189703 2018-09-18 11:02:55 -0700 CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code 2018-09-19 14:10:34 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 realdawei saam commit-queue ews-watchlist keith_miller mark.lam msaboff ryanhaddad saam tsavell webkit-bug-importer oldest_to_newest 1460651 0 realdawei 2018-09-18 11:02:55 -0700 Debug JSC has an assertion failure on the following test: typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager sample output: https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/1509/steps/jscore-test/logs/stdio ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 270 in jump offset range 270..305 typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: !(low <= m_offset && m_offset <= high) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(818) : void JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) [AssemblerType = JSC::X86Assembler] typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 1 0x102db92c9 WTFCrash typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 276 in jump offset range 276..323 typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: !(low <= m_offset && m_offset <= high) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(818) : void JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) [AssemblerType = JSC::X86Assembler] typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 2 0x102f60c2d JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 1 0x102db92c9 WTFCrash typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 3 0x102f609cf JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 2 0x102f60c2d JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 4 0x102eb1a2c JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 3 0x102f609cf JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 5 0x1030deea9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 4 0x102eb1a2c JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 6 0x102ec1890 JSC::DFG::SpeculativeJIT::compileCurrentBlock() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 5 0x1030deea9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 7 0x102ec3315 JSC::DFG::SpeculativeJIT::compile() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 6 0x102ec1890 JSC::DFG::SpeculativeJIT::compileCurrentBlock() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 8 0x103a1be57 JSC::DFG::JITCompiler::compileBody() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 7 0x102ec3315 JSC::DFG::SpeculativeJIT::compile() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 9 0x103a207a5 JSC::DFG::JITCompiler::compileFunction() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 8 0x103a1be57 JSC::DFG::JITCompiler::compileBody() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 10 0x103b5225a JSC::DFG::Plan::compileInThreadImpl() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 9 0x103a207a5 JSC::DFG::JITCompiler::compileFunction() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 11 0x103b4f852 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 10 0x103b5225a JSC::DFG::Plan::compileInThreadImpl() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 12 0x103c05436 JSC::DFG::Worklist::ThreadBody::work() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 11 0x103b4f852 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 13 0x102dcee9f WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 12 0x103c05436 JSC::DFG::Worklist::ThreadBody::work() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 14 0x102dcea89 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 13 0x102dcee9f WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 15 0x102de052d WTF::Function<void ()>::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 14 0x102dcea89 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 16 0x102e6a9b3 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 15 0x102de052d WTF::Function<void ()>::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 17 0x102e709b5 WTF::wtfThreadEntryPoint(void*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 16 0x102e6a9b3 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 18 0x7fff6eb48661 _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 17 0x102e709b5 WTF::wtfThreadEntryPoint(void*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 19 0x7fff6eb4850d _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 18 0x7fff6eb48661 _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 20 0x7fff6eb47bf9 thread_start typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 19 0x7fff6eb4850d _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 20 0x7fff6eb47bf9 thread_start typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: test_script_44127: line 2: 80592 Segmentation fault: 11 ( "$@" ../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useIntlPluralRules\=true --useTypeProfiler\=true --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true type-profiler-gc.js ) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: ERROR: Unexpected exit code: 139 1460703 1 ryanhaddad 2018-09-18 13:29:37 -0700 This is the regression range according to the bot history: https://trac.webkit.org/log/webkit/?action=stop_on_copy&mode=stop_on_copy&rev=236096&stop_rev=236077&limit=100&verbose=on This was the only JSC change: https://trac.webkit.org/changeset/236089/webkit 1460708 2 saam 2018-09-18 13:33:11 -0700 Will fix. This is a preexisting bug. 1461065 3 saam 2018-09-19 12:03:59 -0700 Sorry was busy with a different bug, will look into this now. 1461069 4 350140 saam 2018-09-19 12:16:05 -0700 Created attachment 350140 patch 1461102 5 350140 mark.lam 2018-09-19 13:30:17 -0700 Comment on attachment 350140 patch r=me 1461120 6 350140 commit-queue 2018-09-19 14:09:22 -0700 Comment on attachment 350140 patch Clearing flags on attachment: 350140 Committed r236224: <https://trac.webkit.org/changeset/236224> 1461121 7 commit-queue 2018-09-19 14:09:24 -0700 All reviewed patches have been landed. Closing bug. 1461124 8 webkit-bug-importer 2018-09-19 14:10:34 -0700 <rdar://problem/44615988> 350140 2018-09-19 12:16:05 -0700 2018-09-19 14:09:22 -0700 patch c-backup.diff text/plain 1796 saam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjM2MjEzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE4LTA5LTE5ICBTYWFtIGJhcmF0aSAgPHNiYXJhdGlAYXBwbGUuY29tPgorCisgICAgICAg IENoZWNrU3RydWN0dXJlT3JFbXB0eSBzaG91bGQgcGFzcyBpbiBhIHRlbXBHUFIgdG8gZW1pdFN0 cnVjdHVyZUNoZWNrIHNpbmNlIGl0IG1heSBqdW1wIG92ZXIgdGhhdCBjb2RlCisgICAgICAgIGh0 dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODk3MDMKKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGlzIGZpeGVzIGEgY3Jhc2gg dGhhdCBhIFR5cGVQcm9maWxlciBjaGFuZ2UgcmV2ZWFsZWQuCisKKyAgICAgICAgKiBkZmcvREZH U3BlY3VsYXRpdmVKSVQ2NC5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3BlY3VsYXRpdmVKSVQ6 OmNvbXBpbGUpOgorCiAyMDE4LTA5LTE4ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4K IAogICAgICAgICBFbnN1cmUgdGhhdCBGb3JJbkNvbnRleHRzIGFyZSBpbnZhbGlkYXRlZCBpZiB0 aGVpciBsb29wIGxvY2FsIGlzIG92ZXItd3JpdHRlbi4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQ2NC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0ph dmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDY0LmNwcAkocmV2aXNpb24gMjM2MjEz KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDY0LmNwcAko d29ya2luZyBjb3B5KQpAQCAtMzU1MiwxMSArMzU1MiwxOSBAQCB2b2lkIFNwZWN1bGF0aXZlSklU Ojpjb21waWxlKE5vZGUqIG5vZGUpCiAgICAgY2FzZSBDaGVja1N0cnVjdHVyZU9yRW1wdHk6IHsK ICAgICAgICAgU3BlY3VsYXRlQ2VsbE9wZXJhbmQgY2VsbCh0aGlzLCBub2RlLT5jaGlsZDEoKSk7 CiAgICAgICAgIEdQUlJlZyBjZWxsR1BSID0gY2VsbC5ncHIoKTsKKworICAgICAgICBHUFJSZWcg dGVtcEdQUiA9IEludmFsaWRHUFJSZWc7CisgICAgICAgIHN0ZDo6b3B0aW9uYWw8R1BSVGVtcG9y YXJ5PiB0ZW1wOworICAgICAgICBpZiAobm9kZS0+c3RydWN0dXJlU2V0KCkuc2l6ZSgpID4gMSkg eworICAgICAgICAgICAgdGVtcC5lbXBsYWNlKHRoaXMpOworICAgICAgICAgICAgdGVtcEdQUiA9 IHRlbXAtPmdwcigpOworICAgICAgICB9CisKICAgICAgICAgTWFjcm9Bc3NlbWJsZXI6Okp1bXAg aXNFbXB0eTsKICAgICAgICAgaWYgKG1faW50ZXJwcmV0ZXIuZm9yTm9kZShub2RlLT5jaGlsZDEo KSkubV90eXBlICYgU3BlY0VtcHR5KQogICAgICAgICAgICAgaXNFbXB0eSA9IG1faml0LmJyYW5j aElmRW1wdHkoY2VsbEdQUik7CiAKLSAgICAgICAgZW1pdFN0cnVjdHVyZUNoZWNrKG5vZGUsIGNl bGxHUFIsIEludmFsaWRHUFJSZWcpOworICAgICAgICBlbWl0U3RydWN0dXJlQ2hlY2sobm9kZSwg Y2VsbEdQUiwgdGVtcEdQUik7CiAKICAgICAgICAgaWYgKGlzRW1wdHkuaXNTZXQoKSkKICAgICAg ICAgICAgIGlzRW1wdHkubGluaygmbV9qaXQpOwo=