Bug 119456

Summary:

DFG validation can cause assertion failures due to dumping

Product:

WebKit

Reporter:

Mark Hahnenberg <mhahnenberg>

Component:

JavaScriptCore

Assignee:

Mark Hahnenberg <mhahnenberg>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo, ggaren

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	ggaren: review+

Description Mark Hahnenberg 2013-08-02 13:17:40 PDT

Looks like we're encountering a CodeBlock that hasn't generated a hash() on the main thread, and the compilation thread asserts when trying to dump it.

Comment 1 Mark Hahnenberg 2013-08-02 13:18:02 PDT

* thread #7: tid = 0x23eab1, 0x000000010068257a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:339, name = 'JSC Compilation Thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010068257a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:339
    frame #1: 0x00000001001b0308 JavaScriptCore`JSC::CodeBlock::hash(this=0x000000010c2449b0) const + 104 at CodeBlock.cpp:89
    frame #2: 0x00000001001b0532 JavaScriptCore`JSC::CodeBlock::dumpAssumingJITType(this=0x000000010c2449b0, out=0x00000001008493a0, jitType=DFGJIT) const + 66 at CodeBlock.cpp:120
    frame #3: 0x0000000100260ee6 JavaScriptCore`JSC::CodeBlockWithJITType::dump(this=0x0000000113960138, out=0x00000001008493a0) const + 38 at CodeBlockWithJITType.h:46
    frame #4: 0x0000000100260ead JavaScriptCore`void WTF::printInternal<JSC::CodeBlockWithJITType>(out=0x00000001008493a0, value=0x0000000113960138) + 29 at PrintStream.h:273
    frame #5: 0x0000000100260e1d JavaScriptCore`void WTF::PrintStream::print<JSC::CodeBlockWithJITType>(this=0x00000001008493a0, value=0x0000000113960138) + 29 at PrintStream.h:58
    frame #6: 0x00000001002d9bd9 JavaScriptCore`void WTF::PrintStream::print<char [9], JSC::CodeBlockWithJITType, char [3]>(this=0x00000001008493a0, value1=0x000000010073ca57, value2=0x0000000113960138, value3=0x000000010072ffb0) [9], JSC::CodeBlockWithJITType const&, char const (&) [3]) + 57 at PrintStream.h:72
    frame #7: 0x00000001002d3e6d JavaScriptCore`void WTF::dataLog<char [9], JSC::CodeBlockWithJITType, char [3]>(value1=0x000000010073ca57, value2=0x0000000113960138, value3=0x000000010072ffb0) [9], JSC::CodeBlockWithJITType const&, char const (&) [3]) + 45 at DataLog.h:58
    frame #8: 0x00000001002d0fd0 JavaScriptCore`JSC::DFG::Graph::dump(this=0x0000000113960968, out=0x00000001008493a0, context=0x0000000113960148) + 128 at DFGGraph.cpp:364
    frame #9: 0x00000001003ac7d8 JavaScriptCore`JSC::DFG::Validate::dumpGraphIfAppropriate(this=0x0000000113960460) + 88 at DFGGraph.h:160
    frame #10: 0x00000001003ac0e0 JavaScriptCore`JSC::DFG::Validate::validate(this=0x0000000113960460) + 4096 at DFGValidate.cpp:167
    frame #11: 0x00000001003ab09b JavaScriptCore`JSC::DFG::validate(graph=0x0000000113960968, graphDumpMode=DumpGraph) + 43 at DFGValidate.cpp:477
    frame #12: 0x000000010031e83e JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x000000010c244e30, longLivedState=0x0000000113960e00) + 574 at DFGPlan.cpp:180
    frame #13: 0x000000010031e426 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x000000010c244e30, longLivedState=0x0000000113960e00) + 198 at DFGPlan.cpp:113
    frame #14: 0x00000001003be24c JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x000000010c2331a0) + 412 at DFGWorklist.cpp:242
    frame #15: 0x00000001003bd345 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x000000010c2331a0) + 21 at DFGWorklist.cpp:264
    frame #16: 0x00000001006c8020 JavaScriptCore`WTF::threadEntryPoint(contextData=0x000000010c2333c0) + 144 at Threading.cpp:69
    frame #17: 0x00000001006c89c8 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x000000010c242550) + 104 at ThreadingPthreads.cpp:195
    frame #18: 0x00007fff9513f8a9 libsystem_pthread.dylib`_pthread_body + 138
    frame #19: 0x00007fff9513f73a libsystem_pthread.dylib`_pthread_start + 137
    frame #20: 0x00007fff95143fd9 libsystem_pthread.dylib`thread_start + 13

Comment 2 Filip Pizlo 2013-08-02 13:23:27 PDT

Boooo!

I think that we should have dumpAssumingJITType() just avoid dumping the hash() if it hasn't been computed and we're in the JIT thread.

Comment 3 Mark Hahnenberg 2013-08-02 13:36:17 PDT

Created attachment 208041 [details]
Patch

Comment 4 Geoffrey Garen 2013-08-02 14:08:20 PDT

Comment on attachment 208041 [details]
Patch

r=me

Should we pre-compute the has on the mutator thread, when producing our DFG plan, to make dumping work a little better?

Comment 5 Geoffrey Garen 2013-08-02 14:08:26 PDT

*hash

Comment 6 Filip Pizlo 2013-08-02 14:34:07 PDT

(In reply to comment #4)
> (From update of attachment 208041 [details])
> r=me
> 
> Should we pre-compute the has on the mutator thread, when producing our DFG plan, to make dumping work a little better?

It's expensive!  I tried that once and it was a slight regression, I think.

Might be worth trying again, though.

Comment 7 Mark Hahnenberg 2013-08-02 14:49:45 PDT

Committed r153671: <http://trac.webkit.org/changeset/153671>