119456 2013-08-02 13:17:40 -0700 DFG validation can cause assertion failures due to dumping 2013-08-02 14:49:45 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 mhahnenberg mhahnenberg fpizlo ggaren oldest_to_newest 914247 0 mhahnenberg 2013-08-02 13:17:40 -0700 Looks like we're encountering a CodeBlock that hasn't generated a hash() on the main thread, and the compilation thread asserts when trying to dump it. 914249 1 mhahnenberg 2013-08-02 13:18:02 -0700 * thread #7: tid = 0x23eab1, 0x000000010068257a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:339, name = 'JSC Compilation Thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x000000010068257a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:339 frame #1: 0x00000001001b0308 JavaScriptCore`JSC::CodeBlock::hash(this=0x000000010c2449b0) const + 104 at CodeBlock.cpp:89 frame #2: 0x00000001001b0532 JavaScriptCore`JSC::CodeBlock::dumpAssumingJITType(this=0x000000010c2449b0, out=0x00000001008493a0, jitType=DFGJIT) const + 66 at CodeBlock.cpp:120 frame #3: 0x0000000100260ee6 JavaScriptCore`JSC::CodeBlockWithJITType::dump(this=0x0000000113960138, out=0x00000001008493a0) const + 38 at CodeBlockWithJITType.h:46 frame #4: 0x0000000100260ead JavaScriptCore`void WTF::printInternal<JSC::CodeBlockWithJITType>(out=0x00000001008493a0, value=0x0000000113960138) + 29 at PrintStream.h:273 frame #5: 0x0000000100260e1d JavaScriptCore`void WTF::PrintStream::print<JSC::CodeBlockWithJITType>(this=0x00000001008493a0, value=0x0000000113960138) + 29 at PrintStream.h:58 frame #6: 0x00000001002d9bd9 JavaScriptCore`void WTF::PrintStream::print<char [9], JSC::CodeBlockWithJITType, char [3]>(this=0x00000001008493a0, value1=0x000000010073ca57, value2=0x0000000113960138, value3=0x000000010072ffb0) [9], JSC::CodeBlockWithJITType const&, char const (&) [3]) + 57 at PrintStream.h:72 frame #7: 0x00000001002d3e6d JavaScriptCore`void WTF::dataLog<char [9], JSC::CodeBlockWithJITType, char [3]>(value1=0x000000010073ca57, value2=0x0000000113960138, value3=0x000000010072ffb0) [9], JSC::CodeBlockWithJITType const&, char const (&) [3]) + 45 at DataLog.h:58 frame #8: 0x00000001002d0fd0 JavaScriptCore`JSC::DFG::Graph::dump(this=0x0000000113960968, out=0x00000001008493a0, context=0x0000000113960148) + 128 at DFGGraph.cpp:364 frame #9: 0x00000001003ac7d8 JavaScriptCore`JSC::DFG::Validate::dumpGraphIfAppropriate(this=0x0000000113960460) + 88 at DFGGraph.h:160 frame #10: 0x00000001003ac0e0 JavaScriptCore`JSC::DFG::Validate::validate(this=0x0000000113960460) + 4096 at DFGValidate.cpp:167 frame #11: 0x00000001003ab09b JavaScriptCore`JSC::DFG::validate(graph=0x0000000113960968, graphDumpMode=DumpGraph) + 43 at DFGValidate.cpp:477 frame #12: 0x000000010031e83e JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x000000010c244e30, longLivedState=0x0000000113960e00) + 574 at DFGPlan.cpp:180 frame #13: 0x000000010031e426 