Bug 143087
Summary: | 2 new tests introduced in r181993 crash on Linux with enabled FTL JIT | ||
---|---|---|---|
Product: | WebKit | Reporter: | Csaba Osztrogonác <ossy> |
Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED WORKSFORME | ||
Severity: | Normal | CC: | cgarcia, fpizlo, ggaren, mark.lam, msaboff, oliver, ossy, zan |
Priority: | P2 | ||
Version: | 528+ (Nightly build) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Bug Depends on: | |||
Bug Blocks: | 108645, 141174, 143605, 143822 |
Csaba Osztrogonác
stress/varargs-closure-inlined-exit-strict-mode.js and stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager
introduced in the gigantic https://trac.webkit.org/changeset/181993 and fail on AArch64 Linux, maybe on iOS too,
but I have no information about it, because there is no public iOS tester bot.
stress/varargs-closure-inlined-exit-strict-mode.js fails only in default-ftl mode:
-----------------------------------------------------------------------------------
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Segmentation fault
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: ERROR: Unexpected exit code: 139
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager fails only in ftl-eager mode:
-------------------------------------------------------------------------------------------
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Segmentation fault
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: ERROR: Unexpected exit code: 139
Michael Saboff
(In reply to comment #0)
> stress/varargs-closure-inlined-exit-strict-mode.js and
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager
> introduced in the gigantic https://trac.webkit.org/changeset/181993 and fail
> on AArch64 Linux, maybe on iOS too,
> but I have no information about it, because there is no public iOS tester
> bot.
>
> stress/varargs-closure-inlined-exit-strict-mode.js fails only in default-ftl
> mode:
> -----------------------------------------------------------------------------
> ------
> stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Abstract
> value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type
> outside SpecFullDouble.
> stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Segmentation
> fault
> stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: ERROR:
> Unexpected exit code: 139
>
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager fails only in
> ftl-eager mode:
> -----------------------------------------------------------------------------
> --------------
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Abstract value
> (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside
> SpecFullDouble.
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Segmentation
> fault
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: ERROR:
> Unexpected exit code: 139
These are the new failures we saw on iOS AArch64 after r181993:
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-mixed-alias.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-mixed-alias.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-unexpected-escape.js.layout-ftl-eager-no-cjit
regress/script-tests/deltablue-varargs.js.default-ftl
regress/script-tests/deltablue-varargs.js.ftl-eager
regress/script-tests/deltablue-varargs.js.ftl-eager-no-cjit
regress/script-tests/deltablue-varargs.js.ftl-no-cjit-validate
These have since been fixed.
Csaba Osztrogonác
release crash log on Linux X86_64 with LLVM 3.6:
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 1 0x2b9e7554f7d7 WTFCrash
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 2 0x2b9e75069e6b JSC::DFG::AbstractValue::fixTypeForRepresentation(unsigned int)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 3 0x2b9e7509d573 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 4 0x2b9e750a0175 bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 5 0x2b9e75144588 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 6 0x2b9e75144cf6 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 7 0x2b9e751bec65 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 8 0x2b9e7555d525
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 9 0x2b9e75583dda
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 10 0x2b9e7592d182
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 11 0x2b9e75f4147d clone
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: Segmentation fault (core dumped)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: ERROR: Unexpected exit code: 139
Csaba Osztrogonác
Unfortunately it is impossible to reproduce these crashes
in debug mode, so we won't be able to get a better backtrace.
Csaba Osztrogonác
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl passes now,
but FTL isn't triggered anymore for this test, so the bug can still be
valid.
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager passes too,
but FTL isn't triggered ... It's strange, I thought FTL is always
triggered in "ftl-eager" cases.
Zan Dobersek
These failures aren't exhibited anymore.