Bug 122665 - RESOLVED DUPLICATE of bug 122462
Intermittent Trap 5 (int $3) in get_by_val (or GetByVal) from an Int32 array in sunspider-1.0/math-spectral-norm.js.dfg-eager
https://bugs.webkit.org/show_bug.cgi?id=122665
Filip Pizlo
Reported 2013-10-11 11:29:57 PDT
Here's the machine code, it looks like it's gotta be a get_by_val int32 load stub in the baseline JIT, or a GetByVal in the DFG. Not sure which it is.

0x3576f7a051dc: movq 8(%rax), %rdx
0x3576f7a051e0: movl -56(%r13), %ecx
0x3576f7a051e4: cmpl -8(%rdx), %ecx
0x3576f7a051e7: jae 0x3576f7a05632
0x3576f7a051ed: movq (%rdx,%rcx,8), %rbx
0x3576f7a051f1: testq %rbx, %rbx
0x3576f7a051f4: je 0x3576f7a05653
0x3576f7a051fa: cmpq %r14, %rbx
0x3576f7a051fd: jae 0x3576f7a05204
0x3576f7a05203: int3
-> 0x3576f7a05204: cvtsi2sdl %ebx, %xmm1
0x3576f7a05208: mulsd %xmm1, %xmm2

The reason why we trap is that we load this garbage from the array:

(lldb) register read
General Purpose Registers:
rax = 0x000000010471fe80
rbx = 0x40657d68d5cbd169
rcx = 0x0000000000000000
rdx = 0x00000001017b2428
rdi = 0x0000000000000006
rsi = 0x00003576f7a0501f
rbp = 0x00007fff5fbfdfe0
rsp = 0x00007fff5fbfdf40
r8 = 0x0000000000000040
r9 = 0x00007fff5fbfda00
r10 = 0x00003576f7a04c22
r11 = 0x00000000ffffffff
r12 = 0x0000000000000200
r13 = 0x00000001046ffe68
r14 = 0xffff000000000000
r15 = 0xffff000000000002
rip = 0x00003576f7a05204
rflags = 0x0000000000000207
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000004010000

Notice rbx has a ridiculous value.
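Added example, not code from the bug or from WebKit: a C model of the tag checks in the disassembly above (the hole check `testq/je` and the int32 assertion `cmpq %r14; jae; int3`), applied to the rbx value from the register dump. The tag constants are read from r14 and r15 in the dump; that they are JSC's 64-bit NaN-boxing tags, and the double encoding offset, are assumptions about JSC's JSValue layout rather than facts stated in the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag registers from the dump: r14 = TagTypeNumber, r15 = TagMask. Their meaning
   and DOUBLE_ENCODE_OFFSET are assumptions about JSC's JSValue layout. */
#define TAG_TYPE_NUMBER      0xffff000000000000ULL
#define TAG_BIT_TYPE_OTHER   0x0000000000000002ULL
#define TAG_MASK             (TAG_TYPE_NUMBER | TAG_BIT_TYPE_OTHER)
#define DOUBLE_ENCODE_OFFSET (1ULL << 48)

enum js_kind { JS_EMPTY, JS_INT32, JS_DOUBLE, JS_CELL, JS_OTHER };

/* Classify a raw 64-bit array slot the way the JIT's tag checks would. */
static enum js_kind js_value_kind(uint64_t v)
{
    if (v == 0)                                   return JS_EMPTY;  /* hole: testq/je   */
    if ((v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER) return JS_INT32;  /* unsigned v >= r14 */
    if (v & TAG_TYPE_NUMBER)                      return JS_DOUBLE; /* some high bits set */
    if ((v & TAG_MASK) == 0)                      return JS_CELL;   /* heap pointer      */
    return JS_OTHER;                               /* true/false/null/undefined immediates */
}

/* 'cmpq %r14,%rbx; jae ok; int3': returns 1 when the int3 is skipped. An
   Int32-shaped array must only hold int32-tagged words (or holes), so any
   other bit pattern reaching this point means the slot was corrupted. */
static int dfg_int32_assert_holds(uint64_t v) { return v >= TAG_TYPE_NUMBER; }

static int32_t  decode_int32(uint64_t v) { return (int32_t)(uint32_t)v; }
static uint64_t encode_int32(int32_t i)  { return TAG_TYPE_NUMBER | (uint32_t)i; }

static uint64_t encode_double(double d)
{
    uint64_t bits; memcpy(&bits, &d, sizeof bits);
    return bits + DOUBLE_ENCODE_OFFSET;           /* shifts doubles out of the tag ranges */
}
static double decode_double(uint64_t v)
{
    uint64_t bits = v - DOUBLE_ENCODE_OFFSET; double d; memcpy(&d, &bits, sizeof d);
    return d;
}

int main(void)
{
    static const char *names[] = { "empty", "int32", "double", "cell", "other" };
    uint64_t rbx = 0x40657d68d5cbd169ULL;         /* the word loaded right before the trap */
    printf("rbx classifies as %s; int3 hit: %s\n",
           names[js_value_kind(rbx)], dfg_int32_assert_holds(rbx) ? "no" : "yes");
    return 0;
}
```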
Filip Pizlo
Comment 1 2013-10-11 11:31:22 PDT
It takes hundreds of runs, at least, to get this to reproduce. This is starting to look like a memory corruption bug. The DFG's assertions are exactly what they should be. And we're loading nonsense from an array. That's why we're crashing.
Alexey Proskuryakov
Comment 2 2013-10-11 12:06:52 PDT
Is this the same as bug 122462?
Filip Pizlo
Comment 3 2013-10-11 12:30:25 PDT
(In reply to comment #2)
> Is this the same as bug 122462?

You're right, I forgot about that one.

*** This bug has been marked as a duplicate of bug 122462 ***