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x000000010c244e30, longLivedState=0x0000000113960e00) + 198 at DFGPlan.cpp:113 frame #14: 0x00000001003be24c JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x000000010c2331a0) + 412 at DFGWorklist.cpp:242 frame #15: 0x00000001003bd345 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x000000010c2331a0) + 21 at DFGWorklist.cpp:264 frame #16: 0x00000001006c8020 JavaScriptCore`WTF::threadEntryPoint(contextData=0x000000010c2333c0) + 144 at Threading.cpp:69 frame #17: 0x00000001006c89c8 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x000000010c242550) + 104 at ThreadingPthreads.cpp:195 frame #18: 0x00007fff9513f8a9 libsystem_pthread.dylib`_pthread_body + 138 frame #19: 0x00007fff9513f73a libsystem_pthread.dylib`_pthread_start + 137 frame #20: 0x00007fff95143fd9 libsystem_pthread.dylib`thread_start + 13 914250 2 fpizlo 2013-08-02 13:23:27 -0700 Boooo! I think that we should have dumpAssumingJITType() just avoid dumping the hash() if it hasn't been computed and we're in the JIT thread. 914255 3 208041 mhahnenberg 2013-08-02 13:36:17 -0700 Created attachment 208041 Patch 914268 4 208041 ggaren 2013-08-02 14:08:20 -0700 Comment on attachment 208041 Patch r=me Should we pre-compute the has on the mutator thread, when producing our DFG plan, to make dumping work a little better? 914269 5 ggaren 2013-08-02 14:08:26 -0700 *hash 914284 6 fpizlo 2013-08-02 14:34:07 -0700 (In reply to comment #4) > (From update of attachment 208041 [details]) > r=me > > Should we pre-compute the has on the mutator thread, when producing our DFG plan, to make dumping work a little better? It's expensive! I tried that once and it was a slight regression, I think. Might be worth trying again, though. 914289 7 mhahnenberg 2013-08-02 14:49:45 -0700 Committed r153671: <http://trac.webkit.org/changeset/153671> 208041 2013-08-02 13:36:17 -0700 2013-08-02 14:08:19 -0700 Patch bug-119456-20130802134024.patch text/plain 3107 mhahnenberg SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTUzNjY1KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBA CisyMDEzLTA4LTAyICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisK KyAgICAgICAgREZHIHZhbGlkYXRpb24gY2FuIGNhdXNlIGFzc2VydGlvbiBmYWlsdXJlcyBkdWUg dG8gZHVtcGluZworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9MTE5NDU2CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAg ICAgKiBieXRlY29kZS9Db2RlQmxvY2suY3BwOgorICAgICAgICAoSlNDOjpDb2RlQmxvY2s6Omhh c0hhc2gpOgorICAgICAgICAoSlNDOjpDb2RlQmxvY2s6OmlzU2FmZVRvQ29tcHV0ZUhhc2gpOgor ICAgICAgICAoSlNDOjpDb2RlQmxvY2s6Omhhc2gpOgorICAgICAgICAoSlNDOjpDb2RlQmxvY2s6 OmR1bXBBc3N1bWluZ0pJVFR5cGUpOgorICAgICAgICAqIGJ5dGVjb2RlL0NvZGVCbG9jay5oOgor CiAyMDEzLTA4LTAyICBKdWxpZW4gQnJpYW5jZWF1ICA8amJyaWFuY2VhdUBuZHMuY29tPgogCiAg ICAgICAgIFJFR1JFU1NJT04oRlRMKTogRml4IG1pcHMgaW1wbGVtZW50YXRpb24gb2YgY3RpVk1U aHJvd1RyYW1wb2xpbmVTbG93cGF0aC4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRl