Bug 244952 - [JSC] Crash on ARMv7 due to DFG OSR exit code
Summary: [JSC] Crash on ARMv7 due to DFG OSR exit code
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-09-08 16:37 PDT by Asumu Takikawa
Modified: 2022-09-12 10:06 PDT
CC List: 1 user

See Also:


Attachments
Crash reproduction file (72.19 KB, application/x-javascript)
2022-09-08 16:37 PDT, Asumu Takikawa

Description Asumu Takikawa 2022-09-08 16:37:09 PDT
Created attachment 462214 [details]
Crash reproduction file

It's possible to trigger a segfault while running the attached JS file (minimized from a much larger example contained in the Wasm GC tests, thanks to Mikhail Gadelha) on ARMv7 JSC:

```
# example of how to run the crashing test
$ ~/WebKit/WebKitBuild/Debug/bin/jsc --thresholdForJITAfterWarmUp=45 --thresholdForOptimizeAfterWarmUp=21 -m crash.js
Segmentation fault
```

This bug appears to be triggered by a storeCell instruction used in the DFG OSR exit code for reifying inlined call frames. The store itself is reasonable, but the macroassembler on ARMv7 seems to create a register conflict when the memory address for the store takes a particular form, as it triggers a less-used code path in the macroassembler.
Comment 1 Asumu Takikawa 2022-09-08 18:49:56 PDT
Pull request: https://github.com/WebKit/WebKit/pull/4148
Comment 2 EWS 2022-09-12 10:05:19 PDT
Committed 254390@main (31e6bf54bd0f): <https://commits.webkit.org/254390@main>

Reviewed commits have been landed. Closing PR #4148 and removing active labels.
Comment 3 Radar WebKit Bug Importer 2022-09-12 10:06:18 PDT
<rdar://problem/99826962>