Bug 155411

Summary: REGRESSION: ASSERTION FAILED: !m_lastActiveBlock on js/function-apply.html
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Joseph Pecoraro <joepeck>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, ggaren, joepeck, keith_miller, mark.lam, msaboff, oliver, ryanhaddad, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar, Regression
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
[PATCH] Proposed Fix
mark.lam: review-, ap: commit-queue-
[PATCH] Proposed Fix none

Description Alexey Proskuryakov 2016-03-13 14:14:29 PDT 
js/function-apply.html has started to sometimes assert around March 9. It's not frequent enough to pinpoint the exact revision, but it seems to be frequent enough to confuse EWS (see bug 155388).

Perhaps bug 155178?

ASSERTION FAILED: !m_lastActiveBlock
/Volumes/Data/slave/yosemite-debug/build/Source/JavaScriptCore/heap/MarkedAllocator.h(131) : void JSC::MarkedAllocator::stopAllocating()
1   0x108805030 WTFCrash
2   0x108446e1a JSC::MarkedAllocator::stopAllocating()
3   0x108446dc9 JSC::StopAllocatingFunctor::operator()(JSC::MarkedAllocator&)
4   0x108446d86 void JSC::MarkedSpace::forEachAllocator<JSC::StopAllocatingFunctor>(JSC::StopAllocatingFunctor&)
5   0x108445bd9 void JSC::MarkedSpace::forEachAllocator<JSC::StopAllocatingFunctor>()
6   0x108444c8c JSC::MarkedSpace::stopAllocating()
7   0x10844558c JSC::MarkedSpace::willStartIterating()
8   0x108107a6c JSC::Heap::willStartIterating()
9   0x107bef0d3 JSC::HeapIterationScope::HeapIterationScope(JSC::Heap&)
10  0x107bdf40d JSC::HeapIterationScope::HeapIterationScope(JSC::Heap&)
11  0x108109085 JSC::Heap::removeDeadHeapSnapshotNodes(JSC::HeapProfiler&)
12  0x10810a279 JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37])
13  0x108109c4d JSC::Heap::collect(JSC::HeapOperation)
14  0x107fe0805 JSC::EdenGCActivityCallback::doCollection()
15  0x1080f8620 JSC::GCActivityCallback::doWork()
16  0x1081248cf JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*)
17  0x7fff8ade12e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
Comment 1 Radar WebKit Bug Importer 2016-03-13 14:14:52 PDT 
<rdar://problem/25134537>
Comment 2 Geoffrey Garen 2016-03-14 15:39:30 PDT 
Joe, is this you?

Are you sure it's OK for removeDeadHeapSnapshotNodes to iterate the heap during GC? Maybe you can move this to after GC instead?
Comment 3 Ryan Haddad 2016-03-14 15:39:52 PDT 
Marked this test as flaky to unblock EWS <http://trac.webkit.org/projects/webkit/changeset/198165>
Comment 4 Joseph Pecoraro 2016-03-14 16:04:13 PDT 
(In reply to comment #2)
> Joe, is this you?

Seems likely!

> Are you sure it's OK for removeDeadHeapSnapshotNodes to iterate the heap
> during GC? Maybe you can move this to after GC instead?

Yes, I think the problem is that both Heap::gatherExtraHeapSnapshotData and Heap::removeDeadHeapSnapshotNodes take a HeapIterationScope (which does a stopAllocating/resumeAllocating) but Heap::collectImpl has already done a stopAllocating and will do a resetAllocators. Duplicate stopAllocating calls looks like it would cause this ASSERT. 

I will see if it makes sense to just drop the HeapIterationScopes here given the Heap is already stopped. It looks like it would be perfectly fine to move these snapshot operations after resetAllocators where they won't mess with the state of the allocator between the normal stop/reset of collection.

Given this test is encountering the removeDeadHeapSnapshotNodes path at all, it means imply that this VM had previously run a test that created a HeapProfiler. So that would mean the bot ran an LayoutTests/inspector/heap test and then ran this LayoutTests/js/function-apply.html, so I'll try to reproduce locally with this in mind. While the HeapProfiler will still exist for the VM, the HeapSnapshots should have been cleared when the page changed so there should essentially be no work.
Comment 5 Joseph Pecoraro 2016-03-14 16:48:26 PDT 
(In reply to comment #4)
> I will see if it makes sense to just drop the HeapIterationScopes here given
> the Heap is already stopped. It looks like it would be perfectly fine to
> move these snapshot operations after resetAllocators where they won't mess
> with the state of the allocator between the normal stop/reset of collection.

Bah, MarkedSpace::forEachLiveCell/DeadCell expects a HeapIterationScope& in its API to ensure callers have stopped allocation. So just moving the HeapProfiler work to the end of GC (after allocators are resumed) seems easiest/safest.
Comment 6 Joseph Pecoraro 2016-03-14 16:49:12 PDT 
Created attachment 274053 [details]
[PATCH] Proposed Fix
Comment 7 Joseph Pecoraro 2016-03-14 16:51:22 PDT 
(In reply to comment #4)
> So that would mean the bot ran an LayoutTests/inspector/heap
> test and then ran this LayoutTests/js/function-apply.html, so I'll try to
> reproduce locally with this in mind.

I was unable to reproduce this locally running lots of iterations of these kind of combinations.
Comment 8 Alexey Proskuryakov 2016-03-14 23:53:54 PDT 
Comment on attachment 274053 [details]
[PATCH] Proposed Fix

Please also unmark the test in TestExpectations when landing this.

FWIW, js/function-call-aliased.html is another affected test.
Comment 9 Ryan Haddad 2016-03-15 12:48:37 PDT 
Can we update the patch and land this soon? js/function-call-aliased.html is wreaking havoc on Mac EWS results.
Comment 10 Mark Lam 2016-03-15 13:29:16 PDT 
Comment on attachment 274053 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=274053&action=review

> Source/JavaScriptCore/heap/Heap.cpp:1201
> +    if (HeapProfiler* heapProfiler = m_vm->heapProfiler()) {
> +        gatherExtraHeapSnapshotData(*heapProfiler);
> +        removeDeadHeapSnapshotNodes(*heapProfiler);
> +    }
> +

Let's put this in didFinishCollection() (at the bottom) instead.  We do many heap iterations in there and collect statistics.  That would be the proper place for this.
Comment 11 Joseph Pecoraro 2016-03-15 13:43:49 PDT 
Created attachment 274121 [details]
[PATCH] Proposed Fix
Comment 12 Mark Lam 2016-03-15 13:56:49 PDT 
Comment on attachment 274121 [details]
[PATCH] Proposed Fix

r=me
Comment 13 WebKit Commit Bot 2016-03-15 14:48:02 PDT 
Comment on attachment 274121 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 274121

Committed r198229: <http://trac.webkit.org/changeset/198229>
Comment 14 WebKit Commit Bot 2016-03-15 14:48:08 PDT 
All reviewed patches have been landed.  Closing bug.