Bug 69897

Summary: Layout tests crashing in DFG JIT code
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Tools / TestsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo, ggaren, oliver, simon.fraser, webkit.review.bot
Priority: P2 Keywords: LayoutTestFailure, MakingBotsRed, Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.6   
URL: http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r97218%20(19479)/results.html
Attachments:
Description Flags
the patch for fast/dom/prototype-inheritance-2 none

Simon Fraser (smfr)
Reported 2011-10-11 21:51:48 PDT
The following tests are crashing in com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator on the SnowLeopard leaks bot: fast/canvas/webgl/tex-image-with-format-and-type.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871) fast/dom/prototype-inheritance-2.html: crash log (com.apple.JavaScriptCore: JSC::DFG::AbstractValue::clobberStructures() + 100) fast/harness/results.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871) inspector/debugger/linkifier.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871) inspector/debugger/script-formatter.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) +
Attachments
the patch for fast/dom/prototype-inheritance-2 (2.04 KB, patch)
2011-10-11 23:21 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2011-10-11 21:53:43 PDT
Most are an assertion in JITCodeGenerator::silentFillGPR: http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r97218%20(19479)/fast/canvas/webgl/tex-image-with-format-and-type-crash-log.txt
Simon Fraser (smfr)
Comment 2 2011-10-11 22:17:00 PDT
Also on http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r97221%20(1193)/results.html fast/dom/prototype-inheritance-2.html is asserting in JavaScriptCore: JSC::DFG::AbstractValue::clobberStructures() + 125)
Gavin Barraclough
Comment 3 2011-10-11 22:30:07 PDT
The silentFillGPR regressions are likely my bad; clobberStructures is likely due to Filip's last change. I'll revert my last patch to get the tree green & investigate in the morning, Filip, I'll leave it up to you to choose whether you want to revert or to just land a fix.
Filip Pizlo
Comment 4 2011-10-11 22:32:00 PDT
(In reply to comment #3) > The silentFillGPR regressions are likely my bad; clobberStructures is likely due to Filip's last change. > > I'll revert my last patch to get the tree green & investigate in the morning, Filip, I'll leave it up to you to choose whether you want to revert or to just land a fix. I'm trying to figure this out right now...
Gavin Barraclough
Comment 5 2011-10-11 23:09:16 PDT
The silentFillGPR change is reverted in 97235.
Filip Pizlo
Comment 6 2011-10-11 23:21:49 PDT
Created attachment 110643 [details] the patch for fast/dom/prototype-inheritance-2
WebKit Review Bot
Comment 7 2011-10-12 01:00:20 PDT
Comment on attachment 110643 [details] the patch for fast/dom/prototype-inheritance-2 Clearing flags on attachment: 110643 Committed r97240: <http://trac.webkit.org/changeset/97240>
WebKit Review Bot
Comment 8 2011-10-12 01:00:24 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.