Bug 143087

Summary: 2 new tests introduced in r181993 crash on Linux with enabled FTL JIT
Product: WebKit Reporter: Csaba Osztrogonác <ossy>
Component: JavaScriptCore    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: cgarcia, fpizlo, ggaren, mark.lam, msaboff, oliver, ossy, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 108645, 141174, 143605, 143822    

Description Csaba Osztrogonác 2015-03-26 02:47:49 PDT
stress/varargs-closure-inlined-exit-strict-mode.js and stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager
were introduced in the gigantic https://trac.webkit.org/changeset/181993 and fail on AArch64 Linux, maybe on iOS too,
but I have no information about it, because there is no public iOS tester bot.

stress/varargs-closure-inlined-exit-strict-mode.js fails only in default-ftl mode:
-----------------------------------------------------------------------------------
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Segmentation fault
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: ERROR: Unexpected exit code: 139

stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager fails only in ftl-eager mode:
-------------------------------------------------------------------------------------------
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Segmentation fault
stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: ERROR: Unexpected exit code: 139
Comment 1 Michael Saboff 2015-03-26 13:37:17 PDT
(In reply to comment #0)
> stress/varargs-closure-inlined-exit-strict-mode.js and
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager
> introduced in the gigantic https://trac.webkit.org/changeset/181993 and fail
> on AArch64 Linux, maybe on iOS too,
> but I have no information about it, because there is no public iOS tester
> bot.
> 
> stress/varargs-closure-inlined-exit-strict-mode.js fails only in default-ftl
> mode:
> -----------------------------------------------------------------------------
> ------
> stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Abstract
> value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type
> outside SpecFullDouble.
> stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: Segmentation
> fault
> stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl: ERROR:
> Unexpected exit code: 139
> 
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager fails only in
> ftl-eager mode:
> -----------------------------------------------------------------------------
> --------------
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Abstract value
> (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside
> SpecFullDouble.
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: Segmentation
> fault
> stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager: ERROR:
> Unexpected exit code: 139

These are the new failures we saw on iOS AArch64 after r181993:
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias.js.layout-ftl 
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias.js.layout-ftl-eager-no-cjit   
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias.js.layout-ftl-no-cjit 
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-mixed-alias.js.layout-ftl   
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-mixed-alias.js.layout-ftl-no-cjit   
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js.layout-ftl  
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js.layout-ftl-eager-no-cjit    
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js.layout-ftl-no-cjit  
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js.layout-ftl      
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js.layout-ftl-eager-no-cjit        
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js.layout-ftl-no-cjit      
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit.js.layout-ftl      
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit.js.layout-ftl-eager-no-cjit        
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-osr-exit.js.layout-ftl-no-cjit      
jsc-layout-tests.yaml/js/script-tests/dfg-arguments-unexpected-escape.js.layout-ftl-eager-no-cjit       
regress/script-tests/deltablue-varargs.js.default-ftl   
regress/script-tests/deltablue-varargs.js.ftl-eager     
regress/script-tests/deltablue-varargs.js.ftl-eager-no-cjit     
regress/script-tests/deltablue-varargs.js.ftl-no-cjit-validate

These have since been fixed.
Comment 2 Csaba Osztrogonác 2015-04-10 08:15:52 PDT
release crash log on Linux X86_64 with LLVM 3.6:

stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 1   0x2b9e7554f7d7 WTFCrash
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 2   0x2b9e75069e6b JSC::DFG::AbstractValue::fixTypeForRepresentation(unsigned int)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 3   0x2b9e7509d573 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 4   0x2b9e750a0175 bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 5   0x2b9e75144588 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 6   0x2b9e75144cf6 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 7   0x2b9e751bec65 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 8   0x2b9e7555d525
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 9   0x2b9e75583dda
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 10  0x2b9e7592d182
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: 11  0x2b9e75f4147d clone
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: Segmentation fault (core dumped)
stress/varargs-varargs-inlined-exit-strict-mode.js.default-ftl: ERROR: Unexpected exit code: 139
Comment 3 Csaba Osztrogonác 2015-04-10 09:21:15 PDT
Unfortunately it is impossible to reproduce these crashes
in debug mode, so we won't be able to get a better backtrace.
Comment 4 Csaba Osztrogonác 2015-10-27 10:51:17 PDT
stress/varargs-closure-inlined-exit-strict-mode.js.default-ftl passes now,
but FTL isn't triggered anymore for this test, so the bug can still be
valid.

stress/varargs-varargs-inlined-exit-strict-mode.js.ftl-eager passes too,
but FTL isn't triggered ... It's strange, I thought FTL was always
triggered in "ftl-eager" cases.
Comment 5 Zan Dobersek 2017-10-18 01:40:16 PDT
These failures aren't exhibited anymore.