159709 2016-07-13 03:47:30 -0700 LinkBuffer::linkCode() should put barrier before the constant pool after r202214 2017-06-20 02:15:40 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified NEW P2 Normal --- 159408 1 ossy webkit-unassigned commit-queue fpizlo keith_miller mark.lam msaboff ossy saam oldest_to_newest 1210394 0 ossy 2016-07-13 03:47:30 -0700 https://bugs.webkit.org/show_bug.cgi?id=159408#c3 infos about the crash I notice: sunspider-1.0/3d-cube.js.dfg-maximal-flush-validate-no-cjit: [1470] get_by_id loc9, loc8, NumPx(@id22) llint(struct = 0xb29a7ae0 (offset = 103)) predicting Nonboolint32 sunspider-1.0/3d-cube.js.dfg-maximal-flush-validate-no-cjit: disassembly not available for range 0xb2f13da4...0xb2f13e0c (gdb) disas 0xb2f13da4,0xb2f13e0c Dump of assembler code from 0xb2f13da4 to 0xb2f13e0c: 0xb2f13da4: ldr r0, [r11, #-72] ; 0x48 0xb2f13da8: ldr r1, [r11, #-68] ; 0x44 0xb2f13dac: cmn r1, #5 0xb2f13db0: bne 0xb2f18c48 0xb2f13db4: ldr r12, [r0] 0xb2f13db8: movw r6, #31456 ; 0x7ae0 0xb2f13dbc: movt r6, #45722 ; 0xb29a 0xb2f13dc0: cmp r12, r6 0xb2f13dc4: ldrne r12, [pc, #16] ; 0xb2f13ddc 0xb2f13dc8: bxne r12 0xb2f13dcc: ldr r0, [r0, #8] 0xb2f13dd0: ldr r1, [r0, #-36] ; 0x24 0xb2f13dd4: ldr r0, [r0, #-40] ; 0x28 ----------------------------------------------------------- constant pool, we need a jump here => 0xb2f13dd8: bkpt 0xffff 0xb2f13ddc: rscslt r8, r1, #72, 24 ; 0x4800 0xb2f13de0: nop ; (mov r0, r0) 0xb2f13de4: nop ; (mov r0, r0) 0xb2f13de8: nop ; (mov r0, r0) 0xb2f13dec: nop ; (mov r0, r0) 0xb2f13df0: nop ; (mov r0, r0) 0xb2f13df4: ldr r6, [pc, #1848] ; 0xb2f14534 0xb2f13df8: str r0, [r6] 0xb2f13dfc: ldr r6, [pc, #1844] ; 0xb2f14538 0xb2f13e00: str r1, [r6] 0xb2f13e04: str r0, [r11, #-80] ; 0x50 0xb2f13e08: str r1, [r11, #-76] ; 0x4c End of assembler dump. (gdb) info registers r0 0x168 360 r1 0xffffffff 4294967295 r2 0x0 0 r3 0xbed44828 3201583144 r4 0xffffffff 4294967295 r5 0x0 0 r6 0xb29a7ae0 2996468448 r7 0x0 0 r8 0xb29c71e0 2996597216 r9 0xfffffffb 4294967291 r10 0x1 1 r11 0xbed44968 3201583464 r12 0xb29a7ae0 2996468448 sp 0xbed448a0 0xbed448a0 lr 0xb2f13d1c -1292813028 pc 0xb2f13dd8 0xb2f13dd8 cpsr 0x600f0010 1611595792 1210395 1 283507 ossy 2016-07-13 03:49:39 -0700 Created attachment 283507 Patch 1228042 2 283507 mcatanzaro 2016-09-08 20:52:25 -0700 Comment on attachment 283507 Patch Looks like this has been broken for several months, so a few more days makes no difference: please wait a bit for any JSC folks to object before landing. I have no clue what this patch does, except that it looks like something we shouldn't leave sitting in Bugzilla. 1228690 3 saam 2016-09-11 23:38:26 -0700 Csaba, can you explain what this patch does and why it's necessary? 