Bug 157340 - RESOLVED DUPLICATE of bug 157045
REGRESSION(r200383): It made all JSC stress tests crash on ARMv7 Thumb2
https://bugs.webkit.org/show_bug.cgi?id=157340
Summary REGRESSION(r200383): It made all JSC stress tests crash on ARMv7 Thumb2
Attachments
Patch (1.52 KB, patch)
2016-05-04 05:24 PDT, Csaba Osztrogonác
no flags
Csaba Osztrogonác
Comment 1 2016-05-04 03:14:21 PDT
Here is a release backtrace:

$ ./jsc
Illegal instruction (core dumped)
linaro@linaro-alip:/ramdisk/thumb2/jsc-stress-results/.vm/JavaScriptCore.framework/Resources$ gdb ./jsc core
GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./jsc...(no debugging symbols found)...done.
[New LWP 23648]
[New LWP 23655]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Core was generated by `./jsc'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0xb6cd1b7c in JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&) () from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1
(gdb) bt
#0  0xb6cd1b7c in JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&) () from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#1  0xb6c5080e in JSC::ArrayPrototype::finishCreation(JSC::VM&, JSC::JSGlobalObject*) () from /home/webkitbuildbot/slaves/jsconly-thumb2/buildslave/jsconly-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#2  0x7e78c0b6 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

disassembly:
...
   0xb6cd1b70 <JSC::getTemplateObject(JSC::ExecState*)+28>:	mvnne.w	r1, #4
   0xb6cd1b74 <JSC::getTemplateObject(JSC::ExecState*)+32>:	mvneq.w	r1, #5
   0xb6cd1b78 <JSC::getTemplateObject(JSC::ExecState*)+36>:	pop	{r3, pc}
   0xb6cd1b7a:	nop
=> 0xb6cd1b7c <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+0>:	str.w	r4, [sp, #-20]!
   0xb6cd1b80 <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+4>:	strd	r5, r6, [sp, #4]
   0xb6cd1b84 <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+8>:	ldr	r5, [pc, #132]	; (0xb6cd1c0c <JSC::JSFunction* JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::callFunc<JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)#5}>(JSC::LazyProperty<JSC::JSGlobalObject, JSC::JSFunction>::Initializer const&)+144>)
...
Csaba Osztrogonác
Comment 2 2016-05-04 03:24:38 PDT
What do you think, is it a bug in r200383 or a GCC bug?
Carlos Garcia Campos
Comment 4 2016-05-04 03:32:54 PDT
(In reply to comment #2)
> What do you think, is it a bug in r200383 or a GCC bug?

Looks like a GCC bug in the case of GTK+ debug bot.
Csaba Osztrogonác
Comment 5 2016-05-04 04:05:44 PDT
(In reply to comment #2)
> What do you think, is it a bug in r200383 or a GCC bug?

It is definitely caused by r200383, not a GCC bug, see https://bugs.webkit.org/show_bug.cgi?id=157045#c61
Csaba Osztrogonác
Comment 6 2016-05-04 05:24:30 PDT
Filip Pizlo
Comment 7 2016-05-04 13:03:58 PDT
Comment on attachment 278081 [details]
Patch

I think this would have almost worked, but I believe that it's too crazy to rely on the alignment of function pointers. I'm going to land a version that doesn't rely on the alignment or bit arrangement of function pointers at all.
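The design point in comment 7, as an added illustration that is not WebKit's LazyProperty code and not the attached patch: a lazily initialised slot that keeps the initialiser, the value and the slot's state in separate fields, instead of packing value-or-initialiser into one word and using the low bit of a function pointer as the discriminator. Packing that way only works if every function address is even; on ARM Thumb-2 a pointer to a Thumb function carries bit 0 set (the interworking flag used by BX/BLX), so the tag is indistinguishable from a real function pointer and the call lands on a misdecoded address, which is how a SIGILL like the one in comment 1 arises. The struct, function and enum names and the sample initialiser below are constructed for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebKit's LazyProperty implementation.
 * The slot never inspects or modifies pointer bits; an explicit state enum
 * tells "pending" and "ready" apart, so the layout works regardless of how
 * the target encodes function addresses (Thumb-2 bit 0 included). */

typedef struct LazySlot LazySlot;
typedef int *(*LazyInitializer)(LazySlot *slot);

enum LazyState { LAZY_PENDING, LAZY_INITIALIZING, LAZY_READY };

struct LazySlot {
    enum LazyState state;   /* explicit discriminator, no pointer tagging */
    LazyInitializer init;   /* used while state != LAZY_READY */
    int *value;             /* valid once state == LAZY_READY */
    int init_calls;         /* how many times init has run, for checking */
};

/* Returns the slot's value, running the initialiser exactly once. */
static int *lazy_get(LazySlot *slot)
{
    if (slot->state == LAZY_READY)
        return slot->value;
    /* An initialiser re-entering its own slot is a detectable error here
     * rather than an unbounded recursion through a tagged word. */
    assert(slot->state == LAZY_PENDING);
    slot->state = LAZY_INITIALIZING;
    slot->init_calls++;
    slot->value = slot->init(slot);
    slot->state = LAZY_READY;
    return slot->value;
}

/* Reports whether the low bit of a function pointer is clear on this build.
 * A low-bit-tagged design silently requires this to hold for every function;
 * on Thumb-2 it does not. Shown only to make the assumption visible; the
 * slot above never depends on it. */
static int function_pointer_low_bit_clear(LazyInitializer fn)
{
    return ((uintptr_t)fn & 1u) == 0;
}

/* Constructed sample initialiser: hands out a pointer to static storage. */
static int sample_storage = 42;
static int *sample_init(LazySlot *slot)
{
    (void)slot;
    return &sample_storage;
}

/* Two gets on a fresh slot: returns the initialiser call count (expected 1),
 * or -1 if either get returned the wrong value. */
static int lazy_demo_init_calls(void)
{
    LazySlot slot = { LAZY_PENDING, sample_init, NULL, 0 };
    if (*lazy_get(&slot) != 42 || lazy_get(&slot) != &sample_storage)
        return -1;
    return slot.init_calls;
}

int main(void)
{
    LazySlot slot = { LAZY_PENDING, sample_init, NULL, 0 };
    printf("first get: %d (init calls: %d)\n", *lazy_get(&slot), slot.init_calls);
    printf("second get: %d (init calls: %d)\n", *lazy_get(&slot), slot.init_calls);
    printf("low bit of sample_init clear on this build: %s\n",
           function_pointer_low_bit_clear(sample_init) ? "yes" : "no");
    return 0;
}
```

The cost of the explicit state field is one extra word per slot; what it buys is that correctness no longer depends on code alignment or on the target's pointer encoding, which is the property comment 7 asks for.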
Filip Pizlo
Comment 8 2016-05-04 13:04:10 PDT
*** This bug has been marked as a duplicate of bug 157045 ***