WebKit Bugzilla: Attachment 362276 details for Bug 194772: [ARM] Fix crash with sampling profiler
Patch: bug-194772-20190218112231.patch (text/plain), 3.83 KB, created by Dominik Inführ on 2019-02-18 02:22:32 PST
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 241659 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 13f1d17d290f781a0f252eb496b6448f177f474e..3d12a1379572edfca36919e38a24731f73828886 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,21 @@ >+2019-02-18 Dominik Infuehr <dinfuehr@igalia.com> >+ >+ [ARM] Fix crash with sampling profiler >+ https://bugs.webkit.org/show_bug.cgi?id=194772 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32 >+ did not update the stack pointer in a single instruction. The src register was first >+ moved into the stack pointer, the immediate imm was added in a subsequent instruction. >+ >+ This was problematic when a signal handler was invoked before applying the immediate, >+ when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in >+ a temporary register and then move it in one go into the stack pointer. >+ >+ * assembler/MacroAssemblerARMv7.h: >+ (JSC::MacroAssemblerARMv7::add32): >+ > 2019-02-17 Saam Barati <sbarati@apple.com> > > WasmB3IRGenerator models some effects incorrectly >diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h b/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h >index c1fbb4706c57148161b572cdea5e41c6cc1ad3cc..ea112f42c79234e5af62c044aca040efb0cff3b5 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h >+++ b/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h 
>@@ -177,15 +177,15 @@ public: > > void add32(TrustedImm32 imm, RegisterID src, RegisterID dest) > { >- ARMThumbImmediate armImm = ARMThumbImmediate::makeUInt12OrEncodedImm(imm.m_value); >- >- // For adds with stack pointer destination, moving the src first to sp is >- // needed to avoid unpredictable instruction >- if (dest == ARMRegisters::sp && src != dest) { >- move(src, ARMRegisters::sp); >- src = ARMRegisters::sp; >+ // For adds with stack pointer destination avoid unpredictable instruction >+ if (dest == ARMRegisters::sp) { >+ add32(imm, src, dataTempRegister); >+ move(dataTempRegister, dest); >+ return; > } > >+ ARMThumbImmediate armImm = ARMThumbImmediate::makeUInt12OrEncodedImm(imm.m_value); >+ > if (armImm.isValid()) > m_assembler.add(dest, src, armImm); > else { >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 02da459707cb5b029c1a0463191fe897edb55054..3861967afcd5f46e31a4267b35b60fb3d761fc61 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,14 @@ >+2019-02-18 Dominik Infuehr <dinfuehr@igalia.com> >+ >+ [ARM] Fix crash with sampling profiler >+ https://bugs.webkit.org/show_bug.cgi?id=194772 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Do not skip test since crash with sampling profiler is now fixed. >+ >+ * stress/sampling-profiler-richards.js: >+ > 2019-02-17 Saam Barati <sbarati@apple.com> > > Deadlock when adding a Structure property transition and then doing incremental marking >diff --git a/JSTests/stress/sampling-profiler-richards.js b/JSTests/stress/sampling-profiler-richards.js >index 5ea41bd71496a336447de9b66c66f5f3d2302865..7cf82b302a7db3f3decd2f41dc4855760959ed0b 100644 >--- a/JSTests/stress/sampling-profiler-richards.js >+++ b/JSTests/stress/sampling-profiler-richards.js 
>@@ -1,6 +1,4 @@ >-// [JSC] [Armv7] stress/sampling-profiler-richards.js crashes >-// https://bugs.webkit.org/show_bug.cgi?id=190426 >-//@ skip if ["arm", "mips"].include?($architecture) and $hostOS == "linux" >+//@ skip if $architecture == "mips" and $hostOS == "linux" > //@ skip if $architecture == "x86" > //@ runDefault("--collectContinuously=1", "--useSamplingProfiler=1", "--collectSamplingProfilerDataForJSCShell=1") >
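Review bot: the JavaScriptCore ChangeLog entry says the intermediate stack pointer value is "problematic" but never says why it crashes, and that is the one sentence a reader of this entry needs: when the profiler's signal is delivered between the two instructions, sp still holds the value of src, and signal delivery pushes the signal frame at whatever sp holds at that instant (unless an alternate signal stack is in use), so the frame lands at the wrong address. It would also help to close with what the patch now guarantees, that sp is written exactly once, with its final value. Minor wording: "the immediate imm was added" reads better as "the immediate was added".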
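Review bot: in the MacroAssemblerARMv7.h hunk, dropping `src != dest` from the stack-pointer check means `add32(imm, sp, sp)`, the common frame-size adjustment, is now lowered as `add32(imm, sp, dataTempRegister); move(dataTempRegister, dest)` instead of a single `add sp, sp, #imm`. ADD (SP plus immediate), i.e. Rn == sp, is a defined encoding with Rd == sp, and a single instruction cannot be observed half-done by a signal, so the old fast path could be kept by writing the condition as `if (dest == ARMRegisters::sp && src != dest)`; if it was dropped on purpose, the comment should say why. The comment itself still only mentions the unpredictable encoding; it should record the invariant this change actually establishes, that sp is only ever written once with its final value because the sampling profiler's signal can arrive between any two instructions. One more thing to confirm: the recursive call now targets dataTempRegister, so the `else` branch of add32 (its body is outside this hunk) is reached with `dest == dataTempRegister`; please check that the scratch register it uses for immediates that do not encode does not clobber `src` when `src` is itself `dataTempRegister`.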
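Review bot: the JSTests ChangeLog entry says the test is no longer skipped, but the test hunk only lifts the skip for arm and keeps the mips skip; the entry should say so ("Stop skipping the test on arm/linux; mips stays skipped") so the ChangeLog matches the diff.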
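Review bot: in sampling-profiler-richards.js the mips skip survives, but the two comment lines that justified it (the bug title and https://bugs.webkit.org/show_bug.cgi?id=190426) are deleted together with the arm entry, so the remaining `//@ skip if $architecture == "mips" and $hostOS == "linux"` has no reference any more. Keep the bug URL above the mips skip, or add a note on whether mips still crashes under the sampling profiler, so the next person does not have to rediscover why it is skipped.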
Attachments on bug 194772: 362275 | 362276 | 362327