197740 2019-05-09 09:30:17 -0700 REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory 2019-05-09 10:56:52 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=197110 InRadar P2 Normal --- 1 ryanhaddad keith_miller ews-watchlist keith_miller mark.lam msaboff saam webkit-bot-watchers-bugzilla webkit-bug-importer oldest_to_newest 1534747 0 ryanhaddad 2019-05-09 09:30:17 -0700 wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: ASSERTION FAILED: m_ptr wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: /Volumes/Data/slave/highsierra-debug/build/WebKitBuild/Debug/usr/local/include/wtf/CagedPtr.h(53) : T *WTF::CagedPtr<Gigacage::Kind::Primitive, void, true, WTF::DumbPtrTraits<void> >::get(unsigned int) const [passedKind = Gigacage::Kind::Primitive, T = void, shouldTag = true, PtrTraits = WTF::DumbPtrTraits<void>] wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 1 0x1059636c9 WTFCrash wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 2 0x1059666ab WTFCrashWithInfo(int, char const*, char const*, int) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 3 0x106ebf85e WTF::CagedPtr<(Gigacage::Kind)1, void, true, WTF::DumbPtrTraits<void> >::get(unsigned int) const wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 4 0x106ead782 JSC::JSArrayBufferView::ConstructionContext::vector() const wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 5 0x106eadbe7 JSC::JSArrayBufferView::JSArrayBufferView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 6 0x105f43920 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::JSGenericTypedArrayView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 7 0x105f436c5 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::JSGenericTypedArrayView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 8 0x105f41b42 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::create(JSC::ExecState*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::DumbPtrTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 9 0x106778d5d JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::ExecState*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 10 0x106778b0a operationNewUint8ArrayWithOneArgument wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 11 0x1572c2cae2d wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 12 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 13 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 14 0x105e6d1c3 vmEntryToJavaScript wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 15 0x106aea5ee JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 16 0x106aec524 JSC::Interpreter::executeModuleProgram(JSC::ModuleProgramExecutable*, JSC::ExecState*, JSC::JSModuleEnvironment*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 17 0x106f50caa JSC::JSModuleRecord::evaluate(JSC::ExecState*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 18 0x106d70bae JSC::AbstractModuleRecord::evaluate(JSC::ExecState*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 19 0x106f4d5f5 JSC::JSModuleLoader::evaluateNonVirtual(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 20 0x106f4d548 JSC::JSModuleLoader::evaluate(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 21 0x106f6e331 JSC::moduleLoaderEvaluate(JSC::ExecState*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 22 0x1572c25716b wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 23 0x105e802b3 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 24 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 25 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 26 0x105e802b3 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 27 0x1572c263691 wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 28 0x105e6d1c3 vmEntryToJavaScript wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 29 0x106aea5ee JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 30 0x106aeac1f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 31 0x106dbf4ac JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: