Bug 156292

Summary: 32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, keith_miller, mark.lam, msaboff, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch benjamin: review+

Ryan Haddad
Reported 2016-04-06 09:31:02 PDT
JSC stress/multi-put-by-offset-multiple-transitions.js failing <https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/2006/steps/webkit-32bit-jsc-test/logs/stdio> ** The following JSC stress test failures have been introduced: stress/multi-put-by-offset-multiple-transitions.js.always-trigger-copy-phase stress/multi-put-by-offset-multiple-transitions.js.default stress/multi-put-by-offset-multiple-transitions.js.default-ftl stress/multi-put-by-offset-multiple-transitions.js.dfg-eager stress/multi-put-by-offset-multiple-transitions.js.dfg-eager-no-cjit-validate stress/multi-put-by-offset-multiple-transitions.js.dfg-maximal-flush-validate-no-cjit stress/multi-put-by-offset-multiple-transitions.js.ftl-eager stress/multi-put-by-offset-multiple-transitions.js.ftl-eager-no-cjit stress/multi-put-by-offset-multiple-transitions.js.ftl-no-cjit-no-put-stack-validate stress/multi-put-by-offset-multiple-transitions.js.ftl-no-cjit-small-pool stress/multi-put-by-offset-multiple-transitions.js.ftl-no-cjit-validate-sampling-profiler stress/multi-put-by-offset-multiple-transitions.js.no-cjit-validate-phases stress/multi-put-by-offset-multiple-transitions.js.no-llint stress/multi-put-by-offset-multiple-transitions.js.default: ASSERTION FAILED: codeBlock->canGetCodeOrigin(index) stress/multi-put-by-offset-multiple-transitions.js.default: /Volumes/Data/slave/elcapitan-32bitJSC-debug/build/Source/JavaScriptCore/interpreter/StackVisitor.cpp(114) : void JSC::StackVisitor::readFrame(CallFrame *) stress/multi-put-by-offset-multiple-transitions.js.default: 1 0xe4707d WTFCrash stress/multi-put-by-offset-multiple-transitions.js.default: 2 0xd4f180 JSC::StackVisitor::readFrame(JSC::ExecState*) stress/multi-put-by-offset-multiple-transitions.js.default: 3 0xd4effd JSC::StackVisitor::StackVisitor(JSC::ExecState*) stress/multi-put-by-offset-multiple-transitions.js.default: 4 0xd4f364 JSC::StackVisitor::StackVisitor(JSC::ExecState*) stress/multi-put-by-offset-multiple-transitions.js.default: 5 0xa7c014 void JSC::StackVisitor::visit<JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*)::$_1>(JSC::ExecState*, JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*)::$_1 const&) stress/multi-put-by-offset-multiple-transitions.js.default: 6 0xa7bc83 JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*) stress/multi-put-by-offset-multiple-transitions.js.default: 7 0x7ef056 JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [18]) stress/multi-put-by-offset-multiple-transitions.js.default: 8 0x7eee2e JSC::Heap::collect(JSC::HeapOperation) stress/multi-put-by-offset-multiple-transitions.js.default: 9 0x16de76 JSC::Heap::collectIfNecessaryOrDefer() stress/multi-put-by-offset-multiple-transitions.js.default: 10 0x16dd95 JSC::Heap::decrementDeferralDepthAndGCIfNeeded() stress/multi-put-by-offset-multiple-transitions.js.default: 11 0x16dd69 JSC::DeferGC::~DeferGC() stress/multi-put-by-offset-multiple-transitions.js.default: 12 0x16c267 JSC::DeferGC::~DeferGC() stress/multi-put-by-offset-multiple-transitions.js.default: 13 0x184fbe JSC::JSObject::setStructureAndReallocateStorageIfNecessary(JSC::VM&, unsigned int, JSC::Structure*) stress/multi-put-by-offset-multiple-transitions.js.default: 14 0x18491b JSC::JSObject::setStructureAndReallocateStorageIfNecessary(JSC::VM&, JSC::Structure*) stress/multi-put-by-offset-multiple-transitions.js.default: 15 0x93ea3e operationReallocateStorageAndFinishPut stress/multi-put-by-offset-multiple-transitions.js.default: 16 0x295d567 stress/multi-put-by-offset-multiple-transitions.js.default: 17 0x2960436 stress/multi-put-by-offset-multiple-transitions.js.default: 18 0xb2185c vmEntryToJavaScript stress/multi-put-by-offset-multiple-transitions.js.default: 19 0x928e82 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) stress/multi-put-by-offset-multiple-transitions.js.default: 20 0x8db0c9 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) stress/multi-put-by-offset-multiple-transitions.js.default: 21 0x2f8c48 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) stress/multi-put-by-offset-multiple-transitions.js.default: 22 0xc3cdc runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool, bool) stress/multi-put-by-offset-multiple-transitions.js.default: 23 0xc30ef runJSC(JSC::VM*, CommandLine) stress/multi-put-by-offset-multiple-transitions.js.default: 24 0xc246a jscmain(int, char**) stress/multi-put-by-offset-multiple-transitions.js.default: 25 0xc22f6 main stress/multi-put-by-offset-multiple-transitions.js.default: 26 0x9633d6ad start stress/multi-put-by-offset-multiple-transitions.js.default: test_script_15870: line 2: 43021 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true multi-put-by-offset-multiple-transitions.js )
Attachments
the patch (1.56 KB, patch)
2016-04-06 18:34 PDT, Filip Pizlo 		benjamin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryan Haddad
Comment 1 2016-04-06 09:32:39 PDT
The two JSC changes in the first failing run were <https://trac.webkit.org/changeset/199073> and <https://trac.webkit.org/changeset/199075>. r199073 was rolled out in r199084 for an unrelated reason, but the tests are still failing.
Ryan Haddad
Comment 2 2016-04-06 17:11:47 PDT
Filip, is this something you can look at soon or should we go ahead and roll out r199075?
Filip Pizlo
Comment 3 2016-04-06 18:15:43 PDT
This is going to be an easy fix. The code leading up to the call to operationReallocateStorageAndFinishPut doesn't stash the callsite index.
Filip Pizlo
Comment 4 2016-04-06 18:15:58 PDT
(I have a fix, testing locally.)
Filip Pizlo
Comment 5 2016-04-06 18:34:46 PDT
Created attachment 275843 [details] the patch
Filip Pizlo
Comment 6 2016-04-06 18:44:44 PDT
Landed in http://trac.webkit.org/changeset/199132
Note You need to log in before you can comment on or make changes to this bug.