Bug 152756

Summary:

stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, keith_miller, mark.lam, msaboff, saam

Priority:

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

150279

Attachments:

Description	Flags
the patch	saam: review+

Filip Pizlo

Reported 2016-01-05 13:28:52 PST

Here's what I see: stress/v8-crypto-strict.js.ftl-eager-no-cjit: 1 0x10bba0d31 WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 2 0x10b86b9b1 JSC::B3::PatchpointSpecial::generate(JSC::B3::Air::Inst&, JSC::CCallHelpers&, JSC::B3::Air::GenerationContext&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 3 0x10b7dbbcd JSC::B3::Air::generate(JSC::B3::Air::Code&, JSC::CCallHelpers&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 4 0x10bd255f4 JSC::FTL::compile(JSC::FTL::State&, JSC::DFG::Safepoint::Result&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 5 0x10ba7317f JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 6 0x10ba725e5 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 7 0x10b9ccff5 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 8 0x10ba4c832 JSC::DFG::triggerFTLReplacementCompile(JSC::VM*, JSC::CodeBlock*, JSC::DFG::JITCode*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 9 0x10ba4bfc9 JSC::DFG::triggerTierUpNowCommon(JSC::ExecState*, bool) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 10 0x31fb2ee4d060 stress/v8-crypto-strict.js.ftl-eager-no-cjit: 11 0x31fb2ee4c200 stress/v8-crypto-strict.js.ftl-eager-no-cjit: 12 0x31fb2ee44594 stress/v8-crypto-strict.js.ftl-eager-no-cjit: 13 0x10bdfa34c llint_entry stress/v8-crypto-strict.js.ftl-eager-no-cjit: 14 0x10bdfa34c llint_entry stress/v8-crypto-strict.js.ftl-eager-no-cjit: 15 0x31fb2ee1bc0b stress/v8-crypto-strict.js.ftl-eager-no-cjit: 16 0x10bdf44dc vmEntryToJavaScript stress/v8-crypto-strict.js.ftl-eager-no-cjit: 17 0x10bc8717e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 18 0x10bc5731b JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 19 0x10b9153f5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 20 0x10b777df3 jscmain(int, char**) stress/v8-crypto-strict.js.ftl-eager-no-cjit: 21 0x10b7773aa main stress/v8-crypto-strict.js.ftl-eager-no-cjit: 22 0x7fff864bb5c9 start stress/v8-crypto-strict.js.ftl-eager-no-cjit: 23 0x11 stress/v8-crypto-strict.js.ftl-eager-no-cjit: test_script_19251: line 2: 4739 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateGraph\=true --useFTLJIT\=true --ftlCrashesIfCantInitializeLLVM\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 v8-crypto-strict.js ) stress/v8-crypto-strict.js.ftl-eager-no-cjit: ERROR: Unexpected exit code: 139 And the lldb backtrace is: * frame #0: 0x000000010087802e JavaScriptCore`WTFCrash + 62 at Assertions.cpp:321 frame #1: 0x000000010014c1e2 JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::VectorBufferBase<JSC::CachedRecovery*>::allocateBuffer(newCapacity=<unavailable>) + 1074 at Vector.h:266 frame #2: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::VectorBuffer<JSC::CachedRecovery*, 0ul>::VectorBuffer(capacity=<unavailable>, size=<unavailable>) at Vector.h:372 frame #3: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::Vector<JSC::CachedRecovery*, 0ul, WTF::CrashOnOverflow, 16ul>::Vector(size=<unavailable>) at Vector.h:615 frame #4: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::Bag<JSC::CachedRecovery>::Bag(size=<unavailable>) at Vector.h:620 frame #5: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(this=<unavailable>, jit=<unavailable>, data=<unavailable>) + 1069 at CallFrameShuffler.cpp:47 frame #6: 0x000000010042bd31 JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) [inlined] JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall(jit=0x00007fff5fbfd050)::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)::operator()(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) const + 615 at FTLLowerDFGToLLVM.cpp:5144 