Bug 152756

Summary: stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, keith_miller, mark.lam, msaboff, saam
Priority: P2
Version: WebKit Nightly Build
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 150279
Attachments:
  the patch (Flags: saam: review+)

Description Filip Pizlo 2016-01-05 13:28:52 PST
Here's what I see:

stress/v8-crypto-strict.js.ftl-eager-no-cjit: 1   0x10bba0d31 WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 2   0x10b86b9b1 JSC::B3::PatchpointSpecial::generate(JSC::B3::Air::Inst&, JSC::CCallHelpers&, JSC::B3::Air::GenerationContext&)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 3   0x10b7dbbcd JSC::B3::Air::generate(JSC::B3::Air::Code&, JSC::CCallHelpers&)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 4   0x10bd255f4 JSC::FTL::compile(JSC::FTL::State&, JSC::DFG::Safepoint::Result&)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 5   0x10ba7317f JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 6   0x10ba725e5 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 7   0x10b9ccff5 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 8   0x10ba4c832 JSC::DFG::triggerFTLReplacementCompile(JSC::VM*, JSC::CodeBlock*, JSC::DFG::JITCode*)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 9   0x10ba4bfc9 JSC::DFG::triggerTierUpNowCommon(JSC::ExecState*, bool)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 10  0x31fb2ee4d060
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 11  0x31fb2ee4c200
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 12  0x31fb2ee44594
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 13  0x10bdfa34c llint_entry
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 14  0x10bdfa34c llint_entry
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 15  0x31fb2ee1bc0b
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 16  0x10bdf44dc vmEntryToJavaScript
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 17  0x10bc8717e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 18  0x10bc5731b JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 19  0x10b9153f5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 20  0x10b777df3 jscmain(int, char**)
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 21  0x10b7773aa main
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 22  0x7fff864bb5c9 start
stress/v8-crypto-strict.js.ftl-eager-no-cjit: 23  0x11
stress/v8-crypto-strict.js.ftl-eager-no-cjit: test_script_19251: line 2:  4739 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateGraph\=true --useFTLJIT\=true --ftlCrashesIfCantInitializeLLVM\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 v8-crypto-strict.js )
stress/v8-crypto-strict.js.ftl-eager-no-cjit: ERROR: Unexpected exit code: 139

And the lldb backtrace is:

