[wpe-2.46] crash in DFG JITed code #1592

@emutavchi

Description

Reproducible with the attached tail_call_test.html. In the release build, it crashes somewhere in JITed code; in a build with assertions enabled, it crashes in CallFrameShuffler::emitLoad with the following assertion failed:

ASSERTION FAILED: payloadGPR != InvalidGPRReg && tagGPR != InvalidGPRReg && tagGPR != payloadGPR
.../WPEWebKit/Source/JavaScriptCore/jit/CallFrameShuffler32_64.cpp(147) : void JSC::CallFrameShuffler::emitLoad(CachedRecovery &)
(gdb) bt
#0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1  0xeed4e13c in __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=<optimized out>) at pthread_kill.c:43
#2  0xeed1fb86 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0xeed115d4 in __GI_abort () at abort.c:79
#4  0xf18eee0a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:931
#5  0xf2b8c96c in JSC::CallFrameShuffler::emitLoad(JSC::CachedRecovery&) [clone .cold.10] () at .../WPEWebKit/Source/JavaScriptCore/jit/CallFrameShuffler32_64.cpp:147
#6  0xf2b89888 in JSC::CallFrameShuffler::emitLoad (this=0xffae2280, location=...) at .../WPEWebKit/Source/JavaScriptCore/jit/CallFrameShuffler32_64.cpp:147
#7  0xf2b784ce in JSC::CallFrameShuffler::prepareAny (this=0xffae2280) at .../WPEWebKit/Source/JavaScriptCore/jit/CallFrameShuffler.cpp:658
#8  0xf2b78a18 in JSC::CallFrameShuffler::prepareForTailCall (this=0x0) at .../WPEWebKit/Source/JavaScriptCore/jit/CallFrameShuffler.cpp:489
#9  0xf293d1ca in JSC::DFG::SpeculativeJIT::emitCall(JSC::DFG::Node*)::$_4::operator()() const (this=<optimized out>) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:966
#10 WTF::ScopedLambdaFunctor<void(), JSC::DFG::SpeculativeJIT::emitCall(JSC::DFG::Node*)::$_4>::implFunction (argument=<optimized out>) at WTF/Headers/wtf/ScopedLambda.h:106
#11 0xf23877e6 in WTF::ScopedLambda<void ()>::operator()<>() const (this=0xffae25c8) at WTF/Headers/wtf/ScopedLambda.h:58
#12 JSC::CallLinkInfo::emitFastPathImpl (callLinkInfo=<optimized out>, jit=..., isTailCall=true, prepareForTailCall=...) at .../WPEWebKit/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:358
#13 0xf23879a0 in JSC::OptimizingCallLinkInfo::emitTailCallFastPath (this=0x0, jit=..., prepareForTailCall=...) at .../WPEWebKit/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:403
#14 0xf238796a in JSC::CallLinkInfo::emitTailCallFastPath (jit=..., callLinkInfo=Python Exception <class 'gdb.error'>: value has been optimized out
..., prepareForTailCall=...) at .../WPEWebKit/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:389
#15 0xf2930972 in JSC::DFG::SpeculativeJIT::emitCall (this=<optimized out>, node=0xb52cbe40) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:962
#16 0xf29359c6 in JSC::DFG::SpeculativeJIT::compile (this=0xffae2b98, node=0xb52cbe40) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3953
#17 0xf281295a in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=<optimized out>) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2146
#18 0xf280b45e in JSC::DFG::SpeculativeJIT::compileBody (this=0xffae2b98) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2256
#19 0xf280baa6 in JSC::DFG::SpeculativeJIT::compileFunction (this=0xffae2b98) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:222
#20 0xf27e8b68 in JSC::DFG::Plan::compileInThreadImpl (this=0xe7afdba0) at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:353
#21 0xf2c73a4c in JSC::JITPlan::compileInThread (this=0xe7afdba0, thread=<optimized out>) at .../WPEWebKit/Source/JavaScriptCore/jit/JITPlan.cpp:207
#22 0xf2d1cec6 in JSC::JITWorklist::enqueue (this=0xe7a61000, plan=...) at .../WPEWebKit/Source/JavaScriptCore/jit/JITWorklist.cpp:87
#23 0xf2638f28 in JSC::DFG::compileImpl (vm=..., codeBlock=0xe5489940, profiledDFGCodeBlock=<optimized out>, mode=JSC::JITCompilationMode::DFG, mustHandleValues=..., callback=..., osrEntryBytecodeIndex=...)
    at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:99
#24 JSC::DFG::compile (vm=..., codeBlock=0xe5489940, profiledDFGCodeBlock=<optimized out>, mode=<optimized out>, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at .../WPEWebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:115
#25 0xf2c04dea in operationOptimize (vmPointer=0xe5200000, bytecodeIndexBits=<optimized out>) at .../WPEWebKit/Source/JavaScriptCore/jit/JITOperations.cpp:3084
#26 0xe6864b06 in ?? ()

Disabling tail call optimization (export JSC_useTailCalls=0) helps to work around the crash.

tail_call_test.html