Bug 119456

Summary: DFG validation can cause assertion failures due to dumping
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ggaren: review+

Mark Hahnenberg
Reported 2013-08-02 13:17:40 PDT
Looks like we're encountering a CodeBlock that hasn't generated a hash() on the main thread, and the compilation thread asserts when trying to dump it.
Attachments
Patch (3.03 KB, patch)
2013-08-02 13:36 PDT, Mark Hahnenberg 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2013-08-02 13:18:02 PDT
* thread #7: tid = 0x23eab1, 0x000000010068257a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:339, name = 'JSC Compilation Thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x000000010068257a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:339 frame #1: 0x00000001001b0308 JavaScriptCore`JSC::CodeBlock::hash(this=0x000000010c2449b0) const + 104 at CodeBlock.cpp:89 frame #2: 0x00000001001b0532 JavaScriptCore`JSC::CodeBlock::dumpAssumingJITType(this=0x000000010c2449b0, out=0x00000001008493a0, jitType=DFGJIT) const + 66 at CodeBlock.cpp:120 frame #3: 0x0000000100260ee6 JavaScriptCore`JSC::CodeBlockWithJITType::dump(this=0x0000000113960138, out=0x00000001008493a0) const + 38 at CodeBlockWithJITType.h:46 frame #4: 0x0000000100260ead JavaScriptCore`void WTF::printInternal<JSC::CodeBlockWithJITType>(out=0x00000001008493a0, value=0x0000000113960138) + 29 at PrintStream.h:273 frame #5: 0x0000000100260e1d JavaScriptCore`void WTF::PrintStream::print<JSC::CodeBlockWithJITType>(this=0x00000001008493a0, value=0x0000000113960138) + 29 at PrintStream.h:58 frame #6: 0x00000001002d9bd9 JavaScriptCore`void WTF::PrintStream::print<char [9], JSC::CodeBlockWithJITType, char [3]>(this=0x00000001008493a0, value1=0x000000010073ca57, value2=0x0000000113960138, value3=0x000000010072ffb0) [9], JSC::CodeBlockWithJITType const&, char const (&) [3]) + 57 at PrintStream.h:72 frame #7: 0x00000001002d3e6d JavaScriptCore`void WTF::dataLog<char [9], JSC::CodeBlockWithJITType, char [3]>(value1=0x000000010073ca57, value2=0x0000000113960138, value3=0x000000010072ffb0) [9], JSC::CodeBlockWithJITType const&, char const (&) [3]) + 45 at DataLog.h:58 frame #8: 0x00000001002d0fd0 JavaScriptCore`JSC::DFG::Graph::dump(this=0x0000000113960968, out=0x00000001008493a0, context=0x0000000113960148) + 128 at DFGGraph.cpp:364 frame #9: 0x00000001003ac7d8 JavaScriptCore`JSC::DFG::Validate::dumpGraphIfAppropriate(this=0x0000000113960460) + 88 at DFGGraph.h:160 frame #10: 0x00000001003ac0e0 JavaScriptCore`JSC::DFG::Validate::validate(this=0x0000000113960460) + 4096 at DFGValidate.cpp:167 frame #11: 0x00000001003ab09b JavaScriptCore`JSC::DFG::validate(graph=0x0000000113960968, graphDumpMode=DumpGraph) + 43 at DFGValidate.cpp:477 frame #12: 0x000000010031e83e JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x000000010c244e30, longLivedState=0x0000000113960e00) + 574 at DFGPlan.cpp:180 frame #13: 0x000000010031e426 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x000000010c244e30, longLivedState=0x0000000113960e00) + 198 at DFGPlan.cpp:113 frame #14: 0x00000001003be24c JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x000000010c2331a0) + 412 at DFGWorklist.cpp:242 frame #15: 0x00000001003bd345 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x000000010c2331a0) + 21 at DFGWorklist.cpp:264 frame #16: 0x00000001006c8020 JavaScriptCore`WTF::threadEntryPoint(contextData=0x000000010c2333c0) + 144 at Threading.cpp:69 frame #17: 0x00000001006c89c8 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x000000010c242550) + 104 at ThreadingPthreads.cpp:195 frame #18: 0x00007fff9513f8a9 libsystem_pthread.dylib`_pthread_body + 138 frame #19: 0x00007fff9513f73a libsystem_pthread.dylib`_pthread_start + 137 frame #20: 0x00007fff95143fd9 libsystem_pthread.dylib`thread_start + 13
Filip Pizlo
Comment 2 2013-08-02 13:23:27 PDT
Boooo! I think that we should have dumpAssumingJITType() just avoid dumping the hash() if it hasn't been computed and we're in the JIT thread.
Mark Hahnenberg
Comment 3 2013-08-02 13:36:17 PDT
Created attachment 208041 [details] Patch
Geoffrey Garen
Comment 4 2013-08-02 14:08:20 PDT
Comment on attachment 208041 [details] Patch r=me Should we pre-compute the has on the mutator thread, when producing our DFG plan, to make dumping work a little better?
Geoffrey Garen
Comment 5 2013-08-02 14:08:26 PDT
*hash
Filip Pizlo
Comment 6 2013-08-02 14:34:07 PDT
(In reply to comment #4) > (From update of attachment 208041 [details]) > r=me > > Should we pre-compute the has on the mutator thread, when producing our DFG plan, to make dumping work a little better? It's expensive! I tried that once and it was a slight regression, I think. Might be worth trying again, though.
Mark Hahnenberg
Comment 7 2013-08-02 14:49:45 PDT
Committed r153671: <http://trac.webkit.org/changeset/153671>
Note You need to log in before you can comment on or make changes to this bug.