Bug 206650

Summary:	Regression: 30+ web-platform-tests crashing on mac debug wk1
Product:	WebKit	Reporter:	Aakash Jain <aakash_jain>
Component:	Tools / Tests	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	aakash_jain, ap, keith_miller, webkit-bot-watchers-bugzilla, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	Other
Hardware:	Unspecified
OS:	Unspecified
See Also:	https://bugs.webkit.org/show_bug.cgi?id=206619

Aakash Jain

Reported 2020-01-23 04:28:36 PST

30+ layout tests recently started crashing on mac debug wk1. Sample result: https://build.webkit.org/results/Apple-Catalina-Debug-WK2-GPUProcess-Tests/r254969%20(402)/results.html Sample build: https://build.webkit.org/builders/Apple-Catalina-Debug-WK2-GPUProcess-Tests/builds/402 Results database: https://results.webkit.org/?suite=layout-tests&suite=layout-tests&suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fdom%2Franges%2FRange-mutations-deleteData.html&test=imported%2Fw3c%2Fweb-platform-tests%2Fbeacon%2Fidlharness.any.worker.html&test=imported%2Fw3c%2Fweb-platform-tests%2Ffetch%2Fcors-rfc1918%2Fidlharness.tentative.any.worker.html Regression range: r254966 - r254969

Attachments
Add attachment proposed patch, testcase, etc.

Aakash Jain

Comment 1 2020-01-23 04:31:45 PST

Crash seems to be in JSC::DFG::ByteCodeParser From https://build.webkit.org/results/Apple-Catalina-Debug-WK2-GPUProcess-Tests/r254969%20(402)/imported/w3c/web-platform-tests/resource-timing/idlharness.any.worker-crash-log.txt 1 0x243d4d8f9 WTFCrash 2 0x244485a1b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x24497ef2e JSC::Operand::asBits() const 4 0x2449987a1 JSC::DFG::OpInfo::OpInfo(JSC::Operand) 5 0x24499870d JSC::DFG::OpInfo::OpInfo(JSC::Operand) 6 0x2449bac27 JSC::DFG::ByteCodeParser::setDirect(JSC::Operand, JSC::DFG::Node*, JSC::DFG::ByteCodeParser::SetMode) 7 0x244a02288 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3::operator()(JSC::CodeBlock*) const 8 0x2449b9bfa void JSC::DFG::ByteCodeParser::inlineCall<JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3>(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallVariant, int, int, JSC::InlineCallFrame::Kind, JSC::DFG::BasicBlock*, JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3 const&) 9 0x2449b98d5 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind) From https://build.webkit.org/results/Apple-Catalina-Debug-WK2-GPUProcess-Tests/r254969%20(402)/imported/w3c/web-platform-tests/dom/ranges/Range-mutations-deleteData-crash-log.txt Thread 8 Crashed:: DFG Worklist Worker Thread 0 com.apple.JavaScriptCore 0x00000004de86b8fe WTFCrash + 14 (Assertions.cpp:305) 1 com.apple.JavaScriptCore 0x00000004defa3a1b WTFCrashWithInfo(int, char const*, char const*, int) + 27 2 com.apple.JavaScriptCore 0x00000004df49cf2e JSC::Operand::asBits() const + 126 (Operands.h:79) 3 com.apple.JavaScriptCore 0x00000004df4b67a1 JSC::DFG::OpInfo::OpInfo(JSC::Operand) + 33 (DFGOpInfo.h:47) 4 com.apple.JavaScriptCore 0x00000004df4b670d JSC::DFG::OpInfo::OpInfo(JSC::Operand) + 29 (DFGOpInfo.h:47) 5 com.apple.JavaScriptCore 0x00000004df4d8c27 JSC::DFG::ByteCodeParser::setDirect(JSC::Operand, JSC::DFG::Node*, JSC::DFG::ByteCodeParser::SetMode) + 55 (DFGByteCodeParser.cpp:386) 6 com.apple.JavaScriptCore 0x00000004df520288 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3::operator()(JSC::CodeBlock*) const + 1176 (DFGByteCodeParser.cpp:1965) 7 com.apple.JavaScriptCore 0x00000004df4d7bfa void JSC::DFG::ByteCodeParser::inlineCall<JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3>

Aakash Jain

Comment 2 2020-01-23 04:35:33 PST

https://trac.webkit.org/changeset/254968/webkit seems like most likely candidate for the regression.

Yusuke Suzuki

Comment 3 2020-01-23 04:49:06 PST

Committed r254975: <https://trac.webkit.org/changeset/254975>

Radar WebKit Bug Importer

Comment 4 2020-01-23 04:50:14 PST

<rdar://problem/58831303>

Note You need to log in before you can comment on or make changes to this bug.