Bug 122665
Summary: Intermittent Trap 5 (int $3) in get_by_val (or GetByVal) from an Int32 array in sunspider-1.0/math-spectral-norm.js.dfg-eager

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Pizlo <fpizlo> |
| Component: | JavaScriptCore | Assignee: | Filip Pizlo <fpizlo> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | ap, barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | All | | |
| OS: | All | | |
Filip Pizlo
Here's the machine code. It looks like it's gotta be a get_by_val int32 load stub in the baseline JIT, or a GetByVal in the DFG. Not sure which it is.

```
   0x3576f7a051dc: movq 8(%rax), %rdx
   0x3576f7a051e0: movl -56(%r13), %ecx
   0x3576f7a051e4: cmpl -8(%rdx), %ecx
   0x3576f7a051e7: jae 0x3576f7a05632
   0x3576f7a051ed: movq (%rdx,%rcx,8), %rbx
   0x3576f7a051f1: testq %rbx, %rbx
   0x3576f7a051f4: je 0x3576f7a05653
   0x3576f7a051fa: cmpq %r14, %rbx
   0x3576f7a051fd: jae 0x3576f7a05204
   0x3576f7a05203: int3
-> 0x3576f7a05204: cvtsi2sdl %ebx, %xmm1
   0x3576f7a05208: mulsd %xmm1, %xmm2
```
The reason why we trap is that we load this garbage from the array:
```
(lldb) register read
General Purpose Registers:
       rax = 0x000000010471fe80
       rbx = 0x40657d68d5cbd169
       rcx = 0x0000000000000000
       rdx = 0x00000001017b2428
       rdi = 0x0000000000000006
       rsi = 0x00003576f7a0501f
       rbp = 0x00007fff5fbfdfe0
       rsp = 0x00007fff5fbfdf40
        r8 = 0x0000000000000040
        r9 = 0x00007fff5fbfda00
       r10 = 0x00003576f7a04c22
       r11 = 0x00000000ffffffff
       r12 = 0x0000000000000200
       r13 = 0x00000001046ffe68
       r14 = 0xffff000000000000
       r15 = 0xffff000000000002
       rip = 0x00003576f7a05204
    rflags = 0x0000000000000207
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000004010000
```
Notice rbx has a ridiculous value.
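As an added illustration that is not part of the bug report, the C model below reproduces the speculation check visible in the disassembly (`cmpq %r14, %rbx; jae ok; int3`, where r14 holds the value JavaScriptCore's 64-bit JSValue encoding uses as its int32 tag, and r15 the tag mask) and runs the rbx value from the register dump through it. The encoding constants, the `classify` helper and the function names are my own reconstruction of the JSValue64 scheme, not code from WebKit, and what the helper says about the rbx bit pattern is only what that encoding implies for it, not a root-cause finding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* JSValue64 constants (x86-64 JavaScriptCore), per my reading of the encoding;
 * r14 and r15 in the register dump hold the first two. */
#define TAG_TYPE_NUMBER      0xffff000000000000ULL /* values >= this are boxed int32 */
#define TAG_MASK             0xffff000000000002ULL /* int32 or immediate if any bit set */
#define DOUBLE_ENCODE_OFFSET 0x0001000000000000ULL /* doubles are stored as raw bits + 2^48 */

typedef uint64_t JSValue;
enum JSKind { JS_INT32, JS_DOUBLE, JS_CELL, JS_OTHER };

static JSValue encode_int32(int32_t i) { return TAG_TYPE_NUMBER | (uint32_t)i; }
static int32_t decode_int32(JSValue v) { return (int32_t)(uint32_t)v; }

static JSValue encode_double(double d) {
    uint64_t bits; memcpy(&bits, &d, sizeof bits);
    return bits + DOUBLE_ENCODE_OFFSET;
}
static double decode_double(JSValue v) {
    uint64_t bits = v - DOUBLE_ENCODE_OFFSET; double d; memcpy(&d, &bits, sizeof d);
    return d;
}

/* The DFG speculation check from the disassembly: "cmpq %r14, %rbx; jae ok; int3".
 * It is an unsigned compare, so only a value whose top 16 bits are all set
 * (the int32 tag) survives; anything else hits the int3 trap. */
static int passes_int32_speculation(JSValue v) { return v >= TAG_TYPE_NUMBER; }

/* Simplified classifier for a JSValue bit pattern (null/undefined/booleans and the
 * empty value are lumped into JS_OTHER). */
static enum JSKind classify(JSValue v) {
    if (v >= TAG_TYPE_NUMBER) return JS_INT32;
    if (v & TAG_TYPE_NUMBER)  return JS_DOUBLE;   /* nonzero top bits below the int tag */
    if (v != 0 && (v & 0xf) == 0) return JS_CELL; /* 16-byte aligned heap pointer */
    return JS_OTHER;
}

int main(void) {
    const JSValue crash_rbx = 0x40657d68d5cbd169ULL; /* rbx from the register dump */
    const char *names[] = { "int32", "double", "cell", "other" };
    printf("rbx=%#llx passes int32 check: %d, classified as %s\n",
           (unsigned long long)crash_rbx, passes_int32_speculation(crash_rbx),
           names[classify(crash_rbx)]);
    printf("read as a boxed double it would decode to %g\n", decode_double(crash_rbx));
    printf("encoded int32 -7 = %#llx, decodes to %d\n",
           (unsigned long long)encode_int32(-7), decode_int32(encode_int32(-7)));
    return 0;
}
```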
Filip Pizlo
It takes hundreds of runs, at least, to get this to reproduce.
This is starting to look like a memory corruption bug. The DFG's assertions are exactly what they should be. And we're loading nonsense from an array. That's why we're crashing.
Alexey Proskuryakov
Is this the same as bug 122462?
Filip Pizlo
(In reply to comment #2)
> Is this the same as bug 122462?
You're right, I forgot about that one.
*** This bug has been marked as a duplicate of bug 122462 ***