a potential JIT bug?


chang2008

Nov 3, 2010, 3:32:37 AM
to android-platform
Hi there,

I am a newbie to Android, so please forgive me if my question sounds
silly.

When we were testing an app on Froyo, it crashed in the JITed code. We
managed to obtain some log and the crashing point with gdbjithelper.

######## The implementation of check-cast ##########
......
0xb96d: ldr r0, [pc, #48]
0xb96f: ldr r3, [r0, #0] <<<<<<<<<<<< this is the crashed instruction
0xb971: str r1, [r5, #0]
0xb973: ldr r1, [r6, #92]
0xb975: blx r1

It seems that "r1" holds a pointer to "dvmJitToInterpPunt" in "blx r1"
under our configuration. Then I found the following function in
"dalvik/vm/compiler/codegen/arm/CodegenDriver.c", which I believe
generates the above code. But I am having trouble understanding the use
of "loadWordDisp(cUnit, r0, offsetof(Object, clazz), r3);".

1) "r0" should point to a dalvik instruction rather than an object so
this load does not make much sense
2) "r3" is never used in this code section and not even used in
dvmJitToInterpPunt.

Our problem goes away and no new problem has been seen after I
commented out this line. Can somebody shed some light on this issue?
Is this a bug or my misunderstanding?

Thank you for your time
yang


/* Generate a branch to go back to the interpreter */
static void genPuntToInterp(CompilationUnit *cUnit, unsigned int offset)
{
    /* r0 = dalvik pc */
    dvmCompilerFlushAllRegs(cUnit);
    loadConstant(cUnit, r0, (int) (cUnit->method->insns + offset));
    /* the load in question: r0 holds the Dalvik pc, not an Object pointer */
    loadWordDisp(cUnit, r0, offsetof(Object, clazz), r3);
    loadWordDisp(cUnit, rGLUE, offsetof(InterpState,
                 jitToInterpEntries.dvmJitToInterpPunt), r1);
    opReg(cUnit, kOpBlx, r1);
}

Bill Buzbee

Nov 3, 2010, 1:23:39 PM
to android-platform
It's a real bug - nice catch. The line "loadWordDisp(cUnit, r0,
offsetof(Object, clazz), r3);" should not be there. It appears to be
the result of a bad merge during a round of code re-organization. The
fix is to delete that line of code.

The situation that caused this failure to show up is pretty rare - we
seldom execute a punt to interpreter, and even then if we do you'll
only get a seg fault half the time (if the Dalvik PC happened to be on
a 2-byte boundary).

Thanks for tracking this one down,
...Bill Buzbee
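To make the "half the time" concrete, here is an added C model of the alignment arithmetic behind the stray load; it is not code from this thread or from Dalvik. It assumes a strict-alignment ARM target that faults on any 32-bit ldr from a non-4-byte-aligned address, and uses a constructed 8-code-unit instruction stream in place of cUnit->method->insns.

```c
#include <stdint.h>
#include <stdio.h>

/* Dalvik code units are 16-bit (Method.insns is a const u2*), so the Dalvik
 * pc that genPuntToInterp places in r0 is only guaranteed 2-byte alignment. */
typedef uint16_t u2;

/* Address the stray "ldr r3, [r0, #0]" reads: insns + offset, with offset in
 * code units, exactly as loadConstant() computes it in genPuntToInterp. */
static uintptr_t punt_load_addr(const u2 *insns, unsigned offset)
{
    return (uintptr_t)(insns + offset);
}

/* Assumption: the target faults on any 32-bit ldr whose address is not
 * 4-byte aligned (strict-alignment ARM). Returns 1 if the load would fault. */
static int word_load_faults(uintptr_t addr)
{
    return (addr & 3u) != 0;
}

/* Count the punt sites at offsets [0, n_units) whose stray load would fault. */
static unsigned count_faulting_punts(const u2 *insns, unsigned n_units)
{
    unsigned faults = 0;
    for (unsigned off = 0; off < n_units; off++)
        if (word_load_faults(punt_load_addr(insns, off)))
            faults++;
    return faults;
}

/* Constructed stand-in for a method's instruction stream: 8 code units backed
 * by a uint32_t array so the base is 4-byte aligned, as a real DexCode is. */
static uint32_t sample_backing[4];

static const u2 *sample_insns(void)
{
    return (const u2 *)sample_backing;
}

int main(void)
{
    const u2 *insns = sample_insns();
    for (unsigned off = 0; off < 8; off++)
        printf("offset %u: 0x%lx %s\n", off,
               (unsigned long)punt_load_addr(insns, off),
               word_load_faults(punt_load_addr(insns, off)) ? "faults" : "ok");
    /* every odd code-unit offset lands on a 2-byte boundary: 4 of 8 fault */
    printf("%u of 8 punt sites fault\n", count_faulting_punts(insns, 8));
    return 0;
}
```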