Bug 100636

Summary: REGRESSION(r132757): It made 2 jquery tests assert
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Critical
Priority: P1
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Chris Dumez <cdumez>
Assignee: Nobody <webkit-unassigned>
CC: fpizlo, oliver, ossy
Keywords: InRadar, Qt, QtTriaged
Bug Depends on:
Bug Blocks: 79668, 100620

Chris Dumez
Reported 2012-10-29 00:42:03 PDT
After http://trac.webkit.org/changeset/132757, the 2 following jquery test cases started crashing:
jquery/manipulation.html
jquery/traversing.html

Backtrace:
crash log for DumpRenderTree (pid 860):
STDOUT: <empty>
STDERR: ASSERTION FAILED: ArrayMode(Array::Arguments).alreadyChecked(m_state.forNode(node.child1()))
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3247) : void JSC::DFG::SpeculativeJIT::compileGetByValOnArguments(JSC::DFG::Node&)
STDERR: 1 0x7f56d6262474 JSC::DFG::SpeculativeJIT::compileGetByValOnArguments(JSC::DFG::Node&)
STDERR: 2 0x7f56d6285456 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)
STDERR: 3 0x7f56d6259602 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
STDERR: 4 0x7f56d6259d87 JSC::DFG::SpeculativeJIT::compile()
STDERR: 5 0x7f56d622a1ce JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
STDERR: 6 0x7f56d622b163 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
STDERR: 7 0x7f56d621dfab JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
STDERR: 8 0x7f56d621d900 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
STDERR: 9 0x7f56d63add8f JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
STDERR: 10 0x7f56d63ae08a JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
STDERR: 11 0x7f56d63abf71 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
STDERR: 12 0x7f56d63ab39b JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 13 0x7f56d614ad85 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
STDERR: 14 0x7f56d6146e38 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 15 0x7f56d63177bd
STDERR: 16 0x7f56d6313be0
STDERR: 17 0x7f5682780058
Attachments
verbose DRT output 1 on r133134 (308.73 KB, text/plain)
2012-11-05 09:00 PST, Csaba Osztrogonác
no flags
verbose DRT output 2 on r133134 (1.18 MB, text/plain)
2012-11-05 09:00 PST, Csaba Osztrogonác
no flags
GDB backtrace for jquery/manipulation.html (7.39 KB, text/plain)
2012-11-05 09:01 PST, Csaba Osztrogonác
no flags
Alexey Proskuryakov
Comment 1 2012-10-29 09:52:51 PDT
Csaba Osztrogonác
Comment 2 2012-10-30 10:26:44 PDT
This bug is valid on Qt too, I skipped the asserting tests to paint the bots green - r132923. Please unskip them with the proper fix. And it is P1/critical, because it is an assertion and regression.
Csaba Osztrogonác
Comment 3 2012-11-04 02:20:04 PST
ping?
Csaba Osztrogonác
Comment 4 2012-11-04 02:20:57 PST
I think we should revert the original change if the author is unavailable to fix the regression.
Filip Pizlo
Comment 5 2012-11-04 02:24:04 PST
(In reply to comment #4)
> I think we should revert the original change if the author is unavailable to fix the regression.
I do not see this crash on Mac.
Csaba Osztrogonác
Comment 6 2012-11-04 02:26:07 PST
(In reply to comment #5)
> (In reply to comment #4)
> > I think we should revert the original change if the author is unavailable to fix the regression.
>
> I do not see this crash on Mac.
It doesn't mean that the crash is invalid. The crash/assertion occurred on EFL debug and on Qt debug buildbots.
Csaba Osztrogonác
Comment 7 2012-11-04 02:27:24 PST
If you have any idea, I willingly check it on Qt to help debugging this bug, but I can't debug it myself, because I don't know anything about your original patch.
Filip Pizlo
Comment 8 2012-11-04 17:19:25 PST
(In reply to comment #7)
> If you have any idea, I willingly check it on Qt to help debugging this bug,
> but I can't debug it myself, because I don't know anything about your original patch.
Does it reproduce to the point where you can catch the assertion in gdb? If so, can you show me what the contents of 'm_state.forNode(node.child1())' is? Also, if you could enable DFG_ENABLE_DEBUG_VERBOSE (in DFGCommon.h) and show me the output dump from that, that would be absolutely fabulous.
Csaba Osztrogonác
Comment 9 2012-11-05 08:11:00 PST
Hm, it seems the assertions disappeared after http://trac.webkit.org/changeset/133160. Is it possible if it was the proper fix for this bug? Or did it make the bug hidden?
Chris Dumez
Comment 10 2012-11-05 08:12:42 PST
For the record, I also tried to reproduce the crashing on EFL port today and could not.
Csaba Osztrogonác
Comment 11 2012-11-05 08:38:45 PST
(In reply to comment #9)
> Hm, it seems the assertions disappeared after http://trac.webkit.org/changeset/133160. Is it possible if it was the proper fix for this bug? Or did it make the bug hidden?
No, it is impossible. All tests crashed between r133138-r133160, r133135 is the revision that fixed this bug.
Csaba Osztrogonác
Comment 12 2012-11-05 09:00:01 PST
Created attachment 172346: verbose DRT output 1 on r133134
Csaba Osztrogonác
Comment 13 2012-11-05 09:00:32 PST
Created attachment 172348: verbose DRT output 2 on r133134
Csaba Osztrogonác
Comment 14 2012-11-05 09:01:04 PST
Created attachment 172349: GDB backtrace for jquery/manipulation.html
Csaba Osztrogonác
Comment 15 2012-11-05 09:04:00 PST
Could you check if http://trac.webkit.org/changeset/133135 fixed this bug properly or only made this bug hidden?
Csaba Osztrogonác
Comment 16 2012-11-05 09:27:19 PST
I unskipped them by r133487, but it would be great if you can confirm if r133135 is the proper fix for this bug or not.
Filip Pizlo
Comment 17 2012-11-05 09:53:40 PST
(In reply to comment #15)
> Could you check if http://trac.webkit.org/changeset/133135 fixed this bug properly or only made this bug hidden?
It's a real fix.
Csaba Osztrogonác
Comment 18 2012-11-05 09:54:35 PST
Thanks.