159758 2016-07-14 04:28:50 -0700 [ARM] ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction after r202214 2016-07-14 18:48:48 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified NEW P2 Normal --- 159408 1 ossy webkit-unassigned fpizlo ossy saam oldest_to_newest 1210948 0 ossy 2016-07-14 04:28:50 -0700 ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction ../../Source/JavaScriptCore/assembler/ARMAssembler.h(866) : static JSC::ARMWord* JSC::ARMAssembler::getLdrImmAddress(JSC::ARMWord*) #0 0xb648805c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323 #1 0xb5851e28 in JSC::ARMAssembler::getLdrImmAddress (insn=0xb27ca808) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:866 #2 0xb590a10c in JSC::ARMAssembler::patchPointerInternal (from=-1300453368, to=0xb27cab20) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:892 #3 0xb590a23c in JSC::ARMAssembler::linkJump (code=0xb27ca808, from=..., to=0xb27cab20) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:956 #4 0xb590bc88 in JSC::AbstractMacroAssembler<JSC::ARMAssembler, JSC::MacroAssemblerARM>::linkJump (code=0xb27ca808, jump=..., target=...) at ../../Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:970 #5 0xb590b33c in JSC::LinkBuffer::link (this=0xbeffe4fc, jump=..., label=...) at ../../Source/JavaScriptCore/assembler/LinkBuffer.h:143 #6 0xb5909208 in JSC::InlineAccess::rewireStubAsJump (vm=..., stubInfo=..., target=...) at ../../Source/JavaScriptCore/bytecode/InlineAccess.cpp:291 #7 0xb5fc0824 in JSC::tryCachePutByID (exec=0xbeffe888, baseValue=..., structure=0xb21a7220, ident=..., slot=..., stubInfo=..., putKind=JSC::NotDirect) at ../../Source/JavaScriptCore/jit/Repatch.cpp:452 #8 0xb5fc0a28 in JSC::repatchPutByID (exec=0xbeffe888, baseValue=..., structure=0xb21a7220, propertyName=..., slot=..., stubInfo=..., putKind=JSC::NotDirect) at ../../Source/JavaScriptCore/jit/Repatch.cpp:463 #9 0xb5f88c50 in JSC::operationPutByIdNonStrictOptimize (exec=0xbeffe888, stubInfo=0xb2590d80, encodedValue=-18486637472, encodedBase=-18486456960, uid=0xb259ac78) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:421 #10 0xb27ca8f0 in ?? () (gdb) disas 0xb27ca808,+20 Dump of assembler code from 0xb27ca808 to 0xb27ca81c: 0xb27ca808: b 0xb27ca8b0 0xb27ca80c: nop ; (mov r0, r0) 0xb27ca810: nop ; (mov r0, r0) 0xb27ca814: nop ; (mov r0, r0) 0xb27ca818: nop ; (mov r0, r0) Generated Baseline JIT code for CallSign#A1TBrX:[0xb21aa4b0->0xb21d92c0, BaselineFunctionConstruct, 25], instruction count = 25 Source: function CallSign(value) { this._value = value; } Code at [0xb27ca5c0, 0xb27cab1c): disassembly not available for range 0xb27ca5c0...0xb27ca63c [ 0] enter disassembly not available for range 0xb27ca63c...0xb27ca700 [ 1] get_scope loc0 disassembly not available for range 0xb27ca700...0xb27ca714 [ 3] mov loc1, loc0 disassembly not available for range 0xb27ca714...0xb27ca724 [ 6] mov loc2, this disassembly not available for range 0xb27ca724...0xb27ca734 [ 9] create_this this, this, 1, 2988382240 disassembly not available for range 0xb27ca734...0xb27ca7ac [ 14] put_by_id this, _value(@id0), arg1, String llint(prev = 0xb21a7220, next = 0xb21a71d0 (offset = 0), chain = 0xb21cbea0: [struct = 0xb21a7900, struct = 0xb21f6d20]) disassembly not available for range 0xb27ca7ac...0xb27ca838 [ 23] ret this disassembly not available for range 0xb27ca838...0xb27ca860 (End Of Main Path) (S) [ 9] create_this this, this, 1, 2988382240 disassembly not available for range 0xb27ca860...0xb27ca8b0 (S) [ 14] put_by_id this, _value(@id0), arg1, String llint(prev = 0xb21a7220, next = 0xb21a71d0 (offset = 0), chain = 0xb21cbea0: [struct = 0xb21a7900, struct = 0xb21f6d20]) disassembly not available for range 0xb27ca8b0...0xb27ca918 (End Of Slow Path) disassembly not available for range 0xb27ca918...0xb27caa1c It seems this branch comes from [14] put_by_id and can't be patched. Of course, a branch can't be patched. The question is why a branch was generated here and not a patchable instruction. Could you give me some hint where is this instruction generated? 1211304 1 saam 2016-07-14 18:48:48 -0700 The whole point of that code inside InlineAccess is to just plat new machine code over the old location. In this case, it's splatting a jump over the old code to jump to and out of line generated code. Why is this a problem?