Bug 152258

Summary: Enable FTL on FreeBSD
Product: WebKit
Reporter: Ting-Wei Lan <lantw44>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, commit-queue, keith_miller, mark.lam, mcatanzaro, msaboff, saam
Priority: P2
Version: Other
Hardware: Unspecified
OS: Other

Attachments (description, flags):
Patch, none
Patch, none
The patch I used to build WebKit on FreeBSD, none
Patch, none

Description Ting-Wei Lan 2015-12-14 10:27:40 PST
FTL in JavaScriptCore is enabled by default in WebKitGTK+ 2.11.2, but there are some #if checks preventing it from building on FreeBSD. I will attach a patch to fix the problem, so we can test FTL on FreeBSD.
Comment 1 Ting-Wei Lan 2015-12-14 10:31:14 PST
Created attachment 267303 [details]
Patch
Comment 2 Ting-Wei Lan 2015-12-15 03:20:28 PST
It seems it crashes WebKitWebProcess when running Octane 2.0 JavaScript Benchmark ...
Comment 3 Ting-Wei Lan 2015-12-15 04:24:58 PST
Created attachment 267364 [details]
Patch
Comment 4 Michael Catanzaro 2015-12-15 04:53:53 PST
Well you probably don't want this if it's crashing, right?
Comment 5 Ting-Wei Lan 2015-12-15 04:56:09 PST
I think we can keep this bug open until the crash is fixed.
Comment 6 Ting-Wei Lan 2015-12-15 06:35:42 PST
Backtrace:

* thread #1: tid = 0, 0x00000008208fa0af, name = 'WebKitWebProcess', stop reason = signal SIGTRAP
  * frame #0: 0x00000008208fa0af
    frame #1: 0x0000000820900c41
    frame #2: 0x0000000820850669
    frame #3: 0x000000080a87ddc0 libjavascriptcoregtk-4.0.so.18`llint_entry + 26708
    frame #4: 0x000000080a87dd46 libjavascriptcoregtk-4.0.so.18`llint_entry + 26586
    frame #5: 0x000000080a87ddc0 libjavascriptcoregtk-4.0.so.18`llint_entry + 26708
    frame #6: 0x000000080a87ddc0 libjavascriptcoregtk-4.0.so.18`llint_entry + 26708
    frame #7: 0x000000080a877356 libjavascriptcoregtk-4.0.so.18`vmEntryToJavaScript + 334
    frame #8: 0x000000080a40e50d libjavascriptcoregtk-4.0.so.18`JSC::JITCode::execute(this=0x0000000863fc10c8, vm=0x000000081d4055c0, protoCallFrame=0x00007fffffffda10) + 221 at JITCode.cpp:80
    frame #9: 0x000000080a3d4189 libjavascriptcoregtk-4.0.so.18`JSC::Interpreter::executeCall(this=0x000000081d5d5068, callFrame=0x000000081d4bb140, function=0x0000000865633640, callType=CallTypeJS, callData=0x00007fffffffde48, thisValue=JSValue at 0x00007fffffffdab0, args=0x00007fffffffdd78) + 1497 at Interpreter.cpp:1038
    frame #10: 0x000000080a5f3d5e libjavascriptcoregtk-4.0.so.18`JSC::call(exec=0x000000081d4bb140, functionObject=JSValue at 0x00007fffffffdb68, callType=CallTypeJS, callData=0x00007fffffffde48, thisValue=JSValue at 0x00007fffffffdb50, args=0x00007fffffffdd78) + 190 at CallData.cpp:39
    frame #11: 0x000000080a5f3dc3 libjavascriptcoregtk-4.0.so.18`JSC::call(exec=0x000000081d4bb140, functionObject=JSValue at 0x00007fffffffdbe8, callType=CallTypeJS, callData=0x00007fffffffde48, thisValue=JSValue at 0x00007fffffffdbd0, args=0x00007fffffffdd78, returnedException=0x00007fffffffdd98) + 83 at CallData.cpp:44
    frame #12: 0x00000008049f2c6f libwebkit2gtk-4.0.so.37`WebCore::JSMainThreadExecState::call(exec=0x000000081d4bb140, functionObject=JSValue at 0x00007fffffffdc78, callType=CallTypeJS, callData=0x00007fffffffde48, thisValue=JSValue at 0x00007fffffffdc60, args=0x00007fffffffdd78, returnedException=0x00007fffffffdd98) + 111 at JSMainThreadExecState.h:56
    frame #13: 0x0000000804ae6b68 libwebkit2gtk-4.0.so.37`WebCore::ScheduledAction::executeFunctionInContext(this=0x00000008649c47a8, globalObject=0x000000081d4bb100, thisValue=JSValue at 0x00007fffffffde68, context=0x000000081d426ae0) + 728 at ScheduledAction.cpp:104
    frame #14: 0x0000000804ae6624 libwebkit2gtk-4.0.so.37`WebCore::ScheduledAction::execute(this=0x00000008649c47a8, document=0x000000081d426a40) + 388 at ScheduledAction.cpp:125
    frame #15: 0x0000000804ae6473 libwebkit2gtk-4.0.so.37`WebCore::ScheduledAction::execute(this=0x00000008649c47a8, context=0x000000081d426ae0) + 67 at ScheduledAction.cpp:78
    frame #16: 0x000000080563cd0b libwebkit2gtk-4.0.so.37`WebCore::DOMTimer::fired(this=0x00000008795ff130) + 1131 at DOMTimer.cpp:348
    frame #17: 0x00000008057dd98c libwebkit2gtk-4.0.so.37`WebCore::ThreadTimers::sharedTimerFiredInternal(this=0x000000081d5ca5c8) + 396 at ThreadTimers.cpp:121
    frame #18: 0x00000008057de5f1 libwebkit2gtk-4.0.so.37`(this=0x0000000808cc7a08)::operator()() const + 33 at ThreadTimers.cpp:73
    frame #19: 0x00000008057de52c libwebkit2gtk-4.0.so.37`std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() [inlined] decltype(this=0x0000000808cc7a08, __f=0x0000000808cc7a08)::$_0&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) + 60 at __functional_base:413
    frame #20: 0x00000008057de51b libwebkit2gtk-4.0.so.37`std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator(this=0x0000000808cc7a00)() + 43 at functional:1370
    frame #21: 0x0000000803bdecad libwebkit2gtk-4.0.so.37`std::__1::function<void ()>::operator(this=0x0000000808cc7a00)() const + 141 at functional:1756
    frame #22: 0x00000008057baa0e libwebkit2gtk-4.0.so.37`WebCore::MainThreadSharedTimer::fired(this=0x0000000808cc79f0) + 110 at MainThreadSharedTimer.cpp:52
    frame #23: 0x000000080612cede libwebkit2gtk-4.0.so.37`WTF::RunLoop::Timer<WebCore::MainThreadSharedTimer>::fired(this=0x0000000808cc7a30) + 110 at RunLoop.h:131
    frame #24: 0x000000080aa652ed libjavascriptcoregtk-4.0.so.18`(this=0x0000000000000000, userData=0x0000000808cc7a30)::operator()(gpointer) const + 45 at RunLoopGLib.cpp:131
    frame #25: 0x000000080aa652b8 libjavascriptcoregtk-4.0.so.18`(userData=0x0000000808cc7a30)::__invoke(gpointer) + 24 at RunLoopGLib.cpp:129
    frame #26: 0x000000080aa653e6 libjavascriptcoregtk-4.0.so.18`WTF::$_0::operator(this=0x0000000000000000, source=0x000000081d3105e0, callback=0x000000080aa652a0, userData=0x0000000808cc7a30)(_GSource*, int (*)(void*), void*) const + 86 at RunLoopGLib.cpp:44
    frame #27: 0x000000080aa65388 libjavascriptcoregtk-4.0.so.18`WTF::$_0::__invoke(source=0x000000081d3105e0, callback=0x000000080aa652a0, userData=0x0000000808cc7a30)(void*), void*) + 40 at RunLoopGLib.cpp:39
    frame #28: 0x000000080d32c5c8 libglib-2.0.so.0`g_main_context_dispatch + 312
    frame #29: 0x000000080d32c8fb libglib-2.0.so.0`??? + 411
    frame #30: 0x000000080d32cc0f libglib-2.0.so.0`g_main_loop_run + 207
    frame #31: 0x000000080aa6482d libjavascriptcoregtk-4.0.so.18`WTF::RunLoop::run() + 189 at RunLoopGLib.cpp:94
    frame #32: 0x00000008044ebb2d libwebkit2gtk-4.0.so.37`int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(argc=2, argv=0x00007fffffffe618) + 253 at ChildProcessMain.h:61
    frame #33: 0x00000008044eba1b libwebkit2gtk-4.0.so.37`WebKit::WebProcessMainUnix(argc=2, argv=0x00007fffffffe618) + 27 at WebProcessMainGtk.cpp:77
    frame #34: 0x0000000000400bf5 WebKitWebProcess`main(argc=2, argv=0x00007fffffffe618) + 69 at WebProcessMain.cpp:44
    frame #35: 0x0000000000400acf WebKitWebProcess`_start + 367
Comment 7 Michael Catanzaro 2016-02-09 06:29:19 PST
Might test to see if it's still broken in 2.11.5 (with B3 instead of LLVM).
Comment 8 Ting-Wei Lan 2016-02-09 23:28:39 PST
Comment on attachment 267364 [details]
Patch

