Bug 121661

Summary: Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, fpizlo, ggaren, oliver, webkit-bug-importer
Priority: P2
Keywords: InRadar, MakingBotsRed
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
the patch: none
the patch: mhahnenberg: review+

Alexey Proskuryakov
Reported 2013-09-20 00:26:57 PDT
All these tests are quite crashy, particularly on leaks tester for whatever reason: <http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=swizzlers>

RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());

Thread 12 Crashed:: JSC Compilation Thread
0 com.apple.JavaScriptCore 0x000000010d91280a WTFCrash + 42 (Assertions.cpp:342)
1 com.apple.JavaScriptCore 0x000000010d395a9f JSC::Structure::checkOffsetConsistency() const + 207 (StructureInlines.h:233)
2 com.apple.JavaScriptCore 0x000000010d394c89 JSC::Structure::outOfLineCapacity() const + 25 (Structure.h:182)
3 com.apple.JavaScriptCore 0x000000010d49ee2f JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 16639 (DFGByteCodeParser.cpp:2518)
4 com.apple.JavaScriptCore 0x000000010d499ab2 JSC::DFG::ByteCodeParser::parseCodeBlock() + 2002 (DFGByteCodeParser.cpp:3589)
5 com.apple.JavaScriptCore 0x000000010d4a50fa JSC::DFG::ByteCodeParser::parse() + 250 (DFGByteCodeParser.cpp:3626)
6 com.apple.JavaScriptCore 0x000000010d4a53de JSC::DFG::parse(JSC::DFG::Graph&) + 62 (DFGByteCodeParser.cpp:3666)
7 com.apple.JavaScriptCore 0x000000010d59446e JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 190 (DFGPlan.cpp:155)
8 com.apple.JavaScriptCore 0x000000010d5941a2 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 242 (DFGPlan.cpp:116)
9 com.apple.JavaScriptCore 0x000000010d634cc4 JSC::DFG::Worklist::runThread() + 468 (DFGWorklist.cpp:239)
10 com.apple.JavaScriptCore 0x000000010d633d95 JSC::DFG::Worklist::threadFunction(void*) + 21 (DFGWorklist.cpp:261)
11 com.apple.JavaScriptCore 0x000000010d959400 WTF::threadEntryPoint(void*) + 144 (Threading.cpp:70)
12 com.apple.JavaScriptCore 0x000000010d959dd8 WTF::wtfThreadEntryPoint(void*) + 104 (ThreadingPthreads.cpp:195)
13 libsystem_c.dylib 0x00007fff96e23772 _pthread_start + 327
14 libsystem_c.dylib 0x00007fff96e101a1 thread_start + 13
Attachments
the patch (5.01 KB, patch), 2013-10-18 10:59 PDT, Filip Pizlo, no flags
the patch (5.31 KB, patch), 2013-10-18 11:01 PDT, Filip Pizlo, mhahnenberg: review+
Radar WebKit Bug Importer
Comment 1 2013-09-20 00:39:33 PDT
Filip Pizlo
Comment 2 2013-10-18 10:59:01 PDT
Created attachment 214586 [details] the patch
Filip Pizlo
Comment 3 2013-10-18 11:01:26 PDT
Created attachment 214587 [details] the patch
Mark Hahnenberg
Comment 4 2013-10-18 11:08:47 PDT
Comment on attachment 214587 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=214587&action=review

r=me

> Source/JavaScriptCore/ChangeLog:21
> + keeping in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be it in sync

> Source/JavaScriptCore/ChangeLog:39
> + outOfLineCapacity(), and is right to do wo without holding any locks (since in all cases where do so

> Source/JavaScriptCore/ChangeLog:44
> + property table modified - instead what happens is that so downstream structure steals the some downstream
Filip Pizlo
Comment 5 2013-10-18 13:20:05 PDT