1228706 4 ossy 2016-09-12 02:17:26 -0700 (In reply to comment #3) > Csaba, can you explain what this patch does and why it's necessary? Before the IC refactoring/optimization work we didn't need to add jump before this constant pool, because the control flow didn't run to the constant pool. But after r202214, we got the crashes can be found in the description of this bug, because instructions should be executed after ldrs. There are only nops on platforms which don't have constant pool. But platforms which have constant pool, should jump over it instead of trying to execute non valid instructions. 283507 2016-07-13 03:49:39 -0700 2016-09-08 20:52:25 -0700 Patch bug-159709-20160713124854.patch text/plain 1591 ossy U3VidmVyc2lvbiBSZXZpc2lvbjogMjAzMTU1CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA0 OWRkOWI5ZTZmZjdjOGVjOTNiZDEzMGI2ZTEzYWFkNjU4OWRkZDI1Li43NjVlYTAyODI4M2RiZjNl NzJhY2ZhYzc2MmNkZjY2NzFlZjk0NjkyIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxMyBAQAorMjAxNi0wNy0xMyAgQ3NhYmEgT3N6dHJvZ29uw6FjICA8b3NzeUB3ZWJraXQu b3JnPgorCisgICAgICAgIExpbmtCdWZmZXI6OmxpbmtDb2RlKCkgc2hvdWxkIHB1dCBiYXJyaWVy IGJlZm9yZSB0aGUgY29uc3RhbnQgcG9vbCBhZnRlciByMjAyMjE0CisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNTk3MDkKKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGFzc2VtYmxlci9MaW5rQnVmZmVyLmNw cDoKKyAgICAgICAgKEpTQzo6TGlua0J1ZmZlcjo6bGlua0NvZGUpOgorCiAyMDE2LTA3LTEyICBC ZW5qYW1pbiBQb3VsYWluICA8YnBvdWxhaW5AYXBwbGUuY29tPgogCiAgICAgICAgIFtKU0NdIEFy cmF5LnByb3RvdHlwZS5qb2luKCkgZmFpbHMgc29tZSBjb25mb3JtYW5jZSB0ZXN0cwpkaWZmIC0t Z2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2VtYmxlci9MaW5rQnVmZmVyLmNwcCBiL1Nv dXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvTGlua0J1ZmZlci5jcHAKaW5kZXggMzI2ZDIw ZDQ0NzdiYjIwM2U1YWEwOTY3NTdjZjZjZTQwNGFjMWMyNy4uOTAyMjhiMjcyNjk4MWEwZmRmNjg5 ZWNlODFjZmYwYmEwZGZkYmQ4OSAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2Fz c2VtYmxlci9MaW5rQnVmZmVyLmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1i bGVyL0xpbmtCdWZmZXIuY3BwCkBAIC0xOTgsNyArMTk4LDcgQEAgdm9pZCBMaW5rQnVmZmVyOjps aW5rQ29kZShNYWNyb0Fzc2VtYmxlciYgbWFjcm9Bc3NlbWJsZXIsIHZvaWQqIG93bmVyVUlELCBK SVRDb20KIHsKICNpZiAhRU5BQkxFKEJSQU5DSF9DT01QQUNUSU9OKQogI2lmIGRlZmluZWQoQVNT RU1CTEVSX0hBU19DT05TVEFOVF9QT09MKSAmJiBBU1NFTUJMRVJfSEFTX0NPTlNUQU5UX1BPT0wK LSAgICBtYWNyb0Fzc2VtYmxlci5tX2Fzc2VtYmxlci5idWZmZXIoKS5mbHVzaENvbnN0YW50UG9v bChmYWxzZSk7CisgICAgbWFjcm9Bc3NlbWJsZXIubV9hc3NlbWJsZXIuYnVmZmVyKCkuZmx1c2hD b25zdGFudFBvb2woKTsKICNlbmRpZgogICAgIGFsbG9jYXRlKG1hY3JvQXNzZW1ibGVyLCBvd25l clVJRCwgZWZmb3J0KTsKICAgICBpZiAoIW1fZGlkQWxsb2NhdGUpCkBAIC0zMjUsNSArMzI1LDMg QEAgdm9pZCBMaW5rQnVmZmVyOjpkdW1wQ29kZSh2b2lkKiBjb2RlLCBzaXplX3Qgc2l6ZSkKIH0g Ly8gbmFtZXNwYWNlIEpTQwogCiAjZW5kaWYgLy8gRU5BQkxFKEFTU0VNQkxFUikKLQotCg==