152756 2016-01-05 13:28:52 -0800 stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler 2016-01-05 15:37:16 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build All All RESOLVED FIXED P2 Normal --- 150279 1 fpizlo fpizlo commit-queue keith_miller mark.lam msaboff saam oldest_to_newest 1152868 0 fpizlo 2016-01-05 13:28:52 -0800 Here's what I see: stress/v8-crypto-strict.js.ftl-eager-no-cjit: 1 0x10bba0d31 WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 2 0x10b86b9b1 JSC::B3::PatchpointSpecial::generate(JSC::B3::Air::Inst&, JSC::CCallHelpers&, JSC::B3::Air::GenerationContext&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 3 0x10b7dbbcd JSC::B3::Air::generate(JSC::B3::Air::Code&, JSC::CCallHelpers&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 4 0x10bd255f4 JSC::FTL::compile(JSC::FTL::State&, JSC::DFG::Safepoint::Result&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 5 0x10ba7317f JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 6 0x10ba725e5 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 7 0x10b9ccff5 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 8 0x10ba4c832 JSC::DFG::triggerFTLReplacementCompile(JSC::VM*, JSC::CodeBlock*, JSC::DFG::JITCode*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 9 0x10ba4bfc9 JSC::DFG::triggerTierUpNowCommon(JSC::ExecState*, bool) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 10 0x31fb2ee4d060 stress/v8-crypto-strict.js.ftl-eager-no-cjit: 11 0x31fb2ee4c200 stress/v8-crypto-strict.js.ftl-eager-no-cjit: 12 0x31fb2ee44594 stress/v8-crypto-strict.js.ftl-eager-no-cjit: 13 0x10bdfa34c llint_entry stress/v8-crypto-strict.js.ftl-eager-no-cjit: 14 0x10bdfa34c llint_entry stress/v8-crypto-strict.js.ftl-eager-no-cjit: 15 0x31fb2ee1bc0b stress/v8-crypto-strict.js.ftl-eager-no-cjit: 16 0x10bdf44dc vmEntryToJavaScript stress/v8-crypto-strict.js.ftl-eager-no-cjit: 17 0x10bc8717e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 18 0x10bc5731b JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 19 0x10b9153f5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 20 0x10b777df3 jscmain(int, char**) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 21 0x10b7773aa main stress/v8-crypto-strict.js.ftl-eager-no-cjit: 22 0x7fff864bb5c9 start stress/v8-crypto-strict.js.ftl-eager-no-cjit: 23 0x11 stress/v8-crypto-strict.js.ftl-eager-no-cjit: test_script_19251: line 2: 4739 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateGraph\=true --useFTLJIT\=true --ftlCrashesIfCantInitializeLLVM\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 v8-crypto-strict.js ) stress/v8-crypto-strict.js.ftl-eager-no-cjit: ERROR: Unexpected exit code: 139 And the lldb backtrace is: * frame #0: 0x000000010087802e JavaScriptCore`WTFCrash + 62 at Assertions.cpp:321 frame #1: 0x000000010014c1e2 JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::VectorBufferBase<JSC::CachedRecovery*>::allocateBuffer(newCapacity=<unavailable>) + 1074 at Vector.h:266 frame #2: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::VectorBuffer<JSC::CachedRecovery*, 0ul>::VectorBuffer(capacity=<unavailable>, size=<unavailable>) at Vector.h:372 frame #3: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::Vector<JSC::CachedRecovery*, 0ul, WTF::CrashOnOverflow, 16ul>::Vector(size=<unavailable>) at Vector.h:615 