Bug 126174

Summary: jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit is failing in cStack
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 126172    
Attachments:
Description Flags
the patch.
none
the patch. ggaren: review+

Filip Pizlo
Reported 2013-12-23 12:42:55 PST
Probably a varargs issue.
Attachments
the patch. (4.24 KB, patch)
2013-12-25 23:04 PST, Mark Lam 		no flags
DetailsFormatted DiffDiff
the patch. (4.24 KB, patch)
2013-12-25 23:12 PST, Mark Lam 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2013-12-23 16:14:08 PST
It looks like this fails even in the LLInt. Still investigating...
Filip Pizlo
Comment 2 2013-12-23 16:32:49 PST
This looks like an exception throwing, unwinding, and stack overflow bug. All engines crash on the tests for stack overflow, where you apply with a ridiculous argument count.
Mark Lam
Comment 3 2013-12-23 18:24:23 PST
Here's a reduced test case that reproduces this issue (or likely the root cause of this issue): function foo() { try { foo(); } catch (e) { throw e; } } foo();
Mark Lam
Comment 4 2013-12-25 23:04:33 PST
Created attachment 220024 [details] the patch.
Mark Lam
Comment 5 2013-12-25 23:12:09 PST
Created attachment 220025 [details] the patch.
Mark Lam
Comment 6 2013-12-25 23:15:06 PST
When we do a stack check in a function prologue, the activation object in the frame hasn't been set yet. The test failures came from the stack unwinding code trying to tear off the frame to a non-existant activation object. Since we haven't entered the function yet and the frame is technically not fully "pushed" yet, we can throw i.e. start the unwinding from the caller frame instead. This fixes the issue. Landed in r161084 on the jsCStack branch: <http://trac.webkit.org/r161084>.
Michael Saboff
Comment 7 2013-12-26 08:15:33 PST
With the span size ASSERT disabled in ConservativeRoots.cpp, function-apply-aliased.js.layout-no-cjit (and the other instances of function-apply-aliased.js) fail after timing out: jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: Timed out after 169.000000 seconds! jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 1 0x10188adc0 WTFCrash jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 2 0x1011be960 jscmain(int, char**) jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 3 0x1018da288 WTF::threadEntryPoint(void*) jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 4 0x1018db038 WTF::wtfThreadEntryPoint(void*) jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 5 0x7fff8c879899 _pthread_body jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 6 0x7fff8c87972a _pthread_struct_init jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 7 0x7fff8c87dfc9 thread_start jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: test_script_6882: line 2: 57151 Segmentation fault: 11 "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --enableConcurrentJIT\=false resources/standalone-pre.js function-apply-aliased.js resources/standalone-post.js jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: ERROR: Unexpected exit code: 139
Mark Lam
Comment 8 2013-12-26 08:17:37 PST
(In reply to comment #7) > With the span size ASSERT disabled in ConservativeRoots.cpp, function-apply-aliased.js.layout-no-cjit (and the other instances of function-apply-aliased.js) fail after timing out: That is because the JSStack size used to be 512K. Now it is is 63M. I’m now working on adding a VM option to cap the C stack size, and we’ll cap the stack size to 4M for jsc and tests. With that, the tests won’t time out.
Filip Pizlo
Comment 9 2013-12-26 08:26:53 PST
(In reply to comment #8) > (In reply to comment #7) > > With the span size ASSERT disabled in ConservativeRoots.cpp, function-apply-aliased.js.layout-no-cjit (and the other instances of function-apply-aliased.js) fail after timing out: > > That is because the JSStack size used to be 512K. Now it is is 63M. I’m now working on adding a VM option to cap the C stack size, and we’ll cap the stack size to 4M for jsc and tests. With that, the tests won’t time out. OK - we need to have an *actual* story for this. We can't have a WebKit user getting a spin every time that some program overflows stack. Maybe you should have limits on how much stack JS is allowed to use? As we talked previously, you'll have to have a story for how this will work in case of VM reentry.
Mark Lam
Comment 10 2013-12-30 22:37:23 PST
(In reply to comment #9) > Maybe you should have limits on how much stack JS is allowed to use? As we talked previously, you'll have to have a story for how this will work in case of VM reentry. The work to use a separate limit for the JS stack is at https://bugs.webkit.org/show_bug.cgi?id=126320.
Geoffrey Garen
Comment 11 2014-01-14 14:47:26 PST
Comment on attachment 220025 [details] the patch. r=me
Mark Lam
Comment 12 2014-01-15 08:27:42 PST
Review status updated in r162014: <http://trac.webkit.org/r162014>.
Note You need to log in before you can comment on or make changes to this bug.