98722 2012-10-08 22:35:02 -0700 REGRESSION (r130359): Assertion failure in JSC::checkOffset caused by removal of fixed inline slots count assumption 2013-01-11 14:39:24 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar, Regression P1 Critical --- 1 mark.lam ggaren barraclough cdumez dimitris.apostolou d-r fpizlo ggaren jussi.kukkonen koivisto mhahnenberg rniwa simon.fraser slewis webkit-bug-importer zan oldest_to_newest 737424 0 mark.lam 2012-10-08 22:35:02 -0700 Change set <http://trac.webkit.org/changeset/130359> (https://bugs.webkit.org/show_bug.cgi?id=98332 Removed the assumption that "final" objects have a fixed number of inline slots) caused some mozilla tests in run-javascriptcore-tests to fail intermittently when jsc is built with COLLECT_ON_EVERY_ALLOCATION enabled in heap/MarkedAllocator.cpp. This issue does not manifest in r130344 which is the revision immediately before r130359 (as far as JavaScriptCore changes are concern). I reproduced the issues by simply running the GC only one in 5 times in MarkedAllocator::allocateSlowCase() as follows (which runs a lot faster): #if 1 // COLLECT_ON_EVERY_ALLOCATION // mlam static int count = 0; count = (count + 1) % 5; if (count == 0) { m_heap->collectAllGarbage(); ASSERT(m_heap->m_operationInProgress == NoOperation); } #endif When I tried running an affected test in gdb, the test does not fail every time. But if I re-run the test over and over again in gdb, it eventually fails with an assertion failure. Here is an example backtrace from running the following (on a more recent build, r130716): $ cd Source/JavaScriptCore/tests/mozilla Source/JavaScriptCore/tests/mozilla$ DYLD_FRAMEWORK_PATH=/Volumes/Source/ws2/OpenSource/WebKitBuild/Debug/ gdb /Volumes/Source/ws2/OpenSource/WebKitBuild/Debug/jsc ... (gdb) r -s -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js Starting program: /Volumes/Source/ws2/OpenSource/WebKitBuild/Debug/jsc -s -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js BUGNUMBER: 304828 STATUS: Array Generic Methods ASSERTION FAILED: offset == invalidOffset || offset < inlineCapacity || isOutOfLineOffset(offset) ... (gdb) bt #0 0x00000001002433e7 in JSC::checkOffset (offset=37, inlineCapacity=13) at PropertyOffset.h:71 #1 0x00000001002b7209 in JSC::validateOffset (offset=37, inlineCapacity=13) at PropertyOffset.h:84 #2 0x00000001002b6f6e in JSC::JSObject::offsetForLocation (this=0x101dcffe0, location=0x101dd0118) at JSObject.h:468 #3 0x000000010032869d in JSC::setUpStaticFunctionSlot (exec=0x104800058, entry=0x102802060, thisObj=0x101dcffe0, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/Lookup.cpp:87 #4 0x000000010035729a in JSC::getStaticFunctionSlot<JSC::JSNonFinalObject> (exec=0x104800058, table=0x101901680, thisObj=0x101dcffe0, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at Lookup.h:294 #5 0x0000000100356089 in JSC::ObjectPrototype::getOwnPropertySlot (cell=0x101dcffe0, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/ObjectPrototype.cpp:82 #6 0x000000010008c2e6 in JSC::JSCell::fastGetOwnPropertySlot (this=0x101dcffe0, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at JSObject.h:905 #7 0x000000010008c0b0 in JSC::JSObject::getPropertySlot (this=0x101dcfe20, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at JSObject.h:930 #8 0x0000000100085518 in JSC::JSObject::get (this=0x101dcfe20, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}) at JSObject.h:955 #9 0x00000001002db1a0 in callDefaultValueFunction (exec=0x104800058, object=0x101dcfe20, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/JSObject.cpp:736 #10 0x00000001002d833d in JSC::JSObject::defaultValue (object=0x101dcfe20, exec=0x104800058, hint=JSC::NoPreference) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/JSObject.cpp:775 #11 0x00000001002a9dd4 in JSC::JSObject::toPrimitive (this=0x101dcfe20, exec=0x104800058, preferredType=JSC::NoPreference) at JSObject.h:1142 #12 0x00000001002a971f in JSC::JSCell::toPrimitive (this=0x101dcfe20, exec=0x104800058, preferredType=JSC::NoPreference) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/JSCell.cpp:140 #13 0x000000010012c038 in JSC::JSValue::toPrimitive (this=0x7fff5fbfdef8, exec=0x104800058, preferredType=JSC::NoPreference) at JSCell.h:264 #14 0x000000010035796b in JSC::jsAddSlowCase (callFrame=0x104800058, v1={u = {asInt64 = 4326227488, ptr = 0x101dcfe20, asBits = {payload = 31260192, tag = 1}}}, v2={u = {asInt64 = 4321181664, ptr = 0x1018fffe0, asBits = {payload = 26214368, tag = 1}}}) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/Operations.cpp:54 #15 0x000000010042b467 in llint_slow_path_add (exec=0x104800058, pc=0x1020193f8) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:633 #16 0x00000001004362dc in llint_op_add () #17 0x000000010024bc14 in JSC::JITCode::execute (this=0x100efdd00, stack=0x1036090e0, callFrame=0x104800058, globalData=0x101007e00) at JITCode.h:134 #18 0x000000010024846b in JSC::Interpreter::execute (this=0x1036090c0, program=0x100efdce0, callFrame=0x1018cfb88, thisObj=0x1018efd80) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/interpreter/Interpreter.cpp:878 #19 0x000000010012885f in JSC::evaluate (exec=0x1018cfb88, source=@0x7fff5fbff770, thisValue={u = {asInt64 = 4320983424, ptr = 0x1018cf980, asBits = {payload = 26016128, tag = 1}}}, returnedException=0x7fff5fbff790) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/Completion.cpp:77 #20 0x00000001000087c9 in runWithScripts (globalObject=0x1018cf980, scripts=@0x7fff5fbff880, dump=false) at jsc.cpp:567 #21 0x0000000100008008 in jscmain (argc=8, argv=0x7fff5fbff910) at jsc.cpp:755 #22 0x0000000100007efe in main (argc=8, argv=0x7fff5fbff910) at jsc.cpp:530 (gdb) 740249 1 mark.lam 2012-10-11 14:01:39 -0700 This is also causing a crash in the layout test: inspector/styles/import-pseudoclass-crash.html 740252 2 mark.lam 2012-10-11 14:04:41 -0700 The inspector/styles/import-pseudoclass-crash.html crash seems to be intermittent. I'm not seeing it on the ews bots. 744171 3 d-r 2012-10-17 05:14:32 -0700 *** Bug 99356 has been marked as a duplicate of this bug. *** 744173 4 d-r 2012-10-17 05:14:44 -0700 *** Bug 98596 has been marked as a duplicate of this bug. *** 744361 5 ggaren 2012-10-17 10:19:02 -0700 <rdar://problem/12518688> 745708 6 ggaren 2012-10-18 16:16:18 -0700 I tried reproducing this @r131809, using the COLLECT_ON_EVERY_ALLOCATION change above: - run-javascriptcore-tests --debug: no crash - r -s -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js: no crash - r -s -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js....: no crash 746477 7 ggaren 2012-10-19 11:22:25 -0700 I can reproduce this using run-javascriptcore-tests @r130359, on many sub-tests. 746495 8 simon.fraser 2012-10-19 11:42:11 -0700 Frequently seeing this while debugging facebook. 756568 9 koivisto 2012-11-01 13:24:57 -0700 Seems pretty frequent http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r133207%20(2384)/results.html 758549 10 cdumez 2012-11-05 08:19:19 -0800 This crash still occurs regularly on EFL EWS: http://build.webkit.org/results/EFL%20Linux%2064-bit%20Debug/r133475%20(8160)/results.html http://build.webkit.org/results/EFL%20Linux%2064-bit%20Debug/r133460%20(8156)/results.html It makes it tough to keep the bots green since it affects random tests. 794216 11 simon.fraser 2012-12-18 17:41:15 -0800 Still happens: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138081%20(3961)/fast/dom/gc-acid3-crash-log.txt 799464 12 rniwa 2013-01-03 10:32:05 -0800 inspector/extensions/extensions-panel.html and inspector/extensions/extensions-api.html crashed on this run: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138709%20(4272)/results.html fast/dom/gc-acid3.html and inspector/profiler/webgl/webgl-profiler-get-error.html crashed on this run: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r138709%20(5405)/results.html 799877 13 rniwa 2013-01-03 17:38:39 -0800 We’re constantly seeing this failure on bots: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138762%20(4284)/results.html http://build.webkit.org/results/Apple%20Lion%20Debug%20WK1%20(Tests)/r138761%20(5649)/results.html 799951 14 rniwa 2013-01-03 21:55:14 -0800 Here's another one: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138776%20(4290)/results.html 800351 15 rniwa 2013-01-04 10:29:22 -0800 Another one: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138805%20(4304)/results.html This bug is preventing us from making debug bots green. 805515 16 ggaren 2013-01-11 12:20:19 -0800 Bug 106686 should fix most of these reports. A related bug remains in JSObject::offsetForLocation() (coming soon). 805558 17 ggaren 2013-01-11 13:18:09 -0800 Bug 106692 removes JSObject::offsetForLocation(). 805559 18 ggaren 2013-01-11 13:18:34 -0800 I believe this issue is fixed; we'll reopen if more buildbot issues appear. 805560 19 ggaren 2013-01-11 13:19:46 -0800 BTW, Phil is the one who diagnosed this bug. 805627 20 rniwa 2013-01-11 14:39:24 -0800 (In reply to comment #17) > Bug 106692 removes JSObject::offsetForLocation(). Exciting! (In reply to comment #19) > BTW, Phil is the one who diagnosed this bug. Thanks a lot for following up on this bug. I really hope this flaky crash goes away in the next cycle.