frame #4: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::Bag<JSC::CachedRecovery>::Bag(size=<unavailable>) at Vector.h:620 frame #5: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(this=<unavailable>, jit=<unavailable>, data=<unavailable>) + 1069 at CallFrameShuffler.cpp:47 frame #6: 0x000000010042bd31 JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) [inlined] JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall(jit=0x00007fff5fbfd050)::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)::operator()(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) const + 615 at FTLLowerDFGToLLVM.cpp:5144 frame #7: 0x000000010042baca JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(this=0x0000000104dde5f0, arguments=0x00007fff5fbfd050, arguments=<unavailable>) + 26 at SharedTask.h:90 frame #8: 0x00000001000f69b1 JavaScriptCore`JSC::B3::PatchpointSpecial::generate(this=<unavailable>, inst=<unavailable>, jit=0x00007fff5fbfd050, context=<unavailable>) + 817 at B3PatchpointSpecial.cpp:143 frame #9: 0x0000000100066bcd JavaScriptCore`JSC::B3::Air::generate(code=0x0000000104dda880, jit=0x00007fff5fbfd050) + 813 at AirGenerate.cpp:147 frame #10: 0x00000001005b05f4 JavaScriptCore`JSC::FTL::compile(state=0x00007fff5fbfd120, safepointResult=<unavailable>) + 1444 at FTLB3Compile.cpp:113 frame #11: 0x00000001002fe17f JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=<unavailable>, longLivedState=<unavailable>) + 2175 at DFGPlan.cpp:487 frame #12: 0x00000001002fd5e5 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x0000000104b76000, longLivedState=0x00000001019eba00, threadData=<unavailable>) + 565 at DFGPlan.cpp:186 frame #13: 0x0000000100257ff5 JavaScriptCore`JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) [inlined] WTF::PassRefPtr<JSC::DeferredCompilationCallback>::PassRefPtr<JSC::DeferredCompilationCallback>(profiledDFGCodeBlock=0x00000001018f4a00, osrEntryBytecodeIndex=<unavailable>, mustHandleValues=<unavailable>) + 1050 at DFGDriver.cpp:102 frame #14: 0x0000000100257bdb JavaScriptCore`JSC::DFG::compile(vm=0x0000000101801000, codeBlock=0x00000001018f4400, profiledDFGCodeBlock=0x00000001018f4a00, mode=<unavailable>, osrEntryBytecodeIndex=<unavailable>, mustHandleValues=<unavailable>, passedCallback=PassRefPtr<JSC::DeferredCompilationCallback> at 0x00007fff5fbfdb30) + 43 at DFGDriver.cpp:120 frame #15: 0x00000001002d7832 JavaScriptCore`JSC::DFG::triggerFTLReplacementCompile(vm=0x0000000101801000, codeBlock=0x00000001018f4a00, jitCode=<unavailable>) + 546 at DFGOperations.cpp:1468 frame #16: 0x00000001002d6fc9 JavaScriptCore`JSC::DFG::triggerTierUpNowCommon(exec=<unavailable>, inLoop=<unavailable>) + 281 at DFGOperations.cpp:1495 frame #17: 0x000045458204d060 frame #18: 0x000045458204c1ff frame #19: 0x0000454582044594 frame #20: 0x000000010068534c JavaScriptCore`llint_entry + 23693 frame #21: 0x000000010068534c JavaScriptCore`llint_entry + 23693 frame #22: 0x000045458201bc08 frame #23: 0x000000010067f4dc JavaScriptCore`vmEntryToJavaScript + 299 frame #24: 0x000000010051217e JavaScriptCore`JSC::JITCode::execute(this=<unavailable>, vm=0xffff000000000000, protoCallFrame=0x00007fff5fbfe0e0) + 158 at JITCode.cpp:80 frame #25: 0x00000001004e231b JavaScriptCore`JSC::Interpreter::execute(this=<unavailable>, program=0x00000001018d3388, callFrame=0x0000000101843740, thisObj=<unavailable>) + 