Bug 192050

Summary: REGRESSION: Flaky crash in JSC::speculationFromValue(JSC::JSValue)
Product: WebKit
Reporter: Truitt Savell <tsavell>
Component: Tools / Tests
Assignee: Tadeu Zagallo <tzagallo>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, cdumez, commit-queue, ggaren, jlewis3, keith_miller, lforschler, mark.lam, mcatanzaro, ryanhaddad, sbarati, simon.fraser, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=171985
Attachments (flags: none on all):
- Archive of layout-test-results from webkit-cq-02
- Archive of layout-test-results from webkit-cq-02
- Archive of layout-test-results from webkit-cq-02
- Archive of layout-test-results from webkit-cq-03
- Archive of layout-test-results from webkit-cq-02
- Archive of layout-test-results from webkit-cq-02
- Patch

Description Truitt Savell 2018-11-27 16:11:45 PST
The following layout test is crashing on MacOS

workers/bomb.html

Probable cause:

This test is known to time out on some platforms but has recently started crashing. I was able to reproduce the crash on tip of tree using this command:

run-webkit-tests --root testbuild-238565 workers/bomb.html --iterations 500 -f --exit-after-n-crashes 1

I am attempting to find the regression point.

Flakiness Dashboard:

https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=workers%2Fbomb.html

crash log:
https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r238565%20(13016)/workers/bomb-crash-log.txt
Comment 1 Truitt Savell 2018-11-27 16:54:04 PST
This test began crashing with r238525. Running the previous command using a build of 238525 yields a crash eventually. Running this on 238524 yields no crashes.
Comment 2 Truitt Savell 2018-11-27 16:54:28 PST
https://trac.webkit.org/changeset/238525/webkit
Comment 3 Chris Dumez 2018-11-27 16:57:56 PST
Crashed Thread:        39  WebCore: Worker

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000159325
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

Thread 39 Crashed:: WebCore: Worker
0   com.apple.JavaScriptCore      	0x0000000110d59b65 JSC::speculationFromValue(JSC::JSValue) + 213 (SpeculatedType.cpp:477)
1   com.apple.JavaScriptCore      	0x0000000110d2c356 JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) + 4950 (CodeBlock.cpp:2577)
2   com.apple.JavaScriptCore      	0x0000000110d26386 JSC::CodeBlock::updateAllPredictions() + 22 (CodeBlock.cpp:2624)
3   com.apple.JavaScriptCore      	0x000000011112869c operationOptimize + 348 (JITOperations.cpp:1422)
4   ???                           	0x000003fdbb2baff5 0 + 4388301811701
5   com.apple.JavaScriptCore      	0x0000000110b382c8 llint_entry + 62053
6   com.apple.JavaScriptCore      	0x0000000110b28ea9 vmEntryToJavaScript + 200
7   com.apple.JavaScriptCore      	0x00000001110ba4e4 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11172 (Interpreter.cpp:832)
8   com.apple.JavaScriptCore      	0x00000001112f28a3 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 307 (Completion.cpp:106)
9   com.apple.WebCore             	0x000000010cf853c4 WebCore::JSExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 84 (JSExecState.h:80)
10  com.apple.WebCore             	0x000000010cfcc19c WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&, WTF::String*) + 156 (WorkerScriptController.cpp:148)
11  com.apple.WebCore             	0x000000010cfcc09c WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::String*) + 44 (WorkerScriptController.cpp:131)
12  com.apple.WebCore             	0x000000010dba40ac WebCore::WorkerThread::workerThread() + 556 (RefPtr.h:69)
13  com.apple.JavaScriptCore      	0x000000011096ac34 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 212 (Threading.cpp:137)
14  com.apple.JavaScriptCore      	0x000000011096c7d9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:203)
15  libsystem_pthread.dylib       	0x00007fff9e2db93b _pthread_body + 180
16  libsystem_pthread.dylib       	0x00007fff9e2db887 _pthread_start + 286
17  libsystem_pthread.dylib       	0x00007fff9e2db08d thread_start + 13

Definitely does not look related to https://trac.webkit.org/changeset/238525/webkit.

Adding a few JSC people in cc given where it crashes.
Comment 4 Ryan Haddad 2018-11-28 09:11:20 PST
This test has been flaky for a while, but something definitely made it crash more frequently in the past 2-3 days.
Comment 5 Chris Dumez 2018-11-28 09:14:14 PST
(In reply to Ryan Haddad from comment #4)
> This test has been flaky for a while, but something definitely made it crash
> more frequently in the past 2-3 days.

My patch may impact how fast you get a new process (by disabling process-prewarming for some clients), but it should not matter here since this test does not create new processes, just dedicated workers.
Comment 6 Radar WebKit Bug Importer 2018-11-28 09:53:52 PST
<rdar://problem/46312674>
Comment 7 Ryan Haddad 2018-11-30 14:40:51 PST
This crash is being hit very frequently by the commit queue with workers/bomb.html as well as various inspector and webGL tests.
Comment 8 Alexey Proskuryakov 2018-12-01 15:56:32 PST
*** Bug 192269 has been marked as a duplicate of this bug. ***
Comment 9 Alexey Proskuryakov 2018-12-01 15:56:45 PST
*** Bug 192245 has been marked as a duplicate of this bug. ***
Comment 10 Alexey Proskuryakov 2018-12-01 15:56:52 PST
*** Bug 192244 has been marked as a duplicate of this bug. ***
Comment 11 Alexey Proskuryakov 2018-12-01 15:57:04 PST
*** Bug 192243 has been marked as a duplicate of this bug. ***
Comment 12 Alexey Proskuryakov 2018-12-01 15:57:20 PST
*** Bug 192239 has been marked as a duplicate of this bug. ***
Comment 13 Alexey Proskuryakov 2018-12-01 15:57:40 PST
*** Bug 192238 has been marked as a duplicate of this bug. ***
Comment 14 Alexey Proskuryakov 2018-12-01 15:57:44 PST
*** Bug 192237 has been marked as a duplicate of this bug. ***
Comment 15 Alexey Proskuryakov 2018-12-01 15:57:48 PST
*** Bug 192235 has been marked as a duplicate of this bug. ***
Comment 16 Alexey Proskuryakov 2018-12-01 15:57:52 PST
*** Bug 192225 has been marked as a duplicate of this bug. ***
Comment 17 Alexey Proskuryakov 2018-12-01 15:57:56 PST
*** Bug 192221 has been marked as a duplicate of this bug. ***
Comment 18 Alexey Proskuryakov 2018-12-01 15:58:01 PST
*** Bug 192220 has been marked as a duplicate of this bug. ***
Comment 19 Alexey Proskuryakov 2018-12-01 15:58:18 PST
*** Bug 192219 has been marked as a duplicate of this bug. ***
Comment 20 Alexey Proskuryakov 2018-12-01 15:58:22 PST
*** Bug 192218 has been marked as a duplicate of this bug. ***
Comment 21 Alexey Proskuryakov 2018-12-01 15:58:26 PST
*** Bug 192202 has been marked as a duplicate of this bug. ***
Comment 22 Alexey Proskuryakov 2018-12-01 15:58:53 PST
*** Bug 192199 has been marked as a duplicate of this bug. ***
Comment 23 Alexey Proskuryakov 2018-12-01 15:59:17 PST
*** Bug 192196 has been marked as a duplicate of this bug. ***
Comment 24 Alexey Proskuryakov 2018-12-01 15:59:21 PST
*** Bug 192195 has been marked as a duplicate of this bug. ***
Comment 25 Alexey Proskuryakov 2018-12-01 15:59:25 PST
*** Bug 192194 has been marked as a duplicate of this bug. ***
Comment 26 Alexey Proskuryakov 2018-12-01 15:59:30 PST
*** Bug 192188 has been marked as a duplicate of this bug. ***
Comment 27 Alexey Proskuryakov 2018-12-01 15:59:34 PST
*** Bug 192187 has been marked as a duplicate of this bug. ***
Comment 28 Alexey Proskuryakov 2018-12-01 15:59:38 PST
*** Bug 192186 has been marked as a duplicate of this bug. ***
Comment 29 Alexey Proskuryakov 2018-12-01 15:59:43 PST
*** Bug 192177 has been marked as a duplicate of this bug. ***
Comment 30 Alexey Proskuryakov 2018-12-01 16:00:00 PST
*** Bug 192176 has been marked as a duplicate of this bug. ***
Comment 31 Alexey Proskuryakov 2018-12-01 16:00:03 PST
*** Bug 192146 has been marked as a duplicate of this bug. ***
Comment 32 Alexey Proskuryakov 2018-12-01 16:00:38 PST
*** Bug 192145 has been marked as a duplicate of this bug. ***
Comment 33 Alexey Proskuryakov 2018-12-01 16:00:49 PST
*** Bug 192144 has been marked as a duplicate of this bug. ***
Comment 34 Alexey Proskuryakov 2018-12-01 16:01:07 PST
*** Bug 192142 has been marked as a duplicate of this bug. ***
Comment 35 Alexey Proskuryakov 2018-12-01 16:01:10 PST
*** Bug 192141 has been marked as a duplicate of this bug. ***
Comment 36 Alexey Proskuryakov 2018-12-01 16:01:14 PST
*** Bug 192140 has been marked as a duplicate of this bug. ***
Comment 37 Alexey Proskuryakov 2018-12-01 16:01:18 PST
*** Bug 192139 has been marked as a duplicate of this bug. ***
Comment 38 Alexey Proskuryakov 2018-12-01 16:01:24 PST
*** Bug 192125 has been marked as a duplicate of this bug. ***
Comment 39 Alexey Proskuryakov 2018-12-01 16:01:27 PST
*** Bug 192104 has been marked as a duplicate of this bug. ***
Comment 40 Alexey Proskuryakov 2018-12-01 16:01:59 PST
*** Bug 192098 has been marked as a duplicate of this bug. ***
Comment 41 Alexey Proskuryakov 2018-12-01 16:02:02 PST
*** Bug 192103 has been marked as a duplicate of this bug. ***
Comment 42 Alexey Proskuryakov 2018-12-01 16:02:26 PST
*** Bug 192095 has been marked as a duplicate of this bug. ***
Comment 43 Alexey Proskuryakov 2018-12-01 16:02:30 PST
*** Bug 192096 has been marked as a duplicate of this bug. ***
Comment 44 Alexey Proskuryakov 2018-12-01 16:03:23 PST
*** Bug 171985 has been marked as a duplicate of this bug. ***
Comment 45 Alexey Proskuryakov 2018-12-01 16:05:02 PST
*** Bug 192072 has been marked as a duplicate of this bug. ***
Comment 46 Alexey Proskuryakov 2018-12-01 16:05:14 PST
*** Bug 192065 has been marked as a duplicate of this bug. ***
Comment 47 Alexey Proskuryakov 2018-12-01 16:05:20 PST
*** Bug 192064 has been marked as a duplicate of this bug. ***
Comment 48 Alexey Proskuryakov 2018-12-01 16:05:28 PST
*** Bug 192063 has been marked as a duplicate of this bug. ***
Comment 49 Alexey Proskuryakov 2018-12-01 16:05:35 PST
*** Bug 192058 has been marked as a duplicate of this bug. ***
Comment 50 Alexey Proskuryakov 2018-12-01 16:06:06 PST
*** Bug 192057 has been marked as a duplicate of this bug. ***
Comment 51 Alexey Proskuryakov 2018-12-01 16:06:16 PST
*** Bug 192052 has been marked as a duplicate of this bug. ***
Comment 52 Alexey Proskuryakov 2018-12-01 16:06:24 PST
*** Bug 192051 has been marked as a duplicate of this bug. ***
Comment 53 Alexey Proskuryakov 2018-12-01 16:06:31 PST
*** Bug 192048 has been marked as a duplicate of this bug. ***
Comment 54 Alexey Proskuryakov 2018-12-01 16:06:39 PST
*** Bug 192047 has been marked as a duplicate of this bug. ***
Comment 55 Alexey Proskuryakov 2018-12-01 16:07:05 PST
*** Bug 192043 has been marked as a duplicate of this bug. ***
Comment 56 Alexey Proskuryakov 2018-12-01 16:07:14 PST
*** Bug 191992 has been marked as a duplicate of this bug. ***
Comment 57 Alexey Proskuryakov 2018-12-01 16:07:20 PST
*** Bug 191991 has been marked as a duplicate of this bug. ***
Comment 58 Alexey Proskuryakov 2018-12-03 10:29:38 PST
*** Bug 192311 has been marked as a duplicate of this bug. ***
Comment 59 WebKit Commit Bot 2018-12-03 15:13:42 PST
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356402 [details] on bug 192091.
Bot: webkit-cq-02  Port: <class 'webkitpy.common.config.ports.MacPort'>  Platform: Mac OS X 10.12.6
Comment 60 WebKit Commit Bot 2018-12-03 15:13:43 PST
Created attachment 356414 [details]
Archive of layout-test-results from webkit-cq-02
Comment 61 Alexey Proskuryakov 2018-12-03 16:37:18 PST
*** Bug 192339 has been marked as a duplicate of this bug. ***
Comment 62 Alexey Proskuryakov 2018-12-03 16:37:32 PST
*** Bug 192338 has been marked as a duplicate of this bug. ***
Comment 63 Alexey Proskuryakov 2018-12-03 16:37:46 PST
*** Bug 192333 has been marked as a duplicate of this bug. ***
Comment 64 Alexey Proskuryakov 2018-12-03 16:37:54 PST
*** Bug 192332 has been marked as a duplicate of this bug. ***
Comment 65 WebKit Commit Bot 2018-12-03 21:46:18 PST
The commit-queue just saw inspector/unit-tests/event-listener.html flake (DumpRenderTree crashed) while processing attachment 356454 [details] on bug 192346.
Bot: webkit-cq-02  Port: <class 'webkitpy.common.config.ports.MacPort'>  Platform: Mac OS X 10.12.6
Comment 66 WebKit Commit Bot 2018-12-03 21:46:19 PST
Created attachment 356462 [details]
Archive of layout-test-results from webkit-cq-02
Comment 67 WebKit Commit Bot 2018-12-04 09:58:09 PST
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356502 [details] on bug 192120.
Bot: webkit-cq-02  Port: <class 'webkitpy.common.config.ports.MacPort'>  Platform: Mac OS X 10.12.6
Comment 68 WebKit Commit Bot 2018-12-04 09:58:11 PST
Created attachment 356512 [details]
Archive of layout-test-results from webkit-cq-02
Comment 69 Alexey Proskuryakov 2018-12-04 13:54:58 PST
*** Bug 192370 has been marked as a duplicate of this bug. ***
Comment 70 Alexey Proskuryakov 2018-12-04 13:55:33 PST
*** Bug 192368 has been marked as a duplicate of this bug. ***
Comment 71 Alexey Proskuryakov 2018-12-04 13:55:36 PST
*** Bug 192367 has been marked as a duplicate of this bug. ***
Comment 72 Alexey Proskuryakov 2018-12-04 13:55:39 PST
*** Bug 192365 has been marked as a duplicate of this bug. ***
Comment 73 Alexey Proskuryakov 2018-12-04 13:55:43 PST
*** Bug 192364 has been marked as a duplicate of this bug. ***
Comment 74 Alexey Proskuryakov 2018-12-04 13:55:50 PST
*** Bug 192369 has been marked as a duplicate of this bug. ***
Comment 75 Alexey Proskuryakov 2018-12-04 13:59:25 PST
*** Bug 192351 has been marked as a duplicate of this bug. ***
Comment 76 Alexey Proskuryakov 2018-12-04 13:59:34 PST
*** Bug 192350 has been marked as a duplicate of this bug. ***
Comment 77 Alexey Proskuryakov 2018-12-04 16:49:22 PST
*** Bug 192343 has been marked as a duplicate of this bug. ***
Comment 78 Alexey Proskuryakov 2018-12-04 16:49:41 PST
*** Bug 192383 has been marked as a duplicate of this bug. ***
Comment 79 Alexey Proskuryakov 2018-12-04 16:50:25 PST
*** Bug 192382 has been marked as a duplicate of this bug. ***
Comment 80 Simon Fraser (smfr) 2018-12-05 10:16:13 PST
I can hit this crash running https://browserbench.org/Speedometer2.0/?suite=VueJS-TodoMVC&iterationCount=1000
Comment 81 Alexey Proskuryakov 2018-12-05 10:30:34 PST
*** Bug 192399 has been marked as a duplicate of this bug. ***
Comment 82 Ryan Haddad 2018-12-06 09:04:46 PST
*** Bug 192442 has been marked as a duplicate of this bug. ***
Comment 83 Ryan Haddad 2018-12-06 09:05:16 PST
*** Bug 192440 has been marked as a duplicate of this bug. ***
Comment 84 Ryan Haddad 2018-12-06 09:05:55 PST
*** Bug 192423 has been marked as a duplicate of this bug. ***
Comment 85 Ryan Haddad 2018-12-06 09:06:13 PST
*** Bug 192419 has been marked as a duplicate of this bug. ***
Comment 86 WebKit Commit Bot 2018-12-06 13:21:26 PST
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356741 [details] on bug 187554.
Bot: webkit-cq-03  Port: <class 'webkitpy.common.config.ports.MacPort'>  Platform: Mac OS X 10.12.6
Comment 87 WebKit Commit Bot 2018-12-06 13:21:27 PST
Created attachment 356744 [details]
Archive of layout-test-results from webkit-cq-03
Comment 88 WebKit Commit Bot 2018-12-06 14:51:13 PST
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356748 [details] on bug 192409.
Bot: webkit-cq-02  Port: <class 'webkitpy.common.config.ports.MacPort'>  Platform: Mac OS X 10.12.6
Comment 89 WebKit Commit Bot 2018-12-06 14:51:15 PST
Created attachment 356758 [details]
Archive of layout-test-results from webkit-cq-02
Comment 90 WebKit Commit Bot 2018-12-06 17:20:23 PST
The commit-queue just saw imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/failures_AES-GCM.https.any.html flake (DumpRenderTree crashed) while processing attachment 356762 [details] on bug 192377.
Bot: webkit-cq-02  Port: <class 'webkitpy.common.config.ports.MacPort'>  Platform: Mac OS X 10.12.6
Comment 91 WebKit Commit Bot 2018-12-06 17:20:24 PST
Created attachment 356768 [details]
Archive of layout-test-results from webkit-cq-02
Comment 92 Alexey Proskuryakov 2018-12-07 11:11:31 PST
*** Bug 192475 has been marked as a duplicate of this bug. ***
Comment 93 Alexey Proskuryakov 2018-12-07 11:11:58 PST
*** Bug 192476 has been marked as a duplicate of this bug. ***
Comment 94 Alexey Proskuryakov 2018-12-07 11:12:03 PST
*** Bug 192477 has been marked as a duplicate of this bug. ***
Comment 95 Alexey Proskuryakov 2018-12-07 11:12:46 PST
*** Bug 192488 has been marked as a duplicate of this bug. ***
Comment 96 Alexey Proskuryakov 2018-12-07 11:12:51 PST
*** Bug 192485 has been marked as a duplicate of this bug. ***
Comment 97 Alexey Proskuryakov 2018-12-07 11:12:55 PST
*** Bug 192484 has been marked as a duplicate of this bug. ***
Comment 98 Tadeu Zagallo 2018-12-07 15:49:57 PST
Created attachment 356847 [details]
Patch
Comment 99 Mark Lam 2018-12-07 15:52:28 PST
Comment on attachment 356847 [details]
Patch

r=me
Comment 100 WebKit Commit Bot 2018-12-07 17:13:05 PST
Comment on attachment 356847 [details]
Patch

Clearing flags on attachment: 356847

Committed r238997: <https://trac.webkit.org/changeset/238997>
Comment 101 WebKit Commit Bot 2018-12-07 17:13:08 PST
All reviewed patches have been landed.  Closing bug.
Comment 102 Saam Barati 2018-12-07 18:17:51 PST
Comment on attachment 356847 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=356847&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        Although certain platforms don't require the metadata to be aligned,

a nit on wording here -- I think the point here is actually more of:
- Some platforms don't trap on unaligned accesses
- However, *all platforms need* this because no platform we support is atomic on unaligned accesses. Otherwise, we may observe tearing which can lead us to crash.
- This patch aligns all metadata.

> Source/JavaScriptCore/bytecode/Opcode.cpp:-196
> -#if CPU(NEEDS_ALIGNED_ACCESS)

Not pertinent to this patch, but we should really rename this #define. "Needs" is a super convoluted word in this context. "Needs" depends on the workload. We should probably have something along the lines of CPU(TRAPS_ON_UNALIGNED_ACCESSES)
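As an added illustration of the alignment point made in comment 102 (this is constructed example code, not the patch or any JavaScriptCore source): a toy metadata-table layout in C that shows how packing entries back to back leaves multi-byte entries straddling an 8-byte word, which is why a read of them needs more than one memory transaction and can be observed torn by another thread, and how placing each entry at a multiple of its own alignment removes every such straddle. The `MetadataSpec` type and the sample entry sizes are assumptions and do not model JSC's real per-opcode metadata.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Round `offset` up to the next multiple of `align` (a power of two). */
static size_t align_up(size_t offset, size_t align)
{
    return (offset + align - 1) & ~(align - 1);
}

/* A `size`-byte entry at `offset` straddles a `word`-byte boundary when its
 * first and last bytes land in different words. Such a load or store takes
 * more than one memory transaction, so a concurrent reader can see it torn. */
static bool straddles_word(size_t offset, size_t size, size_t word)
{
    return (offset / word) != ((offset + size - 1) / word);
}

/* Constructed description of one metadata entry (hypothetical; it does not
 * model JSC's real per-opcode metadata types). */
typedef struct { size_t size, align; } MetadataSpec;

/* Assign each entry an offset. `aligned == false` packs entries back to back
 * (the hazard); `aligned == true` places each at a multiple of its own
 * alignment and pads the table to the largest alignment seen.
 * Returns the total table size in bytes. */
static size_t layout_metadata(const MetadataSpec *specs, size_t n, size_t *offsets, bool aligned)
{
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < n; i++) {
        if (aligned)
            off = align_up(off, specs[i].align);
        if (specs[i].align > max_align)
            max_align = specs[i].align;
        offsets[i] = off;
        off += specs[i].size;
    }
    return aligned ? align_up(off, max_align) : off;
}

/* Count entries whose bytes cross a `word`-byte boundary. */
static size_t count_straddling(const MetadataSpec *specs, size_t n, const size_t *offsets, size_t word)
{
    size_t torn = 0;
    for (size_t i = 0; i < n; i++)
        torn += straddles_word(offsets[i], specs[i].size, word);
    return torn;
}

/* Constructed sample table: 1-byte flag, 4-byte counter, 8-byte pointer-sized
 * slot, 2-byte index, 4-byte counter. */
static const MetadataSpec kSample[] = { {1, 1}, {4, 4}, {8, 8}, {2, 2}, {4, 4} };
#define kSampleCount (sizeof kSample / sizeof kSample[0])

/* Lay out the sample table either way and report the size / straddle count. */
static size_t sample_table_size(bool aligned)
{
    size_t offsets[kSampleCount];
    return layout_metadata(kSample, kSampleCount, offsets, aligned);
}
static size_t sample_straddling(bool aligned)
{
    size_t offsets[kSampleCount];
    layout_metadata(kSample, kSampleCount, offsets, aligned);
    return count_straddling(kSample, kSampleCount, offsets, 8);
}

int main(void)
{
    printf("packed:  %zu bytes, %zu entries straddle an 8-byte word\n", sample_table_size(false), sample_straddling(false));
    printf("aligned: %zu bytes, %zu entries straddle an 8-byte word\n", sample_table_size(true), sample_straddling(true));
    return 0;
}
```

The packed layout is smaller (19 bytes against 24) but two of its entries cross a word boundary; the aligned layout spends five bytes of padding and has none, which is the trade the patch makes.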
Comment 103 Alexey Proskuryakov 2018-12-10 13:55:56 PST
*** Bug 192506 has been marked as a duplicate of this bug. ***
Comment 104 Alexey Proskuryakov 2018-12-10 13:56:01 PST
*** Bug 192505 has been marked as a duplicate of this bug. ***
Comment 105 Michael Catanzaro 2018-12-20 19:49:32 PST
*** Bug 192882 has been marked as a duplicate of this bug. ***