Y29kZS9Db2RlQmxvY2suY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9i eXRlY29kZS9Db2RlQmxvY2suY3BwCShyZXZpc2lvbiAxNTM2MTIpCisrKyBTb3VyY2UvSmF2YVNj cmlwdENvcmUvYnl0ZWNvZGUvQ29kZUJsb2NrLmNwcAkod29ya2luZyBjb3B5KQpAQCAtODMsMTAg KzgzLDIwIEBAIENTdHJpbmcgQ29kZUJsb2NrOjppbmZlcnJlZE5hbWUoKSBjb25zdAogICAgIH0K IH0KIAorYm9vbCBDb2RlQmxvY2s6Omhhc0hhc2goKSBjb25zdAoreworICAgIHJldHVybiAhIW1f aGFzaDsKK30KKworYm9vbCBDb2RlQmxvY2s6OmlzU2FmZVRvQ29tcHV0ZUhhc2goKSBjb25zdAor eworICAgIHJldHVybiAhaXNDb21waWxhdGlvblRocmVhZCgpOworfQorCiBDb2RlQmxvY2tIYXNo IENvZGVCbG9jazo6aGFzaCgpIGNvbnN0CiB7CiAgICAgaWYgKCFtX2hhc2gpIHsKLSAgICAgICAg UkVMRUFTRV9BU1NFUlQoIWlzQ29tcGlsYXRpb25UaHJlYWQoKSk7CisgICAgICAgIFJFTEVBU0Vf QVNTRVJUKGlzU2FmZVRvQ29tcHV0ZUhhc2goKSk7CiAgICAgICAgIG1faGFzaCA9IENvZGVCbG9j a0hhc2gob3duZXJFeGVjdXRhYmxlKCktPnNvdXJjZSgpLCBzcGVjaWFsaXphdGlvbktpbmQoKSk7 CiAgICAgfQogICAgIHJldHVybiBtX2hhc2g7CkBAIC0xMTcsNyArMTI3LDExIEBAIENTdHJpbmcg Q29kZUJsb2NrOjpzb3VyY2VDb2RlT25PbmVMaW5lKCkKIAogdm9pZCBDb2RlQmxvY2s6OmR1bXBB c3N1bWluZ0pJVFR5cGUoUHJpbnRTdHJlYW0mIG91dCwgSklUQ29kZTo6SklUVHlwZSBqaXRUeXBl KSBjb25zdAogewotICAgIG91dC5wcmludChpbmZlcnJlZE5hbWUoKSwgIiMiLCBoYXNoKCksICI6 WyIsIFJhd1BvaW50ZXIodGhpcyksICItPiIsIFJhd1BvaW50ZXIob3duZXJFeGVjdXRhYmxlKCkp LCAiLCAiLCBqaXRUeXBlLCBjb2RlVHlwZSgpKTsKKyAgICBpZiAoaGFzSGFzaCgpIHx8IGlzU2Fm ZVRvQ29tcHV0ZUhhc2goKSkKKyAgICAgICAgb3V0LnByaW50KGluZmVycmVkTmFtZSgpLCAiIyIs IGhhc2goKSwgIjpbIiwgUmF3UG9pbnRlcih0aGlzKSwgIi0+IiwgUmF3UG9pbnRlcihvd25lckV4 ZWN1dGFibGUoKSksICIsICIsIGppdFR5cGUsIGNvZGVUeXBlKCkpOworICAgIGVsc2UKKyAgICAg ICAgb3V0LnByaW50KGluZmVycmVkTmFtZSgpLCAiIzxuby1oYXNoPjpbIiwgUmF3UG9pbnRlcih0 aGlzKSwgIi0+IiwgUmF3UG9pbnRlcihvd25lckV4ZWN1dGFibGUoKSksICIsICIsIGppdFR5cGUs IGNvZGVUeXBlKCkpOworCiAgICAgaWYgKGNvZGVUeXBlKCkgPT0gRnVuY3Rpb25Db2RlKQogICAg ICAgICBvdXQucHJpbnQoc3BlY2lhbGl6YXRpb25LaW5kKCkpOwogICAgIGlmICh0aGlzLT5qaXRU eXBlKCkgPT0gSklUQ29kZTo6QmFzZWxpbmVKSVQgJiYgbV9zaG91bGRBbHdheXNCZUlubGluZWQp CkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvQ29kZUJsb2NrLmgKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2J5dGVjb2RlL0NvZGVCbG9jay5oCShyZXZp c2lvbiAxNTM2MTIpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvQ29kZUJsb2Nr LmgJKHdvcmtpbmcgY29weSkKQEAgLTExMSw2ICsxMTEsOCBAQCBwdWJsaWM6CiAKICAgICBDU3Ry aW5nIGluZmVycmVkTmFtZSgpIGNvbnN0OwogICAgIENvZGVCbG9ja0hhc2ggaGFzaCgpIGNvbnN0 OworICAgIGJvb2wgaGFzSGFzaCgpIGNvbnN0OworICAgIGJvb2wgaXNTYWZlVG9Db21wdXRlSGFz aCgpIGNvbnN0OwogICAgIENTdHJpbmcgc291cmNlQ29kZUZvclRvb2xzKCkgY29uc3Q7IC8vIE5v dCBxdWl0ZSB0aGUgYWN0dWFsIHNvdXJjZSB3ZSBwYXJzZWQ7IHRoaXMgd2lsbCBkbyB0aGluZ3Mg bGlrZSBwcmVmaXggdGhlIHNvdXJjZSBmb3IgYSBmdW5jdGlvbiB3aXRoIGEgcmVpZmllZCBzaWdu YXR1cmUuCiAgICAgQ1N0cmluZyBzb3VyY2VDb2RlT25PbmVMaW5lKCkgY29uc3Q7IC8vIEFzIHNv dXJjZUNvZGVGb3JUb29scygpLCBidXQgcmVwbGFjZXMgYWxsIHdoaXRlc3BhY2UgcnVucyB3aXRo IGEgc2luZ2xlIHNwYWNlLgogICAgIHZvaWQgZHVtcEFzc3VtaW5nSklUVHlwZShQcmludFN0cmVh bSYsIEpJVENvZGU6OkpJVFR5cGUpIGNvbnN0Owo=