This patch is no longer needed because the FTL JIT uses B3 now, although another patch is required to get it to build.
Comment 9 Ting-Wei Lan 2016-02-10 06:55:55 PST
Created attachment 270987 [details]
The patch I used to build WebKit on FreeBSD

This is the patch I used to make WebKit build on FreeBSD. I didn't add a ChangeLog entry because it is probably not ready for review. I hope that my modifications are correct, so my test result can be useful for debugging. ARM, ARM64 and MIPS are untested because I don't have these hardware devices running FreeBSD, and I currently don't have time to set up QEMU to test them.
Comment 10 Ting-Wei Lan 2016-02-10 10:14:00 PST
FreeBSD 10.3-BETA1 x86_64, WebKit trunk r196364.

testb3 always passes, but running the Octane benchmark seldom succeeds. WebKitWebProcess usually crashes with the following message.

ASSERTION FAILED: value.isUndefinedOrNull()
../../Source/JavaScriptCore/bytecode/SpeculatedType.cpp(394) : SpeculatedType JSC::speculationFromValue(JSC::JSValue)

[Backtrace provided by GDB]
Core was generated by `WebKitWebProcess'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000080b36d06a in WTFCrash () from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#1  0x000000080a7c9617 in JSC::speculationFromValue(JSC::JSValue) () from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#2  0x000000080a75be34 in JSC::ValueProfileBase<1u>::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&) ()
   from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#3  0x000000080a74d0f2 in JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) ()
   from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#4  0x000000080a74d1bd in JSC::CodeBlock::updateAllValueProfilePredictions() ()
   from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#5  0x000000080a74ac29 in JSC::CodeBlock::updateAllPredictions() () from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#6  0x000000080ad670e8 in operationOptimize () from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#7  0x0000000822cd5731 in ?? ()
#8  0x000000081e42ff80 in ?? ()
#9  0x000000081e4055d8 in ?? ()
#10 0x000000087fc3f4f0 in ?? ()
#11 0x000000081e4055d8 in ?? ()
#12 0x00007fffffffa450 in ?? ()
#13 0x0000000803d808ca in JSC::CopyBarrierBase::set(JSC::VM&, JSC::JSCell const*, void*) ()
   from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37
#14 0x000000082364a781 in ?? ()
#15 0x000000087347ba60 in ?? ()
#16 0x00000008648cb580 in ?? ()
#17 0x0000000100000008 in ?? ()
#18 0x00000008652fbd90 in ?? ()
#19 0xffff00007fe0fc6a in ?? ()
#20 0x00000008994c3a60 in ?? ()
#21 0x0000000000000007 in ?? ()
#22 0x0000000800000006 in ?? ()
#23 0xffff000000000000 in ?? ()
#24 0xffff0000000a3943 in ?? ()
#25 0xffff0000000a394c in ?? ()
#26 0x0000000803d7f9fd in JSC::JSNonFinalObject::finishCreation(JSC::VM&) () from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37
#27 0x0000000822f99167 in ?? ()
#28 0x0000000885a51a80 in ?? ()
#29 0x00000008648cb610 in ?? ()
#30 0x0000000000000005 in ?? ()
#31 0x00000008652fbd90 in ?? ()
#32 0xffff00007fe0fc6a in ?? ()
#33 0x0000000000000007 in ?? ()
#34 0xffff000000000000 in ?? ()
#35 0x0000000000000006 in ?? ()
