Bug 130203 - JS benchmarks crash with a bus error on 32-bit x86
Summary: JS benchmarks crash with a bus error on 32-bit x86
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-03-13 12:20 PDT by Mark Lam
Modified: 2014-03-13 12:48 PDT
CC List: 6 users

See Also:


Attachments
the patch (2.17 KB, patch)
2014-03-13 12:32 PDT, Mark Lam
ggaren: review+

Description Mark Lam 2014-03-13 12:20:03 PDT
The following tests crash when running with a 32-bit x86 debug build of jsc:

JSRegress/get-by-id-self-or-proto
JSRegress/polymorphic-put-by-id
Kraken/audio-beat-detection
Octane/gbemu
Octane/pdfjs
Octane/typescript
V8Spider/raytrace
V8v7/encrypt
V8v7/splay
...
Comment 1 Mark Lam 2014-03-13 12:20:34 PDT
<rdar://problem/16306428>
Comment 2 Mark Lam 2014-03-13 12:30:34 PDT
The issue is that generateGetByIdStub() can potentially use the same register for the JSValue base register and the target tag register.  After loading the tag value into the target tag register, the JSValue base address is lost.  The code then proceeds to load the payload value using the base register, and this results in a crash.

The fix is to check if the base register is the same as the target tag register.  If so, we should make a copy of the base register first before loading the tag value, and use the copy to load the payload value instead.
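The register-aliasing hazard described in Comment 2, as an added illustration that is not the WebKit patch: a tiny model of 32-bit registers and a JSValue tag/payload pair in memory, with the original two-load sequence beside the corrected one. The register names, `Machine` model and `loadValue*` functions are constructed for this example; out-of-range or misaligned loads stand in for the bus error.

```cpp
#include <cstdint>
// Simulated 32-bit JSValue: tag word and payload word stored side by side in memory.
struct JSValue32 {
    int32_t tag;
    int32_t payload;
};
enum Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, NUM_REGS = 4 };

// Minimal machine model (constructed): four registers and a heap of four JSValue slots.
// Any load through an address that is not a valid, aligned slot models a bus error.
struct Machine {
    uint32_t regs[NUM_REGS] = {0, 0, 0, 0};
    JSValue32 heap[4] = {};
    bool faulted = false;

    JSValue32* deref(uint32_t addr) {
        if (addr % sizeof(JSValue32) != 0 || addr / sizeof(JSValue32) >= 4) { faulted = true; return nullptr; }
        return &heap[addr / sizeof(JSValue32)];
    }
};

// The sequence as originally emitted: tag loaded through base, then payload loaded
// through the same base register. If tagDst aliases base, the second load derefs the tag.
bool loadValueBuggy(Machine& m, Reg base, Reg tagDst, Reg payloadDst) {
    JSValue32* v = m.deref(m.regs[base]);
    if (!v) return false;
    m.regs[tagDst] = static_cast<uint32_t>(v->tag);   // clobbers base when tagDst == base
    v = m.deref(m.regs[base]);                          // base no longer holds the address
    if (!v) return false;
    m.regs[payloadDst] = static_cast<uint32_t>(v->payload);
    return true;
}

// The fix from Comment 2: when tagDst aliases base, copy base to a scratch register
// first and load the payload through the copy.
bool loadValueFixed(Machine& m, Reg base, Reg tagDst, Reg payloadDst, Reg scratch) {
    Reg payloadBase = base;
    if (tagDst == base) {
        m.regs[scratch] = m.regs[base];
        payloadBase = scratch;
    }
    JSValue32* v = m.deref(m.regs[base]);
    if (!v) return false;
    m.regs[tagDst] = static_cast<uint32_t>(v->tag);   // may clobber base, but the copy survives
    v = m.deref(m.regs[payloadBase]);
    if (!v) return false;
    m.regs[payloadDst] = static_cast<uint32_t>(v->payload);
    return true;
}
```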
Comment 3 Mark Lam 2014-03-13 12:32:43 PDT
Created attachment 226612 [details]
the patch
Comment 4 Geoffrey Garen 2014-03-13 12:42:30 PDT
Comment on attachment 226612 [details]
the patch

r=me
Comment 5 Mark Lam 2014-03-13 12:48:25 PDT
Thanks for the review.  Landed in r165559: <http://trac.webkit.org/r165559>.