Run poppler.js failed by mips64el.debug

luy...@qq.com

Aug 19, 2020, 3:16:32 AM8/19/20
to v8-dev
v8 version: 8.6.0.0
I ran the test:
```
out/mips64el.debug/d8 --test test/mjsunit/mjsunit.js test/mjsunit/asm/poppler/poppler.js --random-seed=-1351191255 --nohard-abort --enable-slow-asserts --verify-heap --testing-d8-test-runner
```

Error log:
==== C stack trace ===============================

[end of stack trace]
Segmentation fault (core dumped)

Zhi An Ng

Aug 19, 2020, 1:35:32 PM8/19/20
to v8-...@googlegroups.com, 赵家众
+赵家众 for mips help

--
Best,
Zhi An

zhaojia...@loongson.cn

Aug 24, 2020, 11:02:02 PM8/24/20
to v8-dev
Sorry for the late reply. I reproduced this bug, but may need some time to figure out the reason.
Error log:

```
#
# Fatal error in ../../src/objects/heap-object.h, line 220
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (IsHeapObject()).
#
#
#
#FailureMessage Object: 0xfffbd19940
==== C stack trace ===============================

    /home/loongson/workspace/v8/out/mips64el.debug/libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x44) [0xfff2a2eebc]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8_libplatform.so(+0x6ff70) [0xfff2953f70]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x14c) [0xfff2a0437c]
    ./out/mips64el.debug/d8(v8::internal::HeapObject::HeapObject(unsigned long)+0xe8) [0xaaab1f4308]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::JSReceiver::JSReceiver(unsigned long)+0x4c) [0xfff4d59d74]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::TorqueGeneratedJSObject<v8::internal::JSObject, v8::internal::JSReceiver>::TorqueGeneratedJSObject(unsigned long)+0x4c) [0xfff4d4d5bc]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::JSObject::JSObject(unsigned long)+0x40) [0xfff4d4d550]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::WasmInstanceObject::WasmInstanceObject(unsigned long)+0x4c) [0xfff526a7c4]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::WasmInstanceObject::cast(v8::internal::Object)+0x58) [0xfff535ee68]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::WasmCompileLazyFrame::wasm_instance() const+0x74) [0xfff53e31f4]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(+0x39992b8) [0xfff63f52b8]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(v8::internal::Runtime_WasmCompileLazy(int, unsigned long*, v8::internal::Isolate*)+0x1ec) [0xfff63f4b94]
    /home/loongson/workspace/v8/out/mips64el.debug/libv8.so(+0x1ce9844) [0xfff4745844]
Received signal 6
[1]    24375 abort      ./out/mips64el.debug/d8 --test test/mjsunit/mjsunit.js   --nohard-abort 
```

yuyin QQ

Aug 27, 2020, 6:07:19 AM8/27/20
to v8-dev
Thank you for the bug report, will submit a patch soon.

See https://source.chromium.org/chromium/chromium/src/+/master:v8/src/builtins/mips64/builtins-mips64.cc;l=2512
The frame will be:

```
low
   kWasmCompileLazyFuncIndexRegister
   wasm_instance     // a0   TYPED_FRAME_PUSHED_VALUE_OFFSET(14)
   f2
   f4
   ...
   f14
   a0     // TYPED_FRAME_PUSHED_VALUE_OFFSET(6)
   ...
   a6
   a7
   frame type
   fp
   ra
high
```

So the kWasmInstanceOffset is TYPED_FRAME_PUSHED_VALUE_OFFSET(6) or TYPED_FRAME_PUSHED_VALUE_OFFSET(14), NOT TYPED_FRAME_PUSHED_VALUE_OFFSET(7).

x64 is TYPED_FRAME_PUSHED_VALUE_OFFSET(0), because wasm_instance == rsi.
arm64 is TYPED_FRAME_PUSHED_VALUE_OFFSET(1) because there is a padding push:

yuyin QQ

Aug 27, 2020, 6:15:22 AM8/27/20
to v8-dev
This test failed because it is loading a wasm instance object from a wrong address.
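
As an added example (not code from the thread or from V8), here is a C model of the frame layout listed in the earlier reply: it assumes V8's definition of TYPED_FRAME_PUSHED_VALUE_OFFSET (the first pushed value sits directly below the frame-type marker, one pointer-sized slot per index) and V8's HeapObject tag (low bit set), and fills the slots with constructed register values. It shows that index 7 lands on the f14 slot, so the word loaded there is a raw double that fails the IsHeapObject check seen in the log, while indices 6 and 14 both yield the tagged instance pointer.

```c
#include <stdint.h>
#include <string.h>

/* Constructed C model of the mips64 WasmCompileLazy typed frame listed above.
 * Assumption (V8 frame-constants.h): the frame-type marker is at [fp-8] and
 * pushed value x lies x pointer-sized slots below the first one at [fp-16]. */
#define kSystemPointerSize 8
#define TYPED_FRAME_PUSHED_VALUE_OFFSET(x) \
  (-2 * kSystemPointerSize - (x) * kSystemPointerSize)
/* Assumption (V8 pointer tagging): a HeapObject pointer has its low bit set. */
#define kHeapObjectTag 1u
#define INSTANCE_PTR 0x00005555deadb001ull /* constructed tagged instance ptr */
#define NUM_PUSHED 16 /* 7 GP regs + 7 FP regs + wasm_instance + func index */

static uint64_t stack_mem[NUM_PUSHED + 4];

/* Fill the frame in the push order the thread lists (high address first) and
 * return fp. Pushed value i ends up at fp[-2 - i]. */
static uint64_t *build_frame(void) {
  uint64_t *fp = stack_mem + NUM_PUSHED + 2, *slot0 = fp - 2, dbits;
  double param = 1.5; /* constructed FP argument */
  memcpy(&dbits, &param, sizeof dbits);
  fp[1] = fp[0] = 0;         /* ra, saved fp: unused here */
  fp[-1] = 0x1e;             /* frame type marker (constructed value) */
  /* 0..6: GP param regs a7 .. a0; the ones the listing elides as "..." get
   * Smi-like filler, and a0 carries the instance pointer. */
  for (int i = 0; i < 6; i++) slot0[-i] = (uint64_t)(i + 1) << 1;
  slot0[-6] = INSTANCE_PTR;
  for (int i = 7; i < 14; i++) slot0[-i] = dbits; /* 7..13: f14 .. f2 bits */
  slot0[-14] = INSTANCE_PTR; /* 14: wasm_instance pushed again */
  slot0[-15] = 7u << 1;      /* 15: kWasmCompileLazyFuncIndexRegister */
  return fp;
}

/* The word WasmCompileLazyFrame::wasm_instance() reads for a given index. */
static uint64_t load_pushed_value(const uint64_t *fp, int index) {
  uint64_t v;
  memcpy(&v, (const char *)fp + TYPED_FRAME_PUSHED_VALUE_OFFSET(index), sizeof v);
  return v;
}

/* The check that fired in the log: IsHeapObject() on the loaded word. */
static int is_heap_object(uint64_t v) { return (v & kHeapObjectTag) != 0; }

/* 1 if reading pushed value `index` yields the tagged instance pointer. */
static int reads_instance(int index) {
  uint64_t v = load_pushed_value(build_frame(), index);
  return is_heap_object(v) && v == INSTANCE_PTR; /* 6, 14: yes; 7: no */
}
```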