#36 0x000000087b035870 in ?? ()
#37 0x00000008678bfd00 in ?? ()
#38 0x0000000864692900 in ?? ()
#39 0x000000081e4055c0 in ?? ()
#40 0x000000087b035870 in ?? ()
#41 0x00000008678bfd00 in ?? ()
#42 0x00007fffffffa7b0 in ?? ()
#43 0x000000000000000a in ?? ()
#44 0x00007fffffffa7b0 in ?? ()
#45 0x000000082285ef51 in ?? ()
#46 0x00000008786b2fc0 in ?? ()
#47 0x00000008648f27d0 in ?? ()
#48 0x0000000800000003 in ?? ()
#49 0x000000087fc3f510 in ?? ()
#50 0x00000008652fbd90 in ?? ()
#51 0x0000000000000006 in ?? ()
#52 0x00007fffffffa870 in ?? ()
#53 0x000000082364a781 in ?? ()
#54 0x00000008634a3040 in ?? ()
#55 0x00000008648cb580 in ?? ()
#56 0x0000000e00000008 in ?? ()
#57 0x000000087fc3f4e0 in ?? ()
#58 0x0000000800000000 in ?? ()
#59 0x000000086349f580 in ?? ()
#60 0x0000000000000007 in ?? ()
#61 0x0000000800000006 in ?? ()
#62 0x00000008652fbd90 in ?? ()
#63 0x000000087fc3f510 in ?? ()
#64 0xffff0000000a393f in ?? ()
#65 0x000000087fc3f4e0 in ?? ()
#66 0x00000008652fbd90 in ?? ()
#67 0xffff000000000002 in ?? ()
#68 0xffff000000000000 in ?? ()
#69 0xffff000000000002 in ?? ()
#70 0x00007fffffffa870 in ?? ()
#71 0x00000008229bfecc in ?? ()
#72 0x00000008786b4320 in ?? ()
#73 0x00000008648c9f00 in ?? ()
#74 0x000000086349e3b0 in ?? ()
#75 0x0000000000000002 in ?? ()
#76 0x000000086484b140 in ?? ()
#77 0x00000008702e2900 in ?? ()
#78 0x000000000000000a in ?? ()
#79 0x00000000000a3943 in ?? ()
#80 0x000000000000000a in ?? ()
#81 0x000000087fc3f4e0 in ?? ()
#82 0x000000000000000a in ?? ()
#83 0x000000000000000a in ?? ()
#84 0x000000000000000a in ?? ()
#85 0x000000000000000a in ?? ()
#86 0x0000000000000006 in ?? ()
#87 0x0000000000000007 in ?? ()
#88 0x000000086349f580 in ?? ()
#89 0x0000000000000001 in ?? ()
#90 0x00000008652fbd90 in ?? ()
#91 0xffff000000000002 in ?? ()
#92 0xffff000000000000 in ?? ()
#93 0xffff000000000002 in ?? ()
#94 0x00007fffffffaa90 in ?? ()
#95 0x0000000822f9c641 in ?? ()
#96 0x00000008786bd860 in ?? ()
#97 0x00000008648cb5b0 in ?? ()
#98 0x0000000d00000006 in ?? ()
#99 0x00000008652fbd90 in ?? ()
#100 0xffff00007fe0fc6a in ?? ()
#101 0xffff000000000009 in ?? ()
#102 0x0000000000000007 in ?? ()
#103 0xffff000000000000 in ?? ()
#104 0x0000000000000007 in ?? ()
#105 0x00000008678bfd00 in ?? ()
#106 0x0000000864692900 in ?? ()
#107 0x000000081e4055c0 in ?? ()
#108 0x000000087b0358a0 in ?? ()
#109 0x00000008678bfd00 in ?? ()
#110 0x00007fffffffa9d0 in ?? ()
#111 0x000000000000000a in ?? ()
#112 0x00007fffffffa9d0 in ?? ()
#113 0xffff000000000030 in ?? ()
#114 0x00000008994c3a90 in ?? ()
#115 0x00000008648f27d0 in ?? ()
#116 0x0000000800000003 in ?? ()
#117 0x000000087fc3f530 in ?? ()
#118 0x00000008652fbd90 in ?? ()
#119 0x0000000000000006 in ?? ()
#120 0x0000000000000001 in ?? ()
#121 0x000000081e405668 in ?? ()
#122 0x00000008634a3040 in ?? ()
#123 0x000000081e405668 in ?? ()
#124 0x00007fffffffa980 in ?? ()
#125 0x000000087fc3f500 in ?? ()
#126 0x0000000800000000 in ?? ()
#127 0x000000086349f580 in ?? ()
#128 0x00007fffffffa9b0 in ?? ()
#129 0x0000000803d8099f in JSC::Heap::writeBarrier(JSC::JSCell const*) () from /home/lantw44/gnome/source/webkit-trunk/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

