| Summary: | REGRESSION: Flaky crash in JSC::speculationFromValue(JSC::JSValue) | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Truitt Savell <tsavell> |
| Component: | Tools / Tests | Assignee: | Tadeu Zagallo <tzagallo> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ap, bboldrey3, cdumez, commit-queue, ggaren, jlewis3, keith_miller, lforschler, mark.lam, mcatanzaro, ryanhaddad, saam, simon.fraser, tzagallo, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=171985 | | |
| Attachments: | | | |
Description
Truitt Savell
2018-11-27 16:11:45 PST
This test began crashing with r238525. Running the previous command using a spade of 238525 yields a crash eventually. Running this on 238524 yields no crashes.

```
Crashed Thread:        39  WebCore: Worker

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000159325
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

Thread 39 Crashed:: WebCore: Worker
0   com.apple.JavaScriptCore      0x0000000110d59b65 JSC::speculationFromValue(JSC::JSValue) + 213 (SpeculatedType.cpp:477)
1   com.apple.JavaScriptCore      0x0000000110d2c356 JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) + 4950 (CodeBlock.cpp:2577)
2   com.apple.JavaScriptCore      0x0000000110d26386 JSC::CodeBlock::updateAllPredictions() + 22 (CodeBlock.cpp:2624)
3   com.apple.JavaScriptCore      0x000000011112869c operationOptimize + 348 (JITOperations.cpp:1422)
4   ???                           0x000003fdbb2baff5 0 + 4388301811701
5   com.apple.JavaScriptCore      0x0000000110b382c8 llint_entry + 62053
6   com.apple.JavaScriptCore      0x0000000110b28ea9 vmEntryToJavaScript + 200
7   com.apple.JavaScriptCore      0x00000001110ba4e4 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11172 (Interpreter.cpp:832)
8   com.apple.JavaScriptCore      0x00000001112f28a3 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 307 (Completion.cpp:106)
9   com.apple.WebCore             0x000000010cf853c4 WebCore::JSExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 84 (JSExecState.h:80)
10  com.apple.WebCore             0x000000010cfcc19c WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&, WTF::String*) + 156 (WorkerScriptController.cpp:148)
11  com.apple.WebCore             0x000000010cfcc09c WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::String*) + 44 (WorkerScriptController.cpp:131)
12  com.apple.WebCore             0x000000010dba40ac WebCore::WorkerThread::workerThread() + 556 (RefPtr.h:69)
13  com.apple.JavaScriptCore      0x000000011096ac34 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 212 (Threading.cpp:137)
14  com.apple.JavaScriptCore      0x000000011096c7d9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:203)
15  libsystem_pthread.dylib       0x00007fff9e2db93b _pthread_body + 180
16  libsystem_pthread.dylib       0x00007fff9e2db887 _pthread_start + 286
17  libsystem_pthread.dylib       0x00007fff9e2db08d thread_start + 13
```

Definitely does not look related to https://trac.webkit.org/changeset/238525/webkit. Adding a few JSC people in cc given where it crashes.

This test has been flaky for a while, but something definitely made it crash more frequently in the past 2-3 days.

(In reply to Ryan Haddad from comment #4)
> This test has been flaky for a while, but something definitely made it crash
> more frequently in the past 2-3 days.

My patch may impact how fast you get a new process (by disabling process-prewarming for some clients), but it should not matter here since this test does not create new processes, just dedicated workers.

This crash is being hit very frequently by the commit queue with workers/bomb.html as well as various inspector and webGL tests.