test_script_51902: line 2: 38013 Segmentation fault: 11 ( "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useIntlPluralRules\=true -m --useWebAssemblyFastMemory\=false --useFTLJIT\=true test_Data.js ) https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20(Tests)/builds/2762 1534748 1 ryanhaddad 2019-05-09 09:31:54 -0700 Likely caused by "Remove Gigacage from arm64 and use PAC for arm64e instead" https://trac.webkit.org/changeset/245064/webkit 1534749 2 webkit-bug-importer 2019-05-09 09:32:06 -0700 <rdar://problem/50624630> 1534750 3 webkit-bug-importer 2019-05-09 09:32:19 -0700 <rdar://problem/50624640> 1534755 4 keith_miller 2019-05-09 09:48:06 -0700 Looking now. 1534774 5 369496 keith_miller 2019-05-09 10:35:05 -0700 Created attachment 369496 Patch 1534776 6 369496 saam 2019-05-09 10:39:58 -0700 Comment on attachment 369496 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=369496&action=review > Source/JavaScriptCore/runtime/JSArrayBufferView.h:138 > + void* vector() const { return m_vector.getMayBeNull(m_length); } Worth saying why this can be null now in changelog 1534779 7 369496 keith_miller 2019-05-09 10:52:55 -0700 Comment on attachment 369496 Patch Sure, for reference it's because you can construct a typed array with length 0. 1534781 8 keith_miller 2019-05-09 10:56:52 -0700 Committed r245145: <https://trac.webkit.org/changeset/245145> 369496 2019-05-09 10:35:05 -0700 2019-05-09 10:39:58 -0700 Patch bug-197740-20190509103503.patch text/plain 1868 keith_miller U3VidmVyc2lvbiBSZXZpc2lvbjogMjQ1MDc1CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCAw ZTg2YzU5Mjg0ODM4NTliNWFlOTI3YTlkYzg3YTk0M2JiOTE0NDZjLi5jNjU3ZDJkMGNlZWQxNGM2 NmNkYzM3NGRkMGM2NjlhMDA1ZTIyYzNmIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxMyBAQAorMjAxOS0wNS0wOSAgS2VpdGggTWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxl LmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OIChyMjQ1MDY0KTogQVNTRVJUSU9OIEZBSUxFRDog bV9wdHIgc2VlbiB3aXRoIHdhc20ueWFtbC93YXNtL2pzLWFwaS90ZXN0X0RhdGEuanMud2FzbS1z bG93LW1lbW9yeQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9MTk3NzQwCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAg ICAgKiBydW50aW1lL0pTQXJyYXlCdWZmZXJWaWV3Lmg6CisgICAgICAgIChKU0M6OkpTQXJyYXlC dWZmZXJWaWV3OjpDb25zdHJ1Y3Rpb25Db250ZXh0Ojp2ZWN0b3IgY29uc3QpOgorCiAyMDE5LTA1 LTA4ICBZdXN1a2UgU3V6dWtpICA8eXN1enVraUBhcHBsZS5jb20+CiAKICAgICAgICAgSW52YWxp ZCBERkcgSklUIGdlbmVyZWF0aW9uIGluIGhpZ2ggQ1BVIHVzYWdlIHN0YXRlCmRpZmYgLS1naXQg YS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU0FycmF5QnVmZmVyVmlldy5oIGIvU291 cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNBcnJheUJ1ZmZlclZpZXcuaAppbmRleCAzNWNl MzZjNWEzODFlZTA4ZmQ3ZTI3ODRlYTA0NjE5OWQ5ODIzOWU1Li40ZGZkMDhmMjU5M2Y5ZDU0ZGYw MTFiM2M4MTI3OGM1OTRiMWUzZDAzIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUv cnVudGltZS9KU0FycmF5QnVmZmVyVmlldy5oCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9y dW50aW1lL0pTQXJyYXlCdWZmZXJWaWV3LmgKQEAgLTEsNSArMSw1IEBACiAvKgotICogQ29weXJp Z2h0IChDKSAyMDEzLCAyMDE2IEFwcGxlIEluYy4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KKyAqIENv cHlyaWdodCAoQykgMjAxMy0yMDE5IEFwcGxlIEluYy4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KICAq CiAgKiBSZWRpc3RyaWJ1dGlvbiBhbmQgdXNlIGluIHNvdXJjZSBhbmQgYmluYXJ5IGZvcm1zLCB3 aXRoIG9yIHdpdGhvdXQKICAqIG1vZGlmaWNhdGlvbiwgYXJlIHBlcm1pdHRlZCBwcm92aWRlZCB0 aGF0IHRoZSBmb2xsb3dpbmcgY29uZGl0aW9ucwpAQCAtMTM1LDcgKzEzNSw3IEBAIHByb3RlY3Rl ZDoKICAgICAgICAgYm9vbCBvcGVyYXRvciEoKSBjb25zdCB7IHJldHVybiAhbV9zdHJ1Y3R1cmU7 IH0KICAgICAgICAgCiAgICAgICAgIFN0cnVjdHVyZSogc3RydWN0dXJlKCkgY29uc3QgeyByZXR1 cm4gbV9zdHJ1Y3R1cmU7IH0KLSAgICAgICAgdm9pZCogdmVjdG9yKCkgY29uc3QgeyByZXR1cm4g bV92ZWN0b3IuZ2V0KG1fbGVuZ3RoKTsgfQorICAgICAgICB2b2lkKiB2ZWN0b3IoKSBjb25zdCB7 IHJldHVybiBtX3ZlY3Rvci5nZXRNYXlCZU51bGwobV9sZW5ndGgpOyB9CiAgICAgICAgIHVpbnQz Ml90IGxlbmd0aCgpIGNvbnN0IHsgcmV0dXJuIG1fbGVuZ3RoOyB9CiAgICAgICAgIFR5cGVkQXJy YXlNb2RlIG1vZGUoKSBjb25zdCB7IHJldHVybiBtX21vZGU7IH0KICAgICAgICAgQnV0dGVyZmx5 KiBidXR0ZXJmbHkoKSBjb25zdCB7IHJldHVybiBtX2J1dHRlcmZseTsgfQo=