[Backtrace provided by LLDB]
* thread #1: tid = 0, 0x000000080b36d06a libjavascriptcoregtk-4.0.so.18`::WTFCrash() + 42 at Assertions.cpp:321, name = 'WebKitWebProcess', stop reason = signal SIGSEGV
  * frame #0: 0x000000080b36d06a libjavascriptcoregtk-4.0.so.18`::WTFCrash() + 42 at Assertions.cpp:321
    frame #1: 0x000000080a7c9617 libjavascriptcoregtk-4.0.so.18`JSC::speculationFromValue(value=JSValue at 0x00007fffffff9dd0) + 375 at SpeculatedType.cpp:394
    frame #2: 0x000000080a75be34 libjavascriptcoregtk-4.0.so.18`JSC::ValueProfileBase<1u>::computeUpdatedPrediction(this=0x000000088a7713a0, (null)=0x00007fffffff9ea8) + 132 at ValueProfile.h:145
    frame #3: 0x000000080a74d0f2 libjavascriptcoregtk-4.0.so.18`JSC::CodeBlock::updateAllPredictionsAndCountLiveness(this=0x000000087347ba60, numberOfLiveNonArgumentValueProfiles=0x00007fffffff9ee4, numberOfSamplesInProfiles=0x00007fffffff9ee0) + 258 at CodeBlock.cpp:3847
    frame #4: 0x000000080a74d1bd libjavascriptcoregtk-4.0.so.18`JSC::CodeBlock::updateAllValueProfilePredictions(this=0x000000087347ba60) + 29 at CodeBlock.cpp:3863
    frame #5: 0x000000080a74ac29 libjavascriptcoregtk-4.0.so.18`JSC::CodeBlock::updateAllPredictions(this=0x000000087347ba60) + 25 at CodeBlock.cpp:3884
    frame #6: 0x000000080ad670e8 libjavascriptcoregtk-4.0.so.18`::operationOptimize(exec=0x00007fffffffa500, bytecodeIndex=0) + 616 at JITOperations.cpp:1136
    frame #7: 0x0000000822cd5731
    frame #8: 0x000000082364a781
    frame #9: 0x0000000822f99167
    frame #10: 0x0000000822f9c641
    frame #11: 0x000000082364bcbf
    frame #12: 0x0000000822f99167
    frame #13: 0x0000000822f9c641
    frame #14: 0x00000008239a06a9
    frame #15: 0x00000008239e5208
    frame #16: 0x0000000822298b7a
    frame #17: 0x00000008239b0c77
    frame #18: 0x00000008239ba093
    frame #19: 0x000000082397b0c8
    frame #20: 0x000000082326ed56
    frame #21: 0x00000008239cb19d
    frame #22: 0x0000000823994055
    frame #23: 0x00000008239e5208
    frame #24: 0x000000082325ad5f
    frame #25: 0x0000000823992d8f
    frame #26: 0x00000008239e5208
    frame #27: 0x000000080b1ee9ef libjavascriptcoregtk-4.0.so.18`llint_entry + 26707
    frame #28: 0x000000080b1ee9ef libjavascriptcoregtk-4.0.so.18`llint_entry + 26707
    frame #29: 0x000000080b1eea69 libjavascriptcoregtk-4.0.so.18`llint_entry + 26829
    frame #30: 0x000000080b1ee9ef libjavascriptcoregtk-4.0.so.18`llint_entry + 26707
    frame #31: 0x000000080b1ee9ef libjavascriptcoregtk-4.0.so.18`llint_entry + 26707
    frame #32: 0x000000080b1ee9ef libjavascriptcoregtk-4.0.so.18`llint_entry + 26707
    frame #33: 0x000000080b1ee9ef libjavascriptcoregtk-4.0.so.18`llint_entry + 26707
    frame #34: 0x0000000821c8b9da
    frame #35: 0x0000000821dbdbe6
    frame #36: 0x0000000821c9b7ef
    frame #37: 0x0000000822849327
    frame #38: 0x000000080b1e7f86 libjavascriptcoregtk-4.0.so.18`llintPCRangeStart + 334
    frame #39: 0x000000080ad5211d libjavascriptcoregtk-4.0.so.18`JSC::JITCode::execute(this=0x00000008825f41e0, vm=0x000000081e4055c0, protoCallFrame=0x00007fffffffccf0) + 221 at JITCode.cpp:80
    frame #40: 0x000000080ad157a9 libjavascriptcoregtk-4.0.so.18`JSC::Interpreter::executeCall(this=0x000000081e5d5068, callFrame=0x000000081e493140, function=0x0000000864af2e30, callType=CallTypeJS, callData=0x00007fffffffd1f8, thisValue=JSValue at 0x00007fffffffcd90, args=0x00007fffffffd128) + 1497 at Interpreter.cpp:1035
    frame #41: 0x000000080af3dafe libjavascriptcoregtk-4.0.so.18`JSC::call(exec=0x000000081e493140, functionObject=JSValue at 0x00007fffffffce48, callType=CallTypeJS, callData=0x00007fffffffd1f8, thisValue=JSValue at 0x00007fffffffce30, args=0x00007fffffffd128) + 190 at CallData.cpp:40
    frame #42: 0x000000080af3db63 libjavascriptcoregtk-4.0.so.18`JSC::call(exec=0x000000081e493140, functionObject=JSValue at 0x00007fffffffcec8, callType=CallTypeJS, callData=0x00007fffffffd1f8, thisValue=JSValue at 0x00007fffffffceb0, args=0x00007fffffffd128, returnedException=0x00007fffffffd148) + 83 at CallData.cpp:45
    frame #43: 0x000000080af3dd51 libjavascriptcoregtk-4.0.so.18`JSC::profiledCall(exec=0x000000081e493140, reason=Other, functionObject=JSValue at 0x00007fffffffcf70, callType=CallTypeJS, callData=0x00007fffffffd1f8, thisValue=JSValue at 0x00007fffffffcf58, args=0x00007fffffffd128, returnedException=0x00007fffffffd148) + 129 at CallData.cpp:64