*** Bug 192269 has been marked as a duplicate of this bug. ***
*** Bug 192245 has been marked as a duplicate of this bug. ***
*** Bug 192244 has been marked as a duplicate of this bug. ***
*** Bug 192243 has been marked as a duplicate of this bug. ***
*** Bug 192239 has been marked as a duplicate of this bug. ***
*** Bug 192238 has been marked as a duplicate of this bug. ***
*** Bug 192237 has been marked as a duplicate of this bug. ***
*** Bug 192235 has been marked as a duplicate of this bug. ***
*** Bug 192225 has been marked as a duplicate of this bug. ***
*** Bug 192221 has been marked as a duplicate of this bug. ***
*** Bug 192220 has been marked as a duplicate of this bug. ***
*** Bug 192219 has been marked as a duplicate of this bug. ***
*** Bug 192218 has been marked as a duplicate of this bug. ***
*** Bug 192202 has been marked as a duplicate of this bug. ***
*** Bug 192199 has been marked as a duplicate of this bug. ***
*** Bug 192196 has been marked as a duplicate of this bug. ***
*** Bug 192195 has been marked as a duplicate of this bug. ***
*** Bug 192194 has been marked as a duplicate of this bug. ***
*** Bug 192188 has been marked as a duplicate of this bug. ***
*** Bug 192187 has been marked as a duplicate of this bug. ***
*** Bug 192186 has been marked as a duplicate of this bug. ***
*** Bug 192177 has been marked as a duplicate of this bug. ***
*** Bug 192176 has been marked as a duplicate of this bug. ***
*** Bug 192146 has been marked as a duplicate of this bug. ***
*** Bug 192145 has been marked as a duplicate of this bug. ***
*** Bug 192144 has been marked as a duplicate of this bug. ***
*** Bug 192142 has been marked as a duplicate of this bug. ***
*** Bug 192141 has been marked as a duplicate of this bug. ***
*** Bug 192140 has been marked as a duplicate of this bug. ***
*** Bug 192139 has been marked as a duplicate of this bug. ***
*** Bug 192125 has been marked as a duplicate of this bug. ***
*** Bug 192104 has been marked as a duplicate of this bug. ***
*** Bug 192098 has been marked as a duplicate of this bug. ***
*** Bug 192103 has been marked as a duplicate of this bug. ***
*** Bug 192095 has been marked as a duplicate of this bug. ***
*** Bug 192096 has been marked as a duplicate of this bug. ***
*** Bug 171985 has been marked as a duplicate of this bug. ***
*** Bug 192072 has been marked as a duplicate of this bug. ***
*** Bug 192065 has been marked as a duplicate of this bug. ***
*** Bug 192064 has been marked as a duplicate of this bug. ***
*** Bug 192063 has been marked as a duplicate of this bug. ***
*** Bug 192058 has been marked as a duplicate of this bug. ***
*** Bug 192057 has been marked as a duplicate of this bug. ***
*** Bug 192052 has been marked as a duplicate of this bug. ***
*** Bug 192051 has been marked as a duplicate of this bug. ***
*** Bug 192048 has been marked as a duplicate of this bug. ***
*** Bug 192047 has been marked as a duplicate of this bug. ***
*** Bug 192043 has been marked as a duplicate of this bug. ***
*** Bug 191992 has been marked as a duplicate of this bug. ***
*** Bug 191991 has been marked as a duplicate of this bug. ***
*** Bug 192311 has been marked as a duplicate of this bug. ***

The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356402 [details] on bug 192091.
Bot: webkit-cq-02
Port: <class 'webkitpy.common.config.ports.MacPort'>
Platform: Mac OS X 10.12.6

Created attachment 356414 [details]
Archive of layout-test-results from webkit-cq-02
*** Bug 192339 has been marked as a duplicate of this bug. ***
*** Bug 192338 has been marked as a duplicate of this bug. ***
*** Bug 192333 has been marked as a duplicate of this bug. ***
*** Bug 192332 has been marked as a duplicate of this bug. ***

The commit-queue just saw inspector/unit-tests/event-listener.html flake (DumpRenderTree crashed) while processing attachment 356454 [details] on bug 192346.
Bot: webkit-cq-02
Port: <class 'webkitpy.common.config.ports.MacPort'>
Platform: Mac OS X 10.12.6

Created attachment 356462 [details]
Archive of layout-test-results from webkit-cq-02
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356502 [details] on bug 192120.
Bot: webkit-cq-02
Port: <class 'webkitpy.common.config.ports.MacPort'>
Platform: Mac OS X 10.12.6