11339 at Interpreter.cpp:973 frame #26: 0x00000001001a03f5 JavaScriptCore`JSC::evaluate(exec=0x0000000101843740, source=<unavailable>, thisValue=JSValue at 0x00007fff5fbff370, returnedException=0x00007fff5fbff4c0) + 469 at Completion.cpp:105 frame #27: 0x0000000100002df3 jsc`jscmain(int, char**) [inlined] runWithScripts(globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700) + 1906 at jsc.cpp:1774 frame #28: 0x0000000100002681 jsc`jscmain(argc=<unavailable>, argv=<unavailable>) + 529 at jsc.cpp:2000 frame #29: 0x00000001000023aa jsc`main(argc=17, argv=0x00007fff5fbff6f0) + 154 at jsc.cpp:1699 frame #30: 0x00007fff864bb5c9 libdyld.dylib`start + 1 1152903 1 268327 fpizlo 2016-01-05 15:02:01 -0800 Created attachment 268327 the patch 1152908 2 268327 saam 2016-01-05 15:02:58 -0800 Comment on attachment 268327 the patch r=me 1152923 3 fpizlo 2016-01-05 15:37:16 -0800 Landed in http://trac.webkit.org/changeset/194614 268327 2016-01-05 15:02:01 -0800 2016-01-05 15:02:58 -0800 the patch blah.patch text/plain 1863 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTk0NjEyKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDE2LTAxLTA1ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg c3RyZXNzL3Y4LWNyeXB0by1zdHJpY3QuanMuZnRsLWVhZ2VyLW5vLWNqaXQgaW4gRlRMIEIzIGZh aWxzIHdpdGggYW4gYXNzZXJ0aW9uIGluIHRoZSBjYWxsZnJhbWUgc2h1ZmZsZXIKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1Mjc1NgorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRoaXMgZml4ZXMgYSByZWFs bHkgb2J2aW91cyBhbmQgZHVtYiB0YWlsIGNhbGwgYnVnIGluIEZUTCBCMy4gSSB0aGluayB0aGF0 IHRhaWwgY2FsbHMgd29yaworICAgICAgICBmb3IgcmVhbCBub3cuIEkgaGF2ZSBubyBpZGVhIHdo eSBJIGdvdCBhbnkgdGFpbCBjYWxsIHRlc3RzIHRvIHBhc3MgYmVmb3JlIHRoaXMgZml4LgorCisg ICAgICAgICogZnRsL0ZUTExvd2VyREZHVG9MTFZNLmNwcDoKKyAgICAgICAgKEpTQzo6RlRMOjpE Rkc6Okxvd2VyREZHVG9MTFZNOjpjb21waWxlVGFpbENhbGwpOgorCiAyMDE2LTAxLTA1ICBLZWl0 aCBNaWxsZXIgIDxrZWl0aF9taWxsZXJAYXBwbGUuY29tPgogCiAgICAgICAgIFtFUzZdIEFycmF5 cyBzaG91bGQgYmUgc3ViY2xhc3NhYmxlLgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2Z0 bC9GVExMb3dlckRGR1RvTExWTS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRD b3JlL2Z0bC9GVExMb3dlckRGR1RvTExWTS5jcHAJKHJldmlzaW9uIDE5NDYwNCkKKysrIFNvdXJj ZS9KYXZhU2NyaXB0Q29yZS9mdGwvRlRMTG93ZXJERkdUb0xMVk0uY3BwCSh3b3JraW5nIGNvcHkp CkBAIC01MTMxLDYgKzUxMzEsNyBAQCBwcml2YXRlOgogICAgICAgICAvLyBhbnl3YXkuCiAKICAg ICAgICAgQ29kZU9yaWdpbiBjb2RlT3JpZ2luID0gY29kZU9yaWdpbkRlc2NyaXB0aW9uT2ZDYWxs U2l0ZSgpOworICAgICAgICBTdGF0ZSogc3RhdGUgPSAmbV9mdGxTdGF0ZTsKICAgICAgICAgcGF0 Y2hwb2ludC0+c2V0R2VuZXJhdG9yKAogICAgICAgICAgICAgWz1dIChDQ2FsbEhlbHBlcnMmIGpp dCwgY29uc3QgU3RhY2ttYXBHZW5lcmF0aW9uUGFyYW1zJiBwYXJhbXMpIHsKICAgICAgICAgICAg ICAgICBBbGxvd01hY3JvU2NyYXRjaFJlZ2lzdGVyVXNhZ2UgYWxsb3dTY3JhdGNoKGppdCk7CkBA IC01MTM5LDYgKzUxNDAsNyBAQCBwcml2YXRlOgogICAgICAgICAgICAgICAgIC8vIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNTE2ODYKIAogICAgICAgICAgICAgICAg IENhbGxGcmFtZVNodWZmbGVEYXRhIHNodWZmbGVEYXRhOworICAgICAgICAgICAgICAgIHNodWZm bGVEYXRhLm51bUxvY2FscyA9IHN0YXRlLT5qaXRDb2RlLT5jb21tb24uZnJhbWVSZWdpc3RlckNv dW50OwogICAgICAgICAgICAgICAgIHNodWZmbGVEYXRhLmNhbGxlZSA9IFZhbHVlUmVjb3Zlcnk6 OmluR1BSKEdQUkluZm86OnJlZ1QwLCBEYXRhRm9ybWF0SlMpOwogCiAgICAgICAgICAgICAgICAg Zm9yICh1bnNpZ25lZCBpID0gMDsgaSA8IG51bUFyZ3M7ICsraSkK