  * frame #0: 0x000000010087802e JavaScriptCore`WTFCrash + 62 at Assertions.cpp:321
    frame #1: 0x000000010014c1e2 JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::VectorBufferBase<JSC::CachedRecovery*>::allocateBuffer(newCapacity=<unavailable>) + 1074 at Vector.h:266
    frame #2: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::VectorBuffer<JSC::CachedRecovery*, 0ul>::VectorBuffer(capacity=<unavailable>, size=<unavailable>) at Vector.h:372
    frame #3: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::Vector<JSC::CachedRecovery*, 0ul, WTF::CrashOnOverflow, 16ul>::Vector(size=<unavailable>) at Vector.h:615
    frame #4: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(JSC::CCallHelpers&, JSC::CallFrameShuffleData const&) [inlined] WTF::Bag<JSC::CachedRecovery>::Bag(size=<unavailable>) at Vector.h:620
    frame #5: 0x000000010014c1dd JavaScriptCore`JSC::CallFrameShuffler::CallFrameShuffler(this=<unavailable>, jit=<unavailable>, data=<unavailable>) + 1069 at CallFrameShuffler.cpp:47
    frame #6: 0x000000010042bd31 JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) [inlined] JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall(jit=0x00007fff5fbfd050)::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)::operator()(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&) const + 615 at FTLLowerDFGToLLVM.cpp:5144
    frame #7: 0x000000010042baca JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&), JSC::FTL::(anonymous namespace)::LowerDFGToLLVM::compileTailCall()::'lambda'(JSC::CCallHelpers&, JSC::B3::StackmapGenerationParams const&)>::run(this=0x0000000104dde5f0, arguments=0x00007fff5fbfd050, arguments=<unavailable>) + 26 at SharedTask.h:90
    frame #8: 0x00000001000f69b1 JavaScriptCore`JSC::B3::PatchpointSpecial::generate(this=<unavailable>, inst=<unavailable>, jit=0x00007fff5fbfd050, context=<unavailable>) + 817 at B3PatchpointSpecial.cpp:143
    frame #9: 0x0000000100066bcd JavaScriptCore`JSC::B3::Air::generate(code=0x0000000104dda880, jit=0x00007fff5fbfd050) + 813 at AirGenerate.cpp:147
    frame #10: 0x00000001005b05f4 JavaScriptCore`JSC::FTL::compile(state=0x00007fff5fbfd120, safepointResult=<unavailable>) + 1444 at FTLB3Compile.cpp:113
    frame #11: 0x00000001002fe17f JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=<unavailable>, longLivedState=<unavailable>) + 2175 at DFGPlan.cpp:487
    frame #12: 0x00000001002fd5e5 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x0000000104b76000, longLivedState=0x00000001019eba00, threadData=<unavailable>) + 565 at DFGPlan.cpp:186
    frame #13: 0x0000000100257ff5 JavaScriptCore`JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) [inlined] WTF::PassRefPtr<JSC::DeferredCompilationCallback>::PassRefPtr<JSC::DeferredCompilationCallback>(profiledDFGCodeBlock=0x00000001018f4a00, osrEntryBytecodeIndex=<unavailable>, mustHandleValues=<unavailable>) + 1050 at DFGDriver.cpp:102
    frame #14: 0x0000000100257bdb JavaScriptCore`JSC::DFG::compile(vm=0x0000000101801000, codeBlock=0x00000001018f4400, profiledDFGCodeBlock=0x00000001018f4a00, mode=<unavailable>, osrEntryBytecodeIndex=<unavailable>, mustHandleValues=<unavailable>, passedCallback=PassRefPtr<JSC::DeferredCompilationCallback> at 0x00007fff5fbfdb30) + 43 at DFGDriver.cpp:120
    frame #15: 0x00000001002d7832 JavaScriptCore`JSC::DFG::triggerFTLReplacementCompile(vm=0x0000000101801000, codeBlock=0x00000001018f4a00, jitCode=<unavailable>) + 546 at DFGOperations.cpp:1468
    frame #16: 0x00000001002d6fc9 JavaScriptCore`JSC::DFG::triggerTierUpNowCommon(exec=<unavailable>, inLoop=<unavailable>) + 281 at DFGOperations.cpp:1495
    frame #17: 0x000045458204d060
    frame #18: 0x000045458204c1ff
    frame #19: 0x0000454582044594
    frame #20: 0x000000010068534c JavaScriptCore`llint_entry + 23693
    frame #21: 0x000000010068534c JavaScriptCore`llint_entry + 23693
    frame #22: 0x000045458201bc08
    frame #23: 0x000000010067f4dc JavaScriptCore`vmEntryToJavaScript + 299
    frame #24: 0x000000010051217e JavaScriptCore`JSC::JITCode::execute(this=<unavailable>, vm=0xffff000000000000, protoCallFrame=0x00007fff5fbfe0e0) + 158 at JITCode.cpp:80
    frame #25: 0x00000001004e231b JavaScriptCore`JSC::Interpreter::execute(this=<unavailable>, program=0x00000001018d3388, callFrame=0x0000000101843740, thisObj=<unavailable>) + 11339 at Interpreter.cpp:973
    frame #26: 0x00000001001a03f5 JavaScriptCore`JSC::evaluate(exec=0x0000000101843740, source=<unavailable>, thisValue=JSValue at 0x00007fff5fbff370, returnedException=0x00007fff5fbff4c0) + 469 at Completion.cpp:105
    frame #27: 0x0000000100002df3 jsc`jscmain(int, char**) [inlined] runWithScripts(globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700, globalObject=0x0000000101843700) + 1906 at jsc.cpp:1774
    frame #28: 0x0000000100002681 jsc`jscmain(argc=<unavailable>, argv=<unavailable>) + 529 at jsc.cpp:2000
    frame #29: 0x00000001000023aa jsc`main(argc=17, argv=0x00007fff5fbff6f0) + 154 at jsc.cpp:1699
    frame #30: 0x00007fff864bb5c9 libdyld.dylib`start + 1
Comment 1 Filip Pizlo 2016-01-05 15:02:01 PST
Created attachment 268327
the patch
Comment 2 Saam Barati 2016-01-05 15:02:58 PST
Comment on attachment 268327
the patch

r=me
Comment 3 Filip Pizlo 2016-01-05 15:37:16 PST
Landed in http://trac.webkit.org/changeset/194614