Created attachment 356512 [details]
Archive of layout-test-results from webkit-cq-02
*** Bug 192370 has been marked as a duplicate of this bug. ***
*** Bug 192368 has been marked as a duplicate of this bug. ***
*** Bug 192367 has been marked as a duplicate of this bug. ***
*** Bug 192365 has been marked as a duplicate of this bug. ***
*** Bug 192364 has been marked as a duplicate of this bug. ***
*** Bug 192369 has been marked as a duplicate of this bug. ***
*** Bug 192351 has been marked as a duplicate of this bug. ***
*** Bug 192350 has been marked as a duplicate of this bug. ***
*** Bug 192343 has been marked as a duplicate of this bug. ***
*** Bug 192383 has been marked as a duplicate of this bug. ***
*** Bug 192382 has been marked as a duplicate of this bug. ***

I can hit this crash running https://browserbench.org/Speedometer2.0/?suite=VueJS-TodoMVC&iterationCount=1000

*** Bug 192399 has been marked as a duplicate of this bug. ***
*** Bug 192442 has been marked as a duplicate of this bug. ***
*** Bug 192440 has been marked as a duplicate of this bug. ***
*** Bug 192423 has been marked as a duplicate of this bug. ***
*** Bug 192419 has been marked as a duplicate of this bug. ***

The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356741 [details] on bug 187554.
Bot: webkit-cq-03
Port: <class 'webkitpy.common.config.ports.MacPort'>
Platform: Mac OS X 10.12.6

Created attachment 356744 [details]
Archive of layout-test-results from webkit-cq-03
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356748 [details] on bug 192409.
Bot: webkit-cq-02
Port: <class 'webkitpy.common.config.ports.MacPort'>
Platform: Mac OS X 10.12.6

Created attachment 356758 [details]
Archive of layout-test-results from webkit-cq-02
The commit-queue just saw imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/failures_AES-GCM.https.any.html flake (DumpRenderTree crashed) while processing attachment 356762 [details] on bug 192377.
Bot: webkit-cq-02
Port: <class 'webkitpy.common.config.ports.MacPort'>
Platform: Mac OS X 10.12.6

Created attachment 356768 [details]
Archive of layout-test-results from webkit-cq-02
*** Bug 192475 has been marked as a duplicate of this bug. ***
*** Bug 192476 has been marked as a duplicate of this bug. ***
*** Bug 192477 has been marked as a duplicate of this bug. ***
*** Bug 192488 has been marked as a duplicate of this bug. ***
*** Bug 192485 has been marked as a duplicate of this bug. ***
*** Bug 192484 has been marked as a duplicate of this bug. ***

Created attachment 356847 [details]
Patch

Comment on attachment 356847 [details]
Patch

r=me

Comment on attachment 356847 [details]
Patch

Clearing flags on attachment: 356847

Committed r238997: <https://trac.webkit.org/changeset/238997>

All reviewed patches have been landed. Closing bug.

Comment on attachment 356847 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=356847&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        Although certain platforms don't require the metadata to be aligned,

a nit on wording here -- I think the point here is actually more of:
- Some platforms don't trap on unaligned accesses
- However, *all platforms need* this because no platform we support is atomic on unaligned accesses. Otherwise, we may observe tearing which can lead us to crash.
- This patch aligns all metadata.

> Source/JavaScriptCore/bytecode/Opcode.cpp:-196
> -#if CPU(NEEDS_ALIGNED_ACCESS)

Not pertinent to this patch, but we should really rename this #define. "Needs" is a super convoluted word in this context. "Needs" depends on the workload. We should probably have something along the lines of CPU(TRAPS_ON_UNALIGNED_ACCESSES)

*** Bug 192506 has been marked as a duplicate of this bug. ***
*** Bug 192505 has been marked as a duplicate of this bug. ***
*** Bug 192882 has been marked as a duplicate of this bug. ***