bitwiseworks / qtwebengine-chromium-os2

Port of Chromium and related tools to OS/2

Crashes in JIT assembly generated for JS #21

Closed dmik closed 3 years ago

dmik commented 4 years ago

As mentioned in https://github.com/bitwiseworks/qtwebengine-os2/issues/6#issuecomment-683184661, when visiting some sites with some special JS (e.g. https://youtube.com), the renderer process crashes in some assembly that must be JIT code generated for some JS.

______________________________________________________________________

 Exception C000009F - Breakpoint
______________________________________________________________________

 Process:  D:\CODING\QT5\QT5-DEV-BUILD\QTWEBENGINE\EXAMPLES\WEBENGINEWIDGETS\SIMPLEBROWSER\RELEASE\SIMPLEBROWSER.EXE (08/26/2020 15:15:00 1,837,431)
 PID:      4DA0 (19872)
 TID:      0D (13)
 Priority: 200

 Filename: C:\USR\LOCAL\LIB\LIBCN0.DLL (07/29/2020 19:19:26 3,622,560)
 Address:  005B:2DE83519 (0000:FFFFFFFF)
 Code:     failing instruction can not be disassembled

______________________________________________________________________

 Registers
______________________________________________________________________

 EAX : 00000000   EBX  : 2070B860   ECX : 00000002   EDX  : 45500289
 ESI : 44D02EFD   EDI  : 045FEB3C
 ESP : 045FEB14   EBP  : 045FEB20   EIP : 2DE83519   EFLG : 00200202
 CS  : 005B       CSLIM: FFFFFFFF   SS  : 0053       SSLIM: FFFFFFFF

 EAX : not a valid address
 EBX : read/write memory allocated by LIBCN0
 ECX : not a valid address
 EDX : read/write memory allocated by LIBCN0
 ESI : read/write memory allocated by LIBCN0
 EDI : read/write memory on this thread's stack

______________________________________________________________________

 Stack Info for Thread 0D
______________________________________________________________________

   Size       Base        ESP         Max         Top
 00200000   04600000 -> 045FEB14 -> 045EA000 -> 04400000

______________________________________________________________________

 Call Stack
______________________________________________________________________

   EBP     Address    Module     Obj:Offset    Nearest Public Symbol
 --------  ---------  --------  -------------  -----------------------
 Trap  ->  2DE83519   *Unknown*

 045FEB20  B8BBD869   QT5WEBC   0001:01F5D869   _v8_Default_embedded_blob_size_ - F9E87 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEB3C  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEBAC  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEBF8  B8BBD869   QT5WEBC   0001:01F5D869   _v8_Default_embedded_blob_size_ - F9E87 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEC14  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEC70  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FECAC  B8BBD869   QT5WEBC   0001:01F5D869   _v8_Default_embedded_blob_size_ - F9E87 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FECD0  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FED28  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FED74  B8BBD869   QT5WEBC   0001:01F5D869   _v8_Default_embedded_blob_size_ - F9E87 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEDA0  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEDD4  B8BBD869   QT5WEBC   0001:01F5D869   _v8_Default_embedded_blob_size_ - F9E87 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEDF0  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEE50  B8BC3524   QT5WEBC   0001:01F63524   _v8_Default_embedded_blob_size_ - F41CC 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEE84  B8BC1351   QT5WEBC   0001:01F61351   _v8_Default_embedded_blob_size_ - F639F 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEE9C  B8BC1119   QT5WEBC   0001:01F61119   _v8_Default_embedded_blob_size_ - F65D7 0001:020576F0 (ldconv_embedded_o_4d4e5f4964a7199908.obj)

 045FEEC8  B86525CB   QT5WEBC   0001:019F25CB   __ZN2v88internal12StringSearchIttE12LinearSearchEPS2_NS0_6VectorIKtEEi$w$ZJ7dXFNIGM7ty3tT0 + 3CB 0001:019F2200 (v8_base_jumbo_26.o)

 045FEF78  B8654D1C   QT5WEBC   0001:019F4D1C   __ZN2v88internal9Execution4CallEPNS0_7IsolateENS0_6HandleINS0_6ObjectEEES6_iPS6_ + 6C 0001:019F4CB0 (v8_base_jumbo_26.o)

 045FF084  BBF1CBDF   QT5WEBC   0001:052BCBDF   __ZN5blink14V8ScriptRunner12CallFunctionEN2v85LocalINS1_8FunctionEEEPNS_16ExecutionContextENS2_INS1_5ValueEEEiPS8_PNS1_7IsolateE + 1FF 0001:052BC9E0 (core_generated_jumbo_11.o)

This happens in the release build. In the debug build I can't trigger that crash yet due to various other assertions here and there happening earlier.

dmik commented 4 years ago

While debugging JS crashes I found this failed assertion in V8 (JS engine) code:

#
# Fatal error in D:/Coding/qt5/qt5/qtwebengine/src/3rdparty/chromium/v8/src/compiler/types.h, line 337
# Debug check failed: IsInteger(lim.min) && IsInteger(lim.max).
#
#
#

Further debugging showed that this fails for doubles -128.000 and 127.000 respectively. For some reason, std::nearbyint always returns nan for any value on OS/2. Will create a GCC ticket for that.
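The predicate behind the failed `Debug check` depends on `nearbyint` returning the input unchanged for integral doubles, so a libm that returns NaN makes every integral value fail. As an added illustration (not code from the issue, the port or V8), the block below mirrors the shape of V8's `IsInteger` check (an assumption modelled on the assertion text) and runs it against the platform `nearbyint` and a simulated NaN-returning one, as a toolchain self-check a porter can run before debugging the JIT.

```cpp
#include <cmath>
#include <limits>

// Rounding function taken as a parameter so the same predicate can be
// evaluated against the platform libm and against a simulated broken one.
using RoundFn = double (*)(double);

// V8 treats -0.0 as a separate type, so the integer predicate excludes it.
bool is_minus_zero(double v) { return v == 0.0 && std::signbit(v); }

// Assumption: modelled on V8's IsInteger, "nearbyint(x) == x && !IsMinusZero(x)".
// With a NaN-returning nearbyint the comparison is always false, which is
// exactly how -128.0 and 127.0 end up failing the Debug check in the issue.
bool is_integer_with(double x, RoundFn nearby) {
  return nearby(x) == x && !is_minus_zero(x);
}

// Thin wrapper so the double overload can be passed as a plain function pointer.
double platform_nearbyint(double x) { return std::nearbyint(x); }

// Simulates the OS/2 libm defect reported above: every call yields NaN.
double broken_nearbyint(double) {
  return std::numeric_limits<double>::quiet_NaN();
}

// Toolchain probe: counts inputs for which the given nearbyint disagrees
// with the expected result under the default round-to-nearest-even mode.
// The probe values are constructed for this example; the first two are
// the doubles named in the issue.
int count_nearbyint_failures(RoundFn nearby) {
  struct Probe { double in; double expect; };
  const Probe probes[] = {
    {-128.0, -128.0}, {127.0, 127.0}, {0.0, 0.0},
    {2.5, 2.0}, {-2.5, -2.0}, {1e300, 1e300},
  };
  int failures = 0;
  for (const Probe& p : probes) {
    double got = nearby(p.in);
    if (std::isnan(got) || got != p.expect) ++failures;
  }
  return failures;  // 0 on a conforming libm
}
```

Run `count_nearbyint_failures(platform_nearbyint)` early in a port's test suite: a non-zero result points at libm rather than at the JIT or the generated code.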

dmik commented 4 years ago

With the nearbyint problem fixed, I don't get the above error and/or JS crashes any more. I will leave it open for a while to see if any crash in generated assembly pops up again.

dmik commented 3 years ago

No crashes so far, closing.