    frame #44: 0x0000000804af40bd libwebkit2gtk-4.0.so.37`WebCore::JSMainThreadExecState::profiledCall(exec=0x000000081e493140, reason=Other, functionObject=JSValue at 0x00007fffffffd010, callType=CallTypeJS, callData=0x00007fffffffd1f8, thisValue=JSValue at 0x00007fffffffcff8, args=0x00007fffffffd128, returnedException=0x00007fffffffd148) + 125 at JSMainThreadExecState.h:74
    frame #45: 0x0000000804be95c1 libwebkit2gtk-4.0.so.37`WebCore::ScheduledAction::executeFunctionInContext(this=0x0000000881da7d70, globalObject=0x000000081e493100, thisValue=JSValue at 0x00007fffffffd218, context=0x000000081e430f60) + 737 at ScheduledAction.cpp:104
    frame #46: 0x0000000804be9074 libwebkit2gtk-4.0.so.37`WebCore::ScheduledAction::execute(this=0x0000000881da7d70, document=0x000000081e430ec0) + 388 at ScheduledAction.cpp:125
    frame #47: 0x0000000804be8ec3 libwebkit2gtk-4.0.so.37`WebCore::ScheduledAction::execute(this=0x0000000881da7d70, context=0x000000081e430f60) + 67 at ScheduledAction.cpp:78
    frame #48: 0x000000080573defb libwebkit2gtk-4.0.so.37`WebCore::DOMTimer::fired(this=0x000000088bf90688) + 1131 at DOMTimer.cpp:348
    frame #49: 0x00000008058feb1c libwebkit2gtk-4.0.so.37`WebCore::ThreadTimers::sharedTimerFiredInternal(this=0x000000081e5c97a8) + 396 at ThreadTimers.cpp:121
    frame #50: 0x00000008058ff781 libwebkit2gtk-4.0.so.37`(this=0x0000000808eddf78)::operator()() const + 33 at ThreadTimers.cpp:73
    frame #51: 0x00000008058ff6bc libwebkit2gtk-4.0.so.37`std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() [inlined] decltype(this=0x0000000808eddf78, __f=0x0000000808eddf78)::$_0&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) + 60 at __functional_base:413
    frame #52: 0x00000008058ff6ab libwebkit2gtk-4.0.so.37`std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator(this=0x0000000808eddf70)() + 43 at functional:1370
    frame #53: 0x0000000803c8f2cd libwebkit2gtk-4.0.so.37`std::__1::function<void ()>::operator(this=0x0000000808eddf70)() const + 141 at functional:1756
    frame #54: 0x00000008058d79ce libwebkit2gtk-4.0.so.37`WebCore::MainThreadSharedTimer::fired(this=0x0000000808eddf60) + 110 at MainThreadSharedTimer.cpp:52
    frame #55: 0x00000008062934ee libwebkit2gtk-4.0.so.37`WTF::RunLoop::Timer<WebCore::MainThreadSharedTimer>::fired(this=0x0000000808eddfa0) + 110 at RunLoop.h:131
    frame #56: 0x000000080b3d934d libjavascriptcoregtk-4.0.so.18`(this=0x0000000000000000, userData=0x0000000808eddfa0)::operator()(gpointer) const + 45 at RunLoopGLib.cpp:131
    frame #57: 0x000000080b3d9318 libjavascriptcoregtk-4.0.so.18`(userData=0x0000000808eddfa0)::__invoke(gpointer) + 24 at RunLoopGLib.cpp:129
    frame #58: 0x000000080b3d9446 libjavascriptcoregtk-4.0.so.18`WTF::$_0::operator(this=0x000000080b3d93c0, source=0x00000008214db200, callback=0x000000080b3d9300, userData=0x0000000808eddfa0)(_GSource*, int (*)(void*), void*) const + 86 at RunLoopGLib.cpp:44
    frame #59: 0x000000080b3d93e8 libjavascriptcoregtk-4.0.so.18`WTF::$_0::__invoke(source=0x00000008214db200, callback=0x000000080b3d9300, userData=0x0000000808eddfa0)(void*), void*) + 40 at RunLoopGLib.cpp:39
    frame #60: 0x000000080dffdac4 libglib-2.0.so.0`g_main_dispatch(context=0x000000081e053780) + 452 at gmain.c:3154
    frame #61: 0x000000080dffd8e3 libglib-2.0.so.0`g_main_context_dispatch(context=0x000000081e053780) + 51 at gmain.c:3769
    frame #62: 0x000000080dffdeb7 libglib-2.0.so.0`g_main_context_iterate(context=0x000000081e053780, block=1, dispatch=1, self=0x000000081e021f30) + 471 at gmain.c:3840
    frame #63: 0x000000080dffe3ce libglib-2.0.so.0`g_main_loop_run(loop=0x000000081e3ccc80) + 590 at gmain.c:4034
    frame #64: 0x000000080b3d888d libjavascriptcoregtk-4.0.so.18`WTF::RunLoop::run() + 189 at RunLoopGLib.cpp:94
    frame #65: 0x00000008045a5d6d libwebkit2gtk-4.0.so.37`int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(argc=2, argv=0x00007fffffffda00) + 253 at ChildProcessMain.h:61
    frame #66: 0x00000008045a5c5b libwebkit2gtk-4.0.so.37`WebKit::WebProcessMainUnix(argc=2, argv=0x00007fffffffda00) + 27 at WebProcessMainGtk.cpp:77
    frame #67: 0x0000000000400bf5 WebKitWebProcess`main(argc=2, argv=0x00007fffffffda00) + 69 at WebProcessMain.cpp:44
    frame #68: 0x0000000000400acf WebKitWebProcess`_start + 367
Comment 11 Ting-Wei Lan 2016-02-11 23:32:53 PST
The same crash problem can also be reproduced on GNU/Linux. It crashes when Octane Benchmark runs the TypeScript test. I think the crash is not FreeBSD-specific and I will upload a new patch to make FTL JIT build on FreeBSD.

