Bug 159930

Summary: REGRESSION (r203364): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, keith_miller, mark.lam, msaboff, ossy, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=159929
Bug Depends on:    
Bug Blocks: 159786    
Attachments: the patch (flags: ggaren: review+)

Ryan Haddad
Reported 2016-07-19 11:02:32 PDT
https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/2948

jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: /Volumes/Data/slave/elcapitan-32bitJSC-debug/build/Source/JavaScriptCore/runtime/JSCell.h(244) : To JSC::jsCast(JSC::JSValue) [To = JSC::JSScope *]
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 1 0xe5320d WTFCrash
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 2 0xe5322b WTFCrashWithSecurityImplication
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 3 0x2afa50 JSC::JSScope* JSC::jsCast<JSC::JSScope*>(JSC::JSValue)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 4 0x2ac395 JSC::Register::scope() const
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 5 0x8be985 JSC::eval(JSC::ExecState*)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 6 0x9352df operationCallEval
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 7 0x2b013e7
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 8 0x2adb316
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 9 0xb2e137 llint_entry
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 10 0xb28bcc vmEntryToJavaScript
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 11 0x91d3e2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 12 0x8c2f41 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 13 0x2b3918 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 14 0x5434f runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::String const&, bool, bool)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 15 0x534c6 runJSC(JSC::VM*, CommandLine)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 16 0x52309 jscmain(int, char**)
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 17 0x52176 main
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 18 0x97baf6ad start
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: test_script_23763: line 2: 9583 Segmentation fault: 11 ( "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 resources/standalone-pre.js Object-assign.js resources/standalone-post.js )
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: ERROR: Unexpected exit code: 139
FAIL: jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit

** The following JSC stress test failures have been introduced:
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-filter.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-filter.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-functions-non-arrays.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-functions-non-arrays.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-holes.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-holes.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-includes.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-includes.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-type-speculation.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/array-type-speculation.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/basic-strict-mode.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/basic-strict-mode.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/class-syntax-extends.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/class-syntax-extends.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/class-syntax-name.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/class-syntax-name.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/class-syntax-prototype.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/class-syntax-prototype.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/destructuring-assignment.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/destructuring-assignment.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-cjit
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-no-cjit
jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/keywords-and-reserved_words.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/keywords-and-reserved_words.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/number-constructor.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/number-constructor.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/parseInt.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/parseInt.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-ftl
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-no-cjit
jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/preventExtensions.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/preventExtensions.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/prototypes.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/prototypes.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/reserved-words-strict.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/reserved-words-strict.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/reserved-words.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/reserved-words.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/statement-list-item-syntax-errors.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/statement-list-item-syntax-errors.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/string-code-point-at.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/string-code-point-at.js.layout-ftl-eager-no-cjit
stress/IIFE-function-name-captured.js.always-trigger-copy-phase
stress/IIFE-function-name-captured.js.default
stress/IIFE-function-name-captured.js.default-ftl
stress/IIFE-function-name-captured.js.dfg-eager
stress/IIFE-function-name-captured.js.dfg-eager-no-cjit-validate
stress/IIFE-function-name-captured.js.dfg-maximal-flush-validate-no-cjit
stress/IIFE-function-name-captured.js.ftl-eager
stress/IIFE-function-name-captured.js.ftl-eager-no-cjit
stress/IIFE-function-name-captured.js.ftl-no-cjit-no-put-stack-validate
stress/IIFE-function-name-captured.js.ftl-no-cjit-small-pool
stress/IIFE-function-name-captured.js.ftl-no-cjit-validate-sampling-profiler
stress/IIFE-function-name-captured.js.no-cjit-validate-phases
stress/IIFE-function-name-captured.js.no-llint
stress/for-in-array-mode.js.dfg-eager
stress/for-in-array-mode.js.dfg-eager-no-cjit-validate
stress/for-in-array-mode.js.ftl-eager
stress/for-in-array-mode.js.ftl-eager-no-cjit
stress/for-in-array-mode.js.no-llint
stress/global-lexical-var-injection.js.always-trigger-copy-phase
stress/global-lexical-var-injection.js.default
stress/global-lexical-var-injection.js.default-ftl
stress/global-lexical-var-injection.js.dfg-eager
stress/global-lexical-var-injection.js.dfg-eager-no-cjit-validate
stress/global-lexical-var-injection.js.dfg-maximal-flush-validate-no-cjit
stress/global-lexical-var-injection.js.ftl-eager
stress/global-lexical-var-injection.js.ftl-eager-no-cjit
stress/global-lexical-var-injection.js.ftl-no-cjit-no-inline-validate
stress/global-lexical-var-injection.js.ftl-no-cjit-no-put-stack-validate
stress/global-lexical-var-injection.js.ftl-no-cjit-small-pool
stress/global-lexical-var-injection.js.ftl-no-cjit-validate-sampling-profiler
stress/global-lexical-var-injection.js.no-cjit-validate-phases
stress/global-lexical-var-injection.js.no-llint
stress/op-push-name-scope-crashes-profiler.js.profiler-simple
stress/regress-159779-1.js.ftl-eager-no-cjit
stress/regress-159779-2.js.ftl-eager-no-cjit
Attachments
the patch (1.95 KB, patch)
2016-07-19 12:28 PDT, Filip Pizlo
ggaren: review+
Ryan Haddad
Comment 1 2016-07-19 11:04:02 PDT
Probably related to Debug JSC test failures in https://bugs.webkit.org/show_bug.cgi?id=159929
Filip Pizlo
Comment 2 2016-07-19 11:09:35 PDT
Looking at this now. It's OK to roll it out. But it's likely I'll have a fix within an hour.
Filip Pizlo
Comment 3 2016-07-19 11:58:31 PDT
Wow, this looks like a long-standing bug with how we read the scope register. We're assuming that it's boxed on 32-bit, which won't be true in the DFG. I believe that we would have gotten this crash in debug 32-bit debugger tests if those tests tried hard enough.
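To make the representation mismatch in comment 3 concrete, here is an added toy model; it is not JSC code and not the patch attached to this bug. On 32-bit JSC a value slot is a tag half plus a payload half, and the stack trace in the description shows Register::scope() handing the raw slot to jsCast<JSScope*>, which checks the tag. The model below shows a reader that applies the boxed-value check to a slot an optimizing tier stored unboxed (pointer only, tag half never written), which is the case the assertion catches in a debug build and that a release build would silently turn into a type confusion. Every name here (Cell, Slot, Tag, boxCell, storeUnboxedCell, castBoxed, readScopeRegister) and every tag constant is constructed for the example and does not match JSC's real encoding.

```cpp
#include <cstdint>
#include <cstdio>

// Toy model, constructed for this example (not JSC's real JSValue encoding,
// tag constants, or API): a 32-bit JSC value occupies a 64-bit slot made of a
// type tag and a payload. The payload is uintptr_t here so the model also runs
// on a 64-bit host; on the 32-bit targets this bug concerns it is a 32-bit word.
struct Cell {
    const char* className;
};

enum class Tag : int32_t {
    Cell  = -1,   // hypothetical tag: payload is a Cell*
    Int32 = -2,   // hypothetical tag: payload is a 32-bit integer
};

struct Slot {
    uintptr_t payload;  // pointer or integer
    int32_t   tag;      // type tag; meaningful only for a boxed value
};

// Boxed representation: what the interpreter and baseline JIT write into a
// register such as the scope register. Both halves are valid.
Slot boxCell(const Cell* cell) {
    Slot s;
    s.payload = reinterpret_cast<uintptr_t>(cell);
    s.tag = static_cast<int32_t>(Tag::Cell);
    return s;
}

// Unboxed representation: an optimizing tier that has already proven the value
// is a cell may store only the pointer and never write the tag half, which then
// holds whatever was there before (modelled by a caller-supplied stale tag).
Slot storeUnboxedCell(const Cell* cell, int32_t staleTag) {
    Slot s;
    s.payload = reinterpret_cast<uintptr_t>(cell);
    s.tag = staleTag;
    return s;
}

bool isCell(const Slot& s) {
    return s.tag == static_cast<int32_t>(Tag::Cell);
}

// Models a checked cast in the spirit of jsCast<JSScope*>(JSValue): it reads the
// slot as a boxed value and requires it to be a cell. Where JSC's debug build
// hits the ASSERTION FAILED quoted in the report, this returns nullptr.
const Cell* castBoxed(const Slot& s) {
    if (!isCell(s))
        return nullptr;
    return reinterpret_cast<const Cell*>(s.payload);
}

// A reader that is told which representation the producing tier used, so it
// never applies the boxed-value check to a slot that was never boxed.
const Cell* readScopeRegister(const Slot& s, bool producedUnboxed) {
    if (producedUnboxed)
        return reinterpret_cast<const Cell*>(s.payload);
    return castBoxed(s);
}

// Scenario functions returning results that can be checked directly.
bool boxedSlotCastsFine() {
    Cell scope{"JSScope"};
    return castBoxed(boxCell(&scope)) == &scope;
}

bool unboxedSlotFailsBoxedCheck() {
    Cell scope{"JSScope"};
    Slot s = storeUnboxedCell(&scope, static_cast<int32_t>(Tag::Int32));
    return castBoxed(s) == nullptr;   // the assertion case from the report
}

bool unboxedSlotReadsWithKnowledge() {
    Cell scope{"JSScope"};
    Slot s = storeUnboxedCell(&scope, static_cast<int32_t>(Tag::Int32));
    return readScopeRegister(s, true) == &scope;
}

int main() {
    std::printf("boxed slot via checked cast:   %s\n", boxedSlotCastsFine() ? "ok" : "FAIL");
    std::printf("unboxed slot via checked cast: %s\n", unboxedSlotFailsBoxedCheck() ? "rejected (assert)" : "accepted");
    std::printf("unboxed slot via aware reader: %s\n", unboxedSlotReadsWithKnowledge() ? "ok" : "FAIL");
    return 0;
}
```

The point of the third scenario is only that the reader must know the producer's representation; how JSC resolved that for the scope register is in the attached patch, not in this model.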
Filip Pizlo
Comment 4 2016-07-19 12:28:26 PDT
Created attachment 284031 [details] the patch
Geoffrey Garen
Comment 5 2016-07-19 12:29:08 PDT
Comment on attachment 284031 [details] the patch
r=me
Filip Pizlo
Comment 6 2016-07-19 13:17:08 PDT