             mov    %rax,-0x38(%rbp)
  6c4082: 48 8b 45 c0             mov    -0x40(%rbp),%rax
  6c4086: 48 89 45 e0             mov    %rax,-0x20(%rbp)
  6c408a: 48 8b 45 c8             mov    -0x38(%rbp),%rax
  6c408e: 48 89 45 e8             mov    %rax,-0x18(%rbp)
  6c4092: 48 8b 55 e0             mov    -0x20(%rbp),%rdx
  6c4096: 48 8b 45 e8             mov    -0x18(%rbp),%rax
  6c409a: 48 89 d7                mov    %rdx,%rdi
  6c409d: 48 89 c6                mov    %rax,%rsi
  6c40a0: e8 33 59 fe ff          callq  6a99d8 <JSC::encode(JSC::ExceptionHandler)>
  6c40a5: c9                      leaveq
  6c40a6: c3                      retq

00000000006a99d8 <JSC::encode(JSC::ExceptionHandler)>:
  6a99d8: 55                      push   %rbp
  6a99d9: 48 89 e5                mov    %rsp,%rbp
  6a99dc: 48 89 fa                mov    %rdi,%rdx
  6a99df: 48 89 f0                mov    %rsi,%rax
  6a99e2: 48 89 55 e0             mov    %rdx,-0x20(%rbp)
  6a99e6: 48 89 45 e8             mov    %rax,-0x18(%rbp)
  6a99ea: 48 8b 45 e0             mov    -0x20(%rbp),%rax
  6a99ee: 48 89 45 f0             mov    %rax,-0x10(%rbp)
  6a99f2: 48 8b 45 e8             mov    -0x18(%rbp),%rax
  6a99f6: 48 89 45 f8             mov    %rax,-0x8(%rbp)
  6a99fa: 48 8b 45 f0             mov    -0x10(%rbp),%rax
  6a99fe: 5d                      pop    %rbp
  6a99ff: c3                      retq

00000000006bc3fa <ctiVMThrowTrampolineSlowpath>:
  6bc3fa: 4c 89 ef                mov    %r13,%rdi
  6bc3fd: e8 21 7c 00 00          callq  6c4023 <cti_vm_throw_slowpath>
  6bc402: ff e2                   jmpq   *%rdx
Michael Saboff
Comment 4 2013-08-02 06:36:59 PDT
*** Bug 119441 has been marked as a duplicate of this bug. ***
Michael Saboff
Comment 5 2013-08-02 06:38:33 PDT
Julien Brianceau
Comment 6 2013-08-02 06:48:47 PDT
LGTM:
- run-javascriptcore-tests is OK on X86 64-bit release build
- run-javascriptcore-tests is OK on X86 64-bit debug build
- run-javascriptcore-tests is OK on X86 32-bit release build
- run-javascriptcore-tests is OK on X86 32-bit debug build
Csaba Osztrogonác
Comment 7 2013-08-02 06:50:13 PDT
Comment on attachment 208008 [details]
Patch

LGTM, r=me.
WebKit Commit Bot
Comment 8 2013-08-02 07:44:55 PDT
Comment on attachment 208008 [details]
Patch

Clearing flags on attachment: 208008

Committed r153646: <http://trac.webkit.org/changeset/153646>
WebKit Commit Bot
Comment 9 2013-08-02 07:44:58 PDT
All reviewed patches have been landed. Closing bug.