Bug 156406

Summary: Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, keith_miller, mark.lam, msaboff, ryanhaddad, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch saam: review+

Ryan Haddad
Reported 2016-04-08 10:25:51 PDT
Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool <https://build.webkit.org/builders/Apple%20El%20Capitan%20Debug%20JSC%20%28Tests%29/builds/2401> <https://build.webkit.org/builders/Apple%20Yosemite%20Debug%20JSC%20%28Tests%29/builds/5530> stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: ASSERTION FAILED: structureID && structureID < m_capacity stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: /Volumes/Data/slave/elcapitan-debug/build/Source/JavaScriptCore/runtime/StructureIDTable.h(85) : JSC::Structure *JSC::StructureIDTable::get(StructureID) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 1 0x10bf4bcb0 WTFCrash stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 2 0x10bf4bcd9 WTFCrashWithSecurityImplication stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 3 0x10afc087b JSC::StructureIDTable::get(unsigned int) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 4 0x10afc643f JSC::JSCell::structure() const stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 5 0x10b9e3c26 JSC::slowValidateCell(JSC::JSCell*) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 6 0x10afc4835 void JSC::validateCell<JSC::JSCell*>(JSC::JSCell*) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 7 0x10b0b284e JSC::WriteBarrierBase<JSC::PropertyTable>::get() const stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 8 0x10b0b2245 JSC::Structure::checkOffsetConsistency() const stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 9 0x10b0b1dfd JSC::Structure::outOfLineCapacity() const stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 10 0x10b99ab41 bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 11 0x10b99a3b9 JSC::JSObject::putInline(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 12 0x10b997f94 JSC::JSValue::putInline(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 13 0x10b98ff7f operationPutByIdNonStrictOptimize stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 14 0x3e9bbd806cc6 stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 15 0x10bb76367 llint_entry stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 16 0x10bb6f82e vmEntryToJavaScript stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 17 0x10b98135a JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 18 0x10b91811a JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 19 0x10b2bd040 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 20 0x10ae09d83 runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool, bool) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 21 0x10ae092a4 runJSC(JSC::VM*, CommandLine) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 22 0x10ae086ea jscmain(int, char**) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 23 0x10ae085ab main stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 24 0x7fff85f995ad start stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: 25 0x8 stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: test_script_15896: line 2: 62057 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --jitMemoryReservationSize\=50000 --useFTLJIT\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 multi-put-by-offset-reallocation-butterfly-cse.js ) stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool: ERROR: Unexpected exit code: 139 FAIL: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
Attachments
the patch (12.69 KB, patch)
2016-04-09 12:18 PDT, Filip Pizlo 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryan Haddad
Comment 1 2016-04-08 10:27:49 PDT
The JSC change in the failing test run was <https://trac.webkit.org/changeset/199209>
Filip Pizlo
Comment 2 2016-04-08 14:29:56 PDT
I will look.
Filip Pizlo
Comment 3 2016-04-08 16:23:41 PDT
Hey it repros!
Filip Pizlo
Comment 4 2016-04-09 11:43:34 PDT
Heh. That's awesome. The bug here is that we are doing a GC from the butterfly allocation call, but we forgot to make the stub be GC-aware. So, the GC may delete the stub while we're running it. Here's the stack during the GC moments before we crash: Requested GC with stack: 1 0x100a339ff JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37]) 2 0x100a3396d JSC::Heap::collect(JSC::HeapOperation) 3 0x1002aa548 JSC::Heap::collectIfNecessaryOrDefer() 4 0x1002aa492 JSC::Heap::decrementDeferralDepthAndGCIfNeeded() 5 0x1002aa468 JSC::DeferGC::~DeferGC() 6 0x1002a8b75 JSC::DeferGC::~DeferGC() 7 0x100b8d55f operationReallocateButterflyToHavePropertyStorageWithInitialCapacity 8 0x22c95a6020c8 9 0x100d6c69d llint_entry 10 0x100d65bde vmEntryToJavaScript 11 0x100b7755a JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 12 0x100b0e31a JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 13 0x1004b37a0 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 14 0x100003ed3 runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool, bool) 15 0x1000033f4 runJSC(JSC::VM*, CommandLine) 16 0x10000283a jscmain(int, char**) 17 0x1000026fb main 18 0x7fff9662b5ad start Notice operationReallocateButterflyToHavePropertyStorageWithInitialCapacity. My put_by_id transition work added a call to that in the IC.
Filip Pizlo
Comment 5 2016-04-09 12:18:33 PDT
Created attachment 276088 [details] the patch
WebKit Commit Bot
Comment 6 2016-04-09 12:19:27 PDT
Attachment 276088 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:86: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] ERROR: Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:106: Wrong number of spaces before statement. (expected: 8) [whitespace/indent] [4] Total errors found: 2 in 5 files If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 7 2016-04-09 12:32:25 PDT
Comment on attachment 276088 [details] the patch r=me
Filip Pizlo
Comment 8 2016-04-09 13:41:15 PDT
Landed in http://trac.webkit.org/changeset/199275
Note You need to log in before you can comment on or make changes to this bug.