Fedora 23 x86_64, WebKit trunk r196364.

ASSERTION FAILED: value.isUndefinedOrNull()
../../Source/JavaScriptCore/bytecode/SpeculatedType.cpp(394) : JSC::SpeculatedType JSC::speculationFromValue(JSC::JSValue)
1   0x7f4e86fc614d <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f4e86fc614d]
2   0x7f4e866939da <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC20speculationFromValueENS_7JSValueE+0x13e) [0x7f4e866939da]
3   0x7f4e8663f6ca <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC16ValueProfileBaseILj1EE24computeUpdatedPredictionERKNS_19ConcurrentJITLockerE+0x6c) [0x7f4e8663f6ca]
4   0x7f4e86635c02 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock36updateAllPredictionsAndCountLivenessERjS1_+0xc0) [0x7f4e86635c02]
5   0x7f4e86635cc7 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock32updateAllValueProfilePredictionsEv+0x23) [0x7f4e86635cc7]
6   0x7f4e86635dd8 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock20updateAllPredictionsEv+0x18) [0x7f4e86635dd8]
7   0x7f4e86b14c24 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x1ae0c24) [0x7f4e86b14c24]
8   0x7f4e1d0cf2d1 [0x7f4e1d0cf2d1]

[Backtrace provided by GDB]
Core was generated by `WebKitWebProcess'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f4e86fc6152 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007f4e866939da in JSC::speculationFromValue (value=...) at ../../Source/JavaScriptCore/bytecode/SpeculatedType.cpp:394
#2  0x00007f4e8663f6ca in JSC::ValueProfileBase<1u>::computeUpdatedPrediction (this=0x7f4d91d62ef8) at ../../Source/JavaScriptCore/bytecode/ValueProfile.h:145
#3  0x00007f4e86635c02 in JSC::CodeBlock::updateAllPredictionsAndCountLiveness (this=0x7f4e0280a520, numberOfLiveNonArgumentValueProfiles=@0x7ffe910dcdbc: 0, 
    numberOfSamplesInProfiles=@0x7ffe910dcdb8: 5) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3847
#4  0x00007f4e86635cc7 in JSC::CodeBlock::updateAllValueProfilePredictions (this=0x7f4e0280a520) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3863
#5  0x00007f4e86635dd8 in JSC::CodeBlock::updateAllPredictions (this=0x7f4e0280a520) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3884
#6  0x00007f4e86b14c24 in JSC::operationOptimize (exec=0x7ffe910dd110, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1136
#7  0x00007f4e1d0cf2d1 in ?? ()
#8  0x00007ffe910dd030 in ?? ()
#9  0x00007f4e72805600 in ?? ()
#10 0x00007ffe910dd040 in ?? ()
#11 0x00007f4e8cf3a8dd in std::__get_helper<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (
    __t=...) at /usr/include/c++/5.3.1/tuple:827
#12 0x00007f4e1d9b7b3e in ?? ()
#13 0x00007f4e0280a520 in ?? ()
#14 0x00007f4e0342f850 in ?? ()
#15 0x0000000100000008 in ?? ()
#16 0x00007f4e1a2b7c60 in ?? ()
#17 0xffff00007fe0fd2b in ?? ()
#18 0x00007f4d72ec3a90 in ?? ()
#19 0x0000000000000007 in ?? ()
#20 0x00007f4d00000006 in ?? ()
#21 0xffff000000000000 in ?? ()
#22 0xffff0000000faea3 in ?? ()
#23 0xffff0000000faeab in ?? ()
#24 0x00007f4d6e2e7e30 in ?? ()
#25 0x00007ffe910dd1d0 in ?? ()
#26 0x00007f4e8d7f8792 in JSC::JSArray::createWithButterfly (vm=..., structure=0x7ffe910dd270, butterfly=0xfae8c) at ../../Source/JavaScriptCore/runtime/JSArray.h:279
#27 0x00007f4e1de18d99 in ?? ()
