Bug 216406

Summary: REGRESSION(r266770): construct-return-early-from-infinite-loop-for-fuzzer.js loops on x86_64 cloop
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: guijemont, mcatanzaro, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=216289
https://bugs.webkit.org/show_bug.cgi?id=258179

Michael Catanzaro
Reported 2020-09-11 09:07:40 PDT
The new construct-return-early-from-infinite-loop-for-fuzzer.js test added in r266770 "[JSC] returnEarlyFromInfiniteLoopsForFuzzing should return object" loops forever on llint, but only on x86_64. Other architectures seems to be fine. (So this doesn't affect any architectures that commonly use llint, but x86_64 is great to have working as a baseline to see when problems occur only on a particular architecture.)
Attachments
Add attachment proposed patch, testcase, etc.
Guillaume Emont
Comment 1 2020-09-14 07:28:23 PDT
(In reply to Michael Catanzaro from comment #0) > The new construct-return-early-from-infinite-loop-for-fuzzer.js test added > in r266770 "[JSC] returnEarlyFromInfiniteLoopsForFuzzing should return > object" loops forever on llint, but only on x86_64. Other architectures > seems to be fine. (So this doesn't affect any architectures that commonly > use llint, but x86_64 is great to have working as a baseline to see when > problems occur only on a particular architecture.) Did you mean when using CLoop (JIT disabled at compile time)? Or with LLInt compiled with the x86_64 backend (default) and disabling higher tiers at runtime? FWIW x86_64 does use LLInt as its first tier by default.
Michael Catanzaro
Comment 2 2020-09-14 08:03:04 PDT
Yes, this is with cloop enabled and JIT disabled. (The point of testing cloop on x86_64 is to distinguish between architecture-specific bugs and general cloop bugs.)
Michael Catanzaro
Comment 3 2020-09-15 16:47:19 PDT
Is there anything I should try running that could maybe help with debugging this? It hangs our internal Jenkins builder, and I'm starting to get nervous about missing CI coverage since it's now been a week since the regression landed.
Yusuke Suzuki
Comment 4 2020-09-15 16:48:44 PDT
I think maybe returnEarlyFromInfiniteLoopsForFuzzing's loop-hint thing is not supported in CLoop...? For now, I'll put `isUseJIT()` check
Yusuke Suzuki
Comment 5 2020-09-15 16:51:48 PDT
Committed r267115: <https://trac.webkit.org/changeset/267115>
Radar WebKit Bug Importer
Comment 6 2020-09-15 16:52:19 PDT
<rdar://problem/68950461>
Michael Catanzaro
Comment 7 2020-09-15 17:52:44 PDT
OK, thanks Yusuke! $vm.useJIT() will certainly guarantee the test doesn't run.
Note You need to log in before you can comment on or make changes to this bug.