Bug 69897

Summary: Layout tests crashing in DFG JIT code
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Tools / Tests
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, fpizlo, ggaren, oliver, simon.fraser, webkit.review.bot
Priority: P2
Keywords: LayoutTestFailure, MakingBotsRed, Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.6
URL: http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r97218%20(19479)/results.html
Attachments:
Description | Flags
the patch for fast/dom/prototype-inheritance-2 | none

Description Simon Fraser (smfr) 2011-10-11 21:51:48 PDT
The following tests are crashing in com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator on the SnowLeopard leaks bot:

fast/canvas/webgl/tex-image-with-format-and-type.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871)
fast/dom/prototype-inheritance-2.html: crash log (com.apple.JavaScriptCore: JSC::DFG::AbstractValue::clobberStructures() + 100)
fast/harness/results.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871)
inspector/debugger/linkifier.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871)
inspector/debugger/script-formatter.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) +
Comment 1 Simon Fraser (smfr) 2011-10-11 21:53:43 PDT
Most are an assertion in JITCodeGenerator::silentFillGPR:

http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r97218%20(19479)/fast/canvas/webgl/tex-image-with-format-and-type-crash-log.txt
Comment 2 Simon Fraser (smfr) 2011-10-11 22:17:00 PDT
Also on http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r97221%20(1193)/results.html
fast/dom/prototype-inheritance-2.html
is asserting in JavaScriptCore: JSC::DFG::AbstractValue::clobberStructures() + 125)
Comment 3 Gavin Barraclough 2011-10-11 22:30:07 PDT
The silentFillGPR regressions are likely my bad; clobberStructures is likely due to Filip's last change.

I'll revert my last patch to get the tree green & investigate in the morning, Filip, I'll leave it up to you to choose whether you want to revert or to just land a fix.
Comment 4 Filip Pizlo 2011-10-11 22:32:00 PDT
(In reply to comment #3)
> The silentFillGPR regressions are likely my bad; clobberStructures is likely due to Filip's last change.
> 
> I'll revert my last patch to get the tree green & investigate in the morning, Filip, I'll leave it up to you to choose whether you want to revert or to just land a fix.

I'm trying to figure this out right now...
Comment 5 Gavin Barraclough 2011-10-11 23:09:16 PDT
The silentFillGPR change is reverted in 97235.
Comment 6 Filip Pizlo 2011-10-11 23:21:49 PDT
Created attachment 110643
the patch for fast/dom/prototype-inheritance-2
Comment 7 WebKit Review Bot 2011-10-12 01:00:20 PDT
Comment on attachment 110643
the patch for fast/dom/prototype-inheritance-2

Clearing flags on attachment: 110643

Committed r97240: <http://trac.webkit.org/changeset/97240>
Comment 8 WebKit Review Bot 2011-10-12 01:00:24 PDT
All reviewed patches have been landed.  Closing bug.