Bug 107257

Summary: [GTK] fast/js/toString-stack-overflow.html is crashing
Product: WebKit
Reporter: Zan Dobersek <zan>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bugs-noreply, spenap
Priority: P2
Keywords: Gtk, LayoutTestFailure
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 113168
Bug Blocks:

Description Zan Dobersek 2013-01-18 04:19:27 PST
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&showAllRuns=true&tests=fast%2Fjs%2FtoString-stack-overflow.html
No specific regression range ... yet.

Crash log for DumpRenderTree (pid 25347):

...
[New LWP 25357]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b795b2e10ac in JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook> (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000, markHook=...) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:97
97	    ASSERT((static_cast<char*>(end) - static_cast<char*>(begin)) < 0x1000000);

...

Thread 1 (Thread 0x2b796a139680 (LWP 25347)):
#0  0x00002b795b2e10ac in JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook> (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000, markHook=...) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:97
#1  0x00002b795b2e0702 in JSC::ConservativeRoots::add (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:114
#2  0x00002b795b2f8e37 in JSC::MachineThreads::gatherFromCurrentThread (this=0x28860b8, conservativeRoots=..., stackCurrent=0x7ffff6938e20) at ../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:263
#3  0x00002b795b2f9025 in JSC::MachineThreads::gatherConservativeRoots (this=0x28860b8, conservativeRoots=..., stackCurrent=0x7ffff6938e20) at ../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:475
#4  0x00002b795b2eb810 in JSC::Heap::markRoots (this=0x2882fc8, fullGC=true) at ../../Source/JavaScriptCore/heap/Heap.cpp:440
#5  0x00002b795b2ec2e0 in JSC::Heap::collect (this=0x2882fc8, sweepToggle=JSC::Heap::DoNotSweep) at ../../Source/JavaScriptCore/heap/Heap.cpp:748
#6  0x00002b795b2eaffe in JSC::Heap::reportExtraMemoryCostSlowCase (this=0x2882fc8, cost=17784) at ../../Source/JavaScriptCore/heap/Heap.cpp:309
#7  0x00002b795b1167d5 in JSC::Heap::reportExtraMemoryCost (this=0x2882fc8, cost=17784) at ../../Source/JavaScriptCore/heap/Heap.h:380
#8  0x00002b795b133383 in JSC::JSString::finishCreation (this=0x2b79b088cea0, globalData=..., length=17784, cost=17784) at ../../Source/JavaScriptCore/runtime/JSString.h:107
#9  0x00002b795b1334a2 in JSC::JSString::create (globalData=..., value=...) at ../../Source/JavaScriptCore/runtime/JSString.h:127
#10 0x00002b795b133603 in JSC::jsString (globalData=0x2882f70, s="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,"...) at ../../Source/JavaScriptCore/runtime/JSString.h:395
#11 0x00002b795b133647 in JSC::jsString (exec=0x2b79b0085c48, s="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,"...) at ../../Source/JavaScriptCore/runtime/JSString.h:458
#12 0x00002b795b3ea07d in JSC::arrayProtoFuncToString (exec=0x2b79b0085c48) at ../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:348
#13 0x00002b795b3114c5 in JSC::Interpreter::executeCall (this=0x2b79ac0067f0, callFrame=0x2b79b0085bf0, function=0x2b79b064d500, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1058
#14 0x00002b795b3f5c71 in JSC::call (exec=0x2b79b0085bf0, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:40
#15 0x00002b795b44bb59 in JSC::callDefaultValueFunction (exec=0x2b79b0085bf0, object=0x2b79b0c21940, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1362
#16 0x00002b795b44bd26 in JSC::JSObject::defaultValue (object=0x2b79b0c21940, exec=0x2b79b0085bf0, hint=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1383
#17 0x00002b795b427aad in JSC::JSObject::toPrimitive (this=0x2b79b0c21940, exec=0x2b79b0085bf0, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.h:1400
#18 0x00002b795b427481 in JSC::JSCell::toPrimitive (this=0x2b79b0c21940, exec=0x2b79b0085bf0, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:145
#19 0x00002b795b46dd44 in JSC::JSValue::toStringSlowCase (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:308
#20 0x00000000004b71d3 in JSC::JSValue::toString (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:511
#21 0x00002b795b3efed3 in JSC::inlineJSValueNotStringtoString (value=..., exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:536
#22 0x00002b795b46ddff in JSC::JSValue::toWTFStringSlowCase (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:317
#23 0x00002b795b3efd1a in JSC::JSValue::toWTFString (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:518
#24 0x00002b795b3e9d7e in JSC::arrayProtoFuncToString (exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:320
#25 0x00002b795b3114c5 in JSC::Interpreter::executeCall (this=0x2b79ac0067f0, callFrame=0x2b79b0085b98, function=0x2b79b064d500, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1058
#26 0x00002b795b3f5c71 in JSC::call (exec=0x2b79b0085b98, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:40
#27 0x00002b795b44bb59 in JSC::callDefaultValueFunction (exec=0x2b79b0085b98, object=0x2b79b0c21920, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1362
#28 0x00002b795b44bd26 in JSC::JSObject::defaultValue (object=0x2b79b0c21920, exec=0x2b79b0085b98, hint=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1383
#29 0x00002b795b427aad in JSC::JSObject::toPrimitive (this=0x2b79b0c21920, exec=0x2b79b0085b98, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.h:1400
#30 0x00002b795b427481 in JSC::JSCell::toPrimitive (this=0x2b79b0c21920, exec=0x2b79b0085b98, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:145
#31 0x00002b795b46dd44 in JSC::JSValue::toStringSlowCase (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:308
#32 0x00000000004b71d3 in JSC::JSValue::toString (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:511
#33 0x00002b795b3efed3 in JSC::inlineJSValueNotStringtoString (value=..., exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:536
#34 0x00002b795b46ddff in JSC::JSValue::toWTFStringSlowCase (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:317
#35 0x00002b795b3efd1a in JSC::JSValue::toWTFString (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:518
(The last 12 frames loop.)
Comment 1 Zan Dobersek 2013-01-18 13:18:23 PST
This test is crashing due to stack size being too large. This was caused by increasing the swap size on the debug builder (I believe from 8GB to 12GB, while the system also has 8GB of RAM).

Two more tests started failing because of the same cause:
fast/dom/Window/window-postmessage-clone-deep-array.html
fast/js/large-expressions.html

On the setup I'm using (8GB of RAM, 18GB of swap), I've run a simple test in both Chrome and GtkLauncher:
var i = 0;
function rec() {
    i++;
    rec();
}

try {
    rec();
} catch (error) {
    console.log("Got error " + error);
    console.log("Hit the top at " + i);
}

In Chrome, I get 25083 recursions while in GtkLauncher I get 58034 of those.

Debugging the stack size, the stack made available through pthread is (on my setup) 8MB large.
http://trac.webkit.org/browser/trunk/Source/WTF/wtf/StackBounds.cpp#L131
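The frame #0 in the crash log dies on a sanity check in ConservativeRoots.cpp: the span of memory the conservative scanner is asked to scan must be smaller than 0x1000000 (16 MiB). The program below is an added example, not WebKit code; it reproduces that check as a pure function so the begin/end addresses from the log can be fed through it, and reads the calling thread's stack limit with getrlimit(RLIMIT_STACK) (an assumption: on Linux this soft limit is what sizes the main thread's stack, which is the 8MB figure Comment 1 mentions for pthread). The function names span_bytes, span_is_sane and main_thread_stack_limit are the example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <sys/resource.h>

/* Same bound as the ASSERT at ConservativeRoots.cpp:97 in the crash log: 16 MiB. */
#define MAX_SPAN_BYTES ((uintptr_t)0x1000000)

/* Addresses are handled as integers so values copied from a crash log can be
 * checked without ever dereferencing them. Returns 0 for a reversed span. */
uintptr_t span_bytes(uintptr_t begin, uintptr_t end)
{
    return end < begin ? 0 : end - begin;
}

/* Mirrors the scanner's sanity check: a span is acceptable only if it is
 * well-ordered and strictly smaller than MAX_SPAN_BYTES. */
int span_is_sane(uintptr_t begin, uintptr_t end)
{
    if (end < begin)
        return 0;
    return span_bytes(begin, end) < MAX_SPAN_BYTES;
}

/* Soft RLIMIT_STACK of the current process; on Linux this is the size the
 * main thread's stack may grow to (assumption stated in the lead-in).
 * Returns 0 on failure or when the limit is unlimited. */
uintptr_t main_thread_stack_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return 0;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (uintptr_t)rl.rlim_cur;
}

int main(void)
{
    /* Constructed input: the begin/end pair reported in frame #0 of the log. */
    uintptr_t log_begin = (uintptr_t)0x7ffff6938e20ULL;
    uintptr_t log_end   = (uintptr_t)0x7ffff7fd7000ULL;

    printf("span from crash log: %lu bytes (%.1f MiB), sane=%d\n",
           (unsigned long)span_bytes(log_begin, log_end),
           span_bytes(log_begin, log_end) / (1024.0 * 1024.0),
           span_is_sane(log_begin, log_end));

    uintptr_t limit = main_thread_stack_limit();
    if (limit == 0) {
        puts("stack limit: unavailable or unlimited");
        return 0;
    }
    /* A scan of an entire stack of this size would be asked of the scanner
     * in the worst case; check whether that would trip the assertion. */
    printf("main thread stack limit: %lu bytes (%.1f MiB), full-stack span sane=%d\n",
           (unsigned long)limit, limit / (1024.0 * 1024.0),
           span_is_sane(0x1000, 0x1000 + limit));
    return 0;
}
```

Fed the addresses from frame #0, the span works out to 0x169E1E0 bytes, roughly 22.6 MiB, which is what the 16 MiB assertion rejects; with an 8 MiB stack limit the full-stack span passes, so the check itself is not the problem, the size of the region handed to it is.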
Comment 2 Simon Pena 2013-07-05 09:42:39 PDT
This test now fails but doesn't crash any more.