#28 0x00007f4d91070100 in ?? ()
#29 0x00007f4e0342f8e0 in ?? ()
#30 0x0000000000000005 in ?? ()
#31 0x00007f4e1a2b7c60 in ?? ()
#32 0xffff00007fe0fd2b in ?? ()
#33 0x0000000000000007 in ?? ()
#34 0xffff000000000000 in ?? ()
#35 0x0000000000000006 in ?? ()
#36 0x00000001910dd2f0 in ?? ()
#37 0x00007f4e728055e8 in ?? ()
#38 0x00007ffe910dd300 in ?? ()
#39 0x00007f4e8cf39483 in JSC::JSCell::structure (this=0xffff000000000002) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:102
#40 0x00007f4e1cd220ba in ?? ()
#41 0x00007f4d934620e0 in ?? ()
#42 0x00007f4e0342f880 in ?? ()
#43 0x0000001000000005 in ?? ()
#44 0x00007f4e1a2b7c60 in ?? ()
#45 0xffff00007fe0fd2b in ?? ()
#46 0xffff000000000001 in ?? ()
#47 0x0000000000000007 in ?? ()
#48 0xffff000000000000 in ?? ()
#49 0x0000000000000006 in ?? ()
#50 0x000000000000000a in ?? ()
#51 0x0000000000000007 in ?? ()
#52 0x00007f4e8d25b1c4 in JSC::JSValue::isDouble (this=0xffff000000000002) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:420
#53 0x00007f4e1d0cfe9b in ?? ()
#54 0x00007f4dab8cc100 in ?? ()
#55 0x00007f4e0342fbe0 in ?? ()
#56 0x0000000500000002 in ?? ()
#57 0x00007f4e1a2b7c60 in ?? ()
#58 0xffff00007fe0fd2a in ?? ()
#59 0x00007f4e0389d6c0 in ?? ()
#60 0x00007f4e1aaa3580 in ?? ()
#61 0x00007f4e028e3e20 in ?? ()
#62 0xffff00000000001c in ?? ()
#63 0x00007f4dd5416be0 in ?? ()
#64 0x00007f4e0342fbe0 in ?? ()
#65 0x00007f4e030828c0 in ?? ()
#66 0x00007f4e028e3e20 in ?? ()
#67 0x00007f4e0389d6c0 in ?? ()
#68 0x00007f4e1aaa3580 in ?? ()
#69 0xffff000000000037 in ?? ()
#70 0x00007f4dd00cb8c0 in ?? ()
#71 0x000000000000000a in ?? ()
#72 0x000000000000000a in ?? ()
#73 0x00007f4d72ec3ac0 in ?? ()
#74 0x000000000000000a in ?? ()
#75 0xffff000000000000 in ?? ()
#76 0xffff0000000fae91 in ?? ()
#77 0x00007f4e1aaa3580 in ?? ()
#78 0x00007f4e1aaa3580 in ?? ()
#79 0xffff000000000002 in ?? ()
#80 0xffff000000000000 in ?? ()
#81 0xffff0000000fae8c in ?? ()
#82 0x00007ffe910dd7e0 in ?? ()
#83 0x00007f4e1d9b7b3e in ?? ()
#84 0x00007f4e0280a520 in ?? ()
#85 0x00007f4e0342f850 in ?? ()
#86 0x000001a700000008 in ?? ()
#87 0x00007f4e1a2b7c60 in ?? ()
#88 0xffff00007fe0fd2a in ?? ()
#89 0x00007f4dd5416be0 in ?? ()
#90 0x0000000000000007 in ?? ()
#91 0x00007f4d00000006 in ?? ()
#92 0xffff000000000000 in ?? ()
#93 0xffff0000000fae8c in ?? ()
#94 0xffff0000000fae90 in ?? ()
#95 0x00007f4d6e2e7e60 in ?? ()
#96 0x00007ffe910dd740 in ?? ()
#97 0x00007f4e8d7f8792 in JSC::JSArray::createWithButterfly (vm=..., structure=0xffff0000000fae91, butterfly=0xffff000000000000)
    at ../../Source/JavaScriptCore/runtime/JSArray.h:279
Comment 12 Ting-Wei Lan 2016-02-22 11:36:38 PST
Created attachment 271938 [details]
Patch
Comment 13 Ting-Wei Lan 2016-02-22 11:42:08 PST
Comment on attachment 271938 [details]
Patch

This patch is only tested on x86_64. Code for other architectures is neither build-tested nor run-tested because I don't have access to them.
Comment 14 WebKit Commit Bot 2016-02-22 15:03:22 PST
Comment on attachment 271938 [details]
Patch

Clearing flags on attachment: 271938

Committed r196962: <http://trac.webkit.org/changeset/196962>
Comment 15 WebKit Commit Bot 2016-02-22 15:03:29 PST
All reviewed patches have been landed. Closing bug.