frame #7: 0x000000010042baca JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(this=0x0000000104dde5f0, arguments=0x00007fff5fbfd050, arguments=<unavailable>) + 26 at SharedTask.h:90 frame #8: 0x00000001000f69b1 JavaScriptCore`JSC::B3::PatchpointSpecial::generate(this=<unavailable>, inst=<unavailable>, jit=0x00007fff5fbfd050, context=<unavailable>) + 817 at B3PatchpointSpecial.cpp:143 frame #9: 0x0000000100066bcd JavaScriptCore`JSC::B3::Air::generate(code=0x0000000104dda880, jit=0x00007fff5fbfd050) + 813 at AirGenerate.cpp:147 frame #10: 0x00000001005b05f4 JavaScriptCore`JSC::FTL::compile(state=0x00007fff5fbfd120, safepointResult=<unavailable>) + 1444 at FTLB3Compile.cpp:113 frame #11: 0x00000001002fe17f JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=<unavailable>, longLivedState=<unavailable>) + 2175 at DFGPlan.cpp:487 frame #12: 0x00000001002fd5e5 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x0000000104b76000, longLivedState=0x00000001019eba00, threadData=<unavailable>) + 565 at DFGPlan.cpp:186 frame #13: 0x0000000100257ff5 JavaScriptCore`JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) [inlined] WTF::PassRefPtr<JSC::DeferredCompilationCallback>::PassRefPtr<JSC::DeferredCompilationCallback>(profiledDFGCodeBlock=0x00000001018f4a00, osrEntryBytecodeIndex=<unavailable>, mustHandleValues=<unavailable>) + 1050 at DFGDriver.cpp:102 frame #14: 0x0000000100257bdb JavaScriptCore`JSC::DFG::compile(vm=0x0000000101801000, codeBlock=0x00000001018f4400, profiledDFGCodeBlock=0x00000001018f4a00, mode=<unavailable>, osrEntryBytecodeIndex=<unavailable>, mustHandleValues=<unavailable>, passedCallback=PassRefPtr<JSC::DeferredCompilationCallback> at 0x00007fff5fbfdb30) + 43 at DFGDriver.cpp:120 frame #15: 0x00000001002d7832 JavaScriptCore`JSC::DFG::triggerFTLReplacementCompile(vm=0x0000000101801000, codeBlock=0x00000001018f4a00, jitCode=<unavailable>) + 546 at DFGOperations.cpp:1468 frame #16: 0x00000001002d6fc9 JavaScriptCore`JSC::DFG::triggerTierUpNowCommon(exec=<unavailable>, inLoop=<unavailable>) + 281 at DFGOperations.cpp:1495 frame #17: 0x000045458204d060 frame #18: 0x000045458204c1ff frame #19: 0x0000454582044594 frame #20: 0x000000010068534c JavaScriptCore`llint_entry + 23693 frame #21: 0x000000010068534c JavaScriptCore`llint_entry + 23693 frame #22: 0x000045458201bc08 frame #23: 0x000000010067f4dc JavaScriptCore`vmEntryToJavaScript + 299 frame #24: 0x000000010051217e JavaScriptCore`JSC::JITCode::execute(this=<unavailable>, vm=0xffff000000000000, protoCallFrame=0x00007fff5fbfe0e0) + 158 at JITCode.cpp:80 frame #25: 0x00000001004e231b JavaScriptCore`JSC::Interpreter::execute(this=<unavailable>, program=0x00000001018d3388, callFrame=0x0000000101843740, thisObj=<unavailable>) + 11339 at Interpreter.cpp:973 frame #26: 0x00000001001a03f5 JavaScriptCore`JSC::evaluate(exec=0x0000000101843740, source=<unavailable>, thisValue=JSValue at 0x00007fff5fbff370, returnedException=0x00007fff5fbff4c0) + 469 at Completion.cpp:105 frame #27: 0x0000000100002df3 jsc`jscmain(int, char**) [inlined] runWithScripts(globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700) + 1906 at jsc.cpp:1774 frame #28: 0x0000000100002681 jsc`jscmain(argc=<unavailable>, argv=<unavailable>) + 529 at jsc.cpp:2000 frame #29: 0x00000001000023aa jsc`main(argc=17, argv=0x00007fff5fbff6f0) + 154 at jsc.cpp:1699 frame #30: 0x00007fff864bb5c9 libdyld.dylib`start + 1

Attachments
the patch (1.82 KB, patch) 2016-01-05 15:02 PST, Filip Pizlo	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2016-01-05 15:02:01 PST

Created attachment 268327 [details] the patch

Saam Barati

Comment 2 2016-01-05 15:02:58 PST

Comment on attachment 268327 [details] the patch r=me

Filip Pizlo

Comment 3 2016-01-05 15:37:16 PST

Landed in http://trac.webkit.org/changeset/194614

Note You need to log in before you can comment on or make changes to this bug.