Bug 98596
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [GTK][EFL] Crash in JSC::checkOffset, originating from LLInt | | |
| Product | WebKit | Reporter | Zan Dobersek <zan> |
| Component | Tools / Tests | Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED DUPLICATE | | |
| Severity | Normal | CC | cdumez, d-r, fpizlo, mrobinson, pnormand, wingo |
| Priority | P2 | | |
| Version | 528+ (Nightly build) | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
Zan Dobersek
The crash occurred on the GTK 64-bit Debug builder. It seems to be the first such crash in this test, and it's also the first time I've seen such a crash.
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&showAllRuns=true&tests=http%2Ftests%2Finspector-enabled%2Fdedicated-workers-list
http://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug/builds/37359
http://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug/r130578%20(37359)/results.html
Here's the crash log:
Crash log for DumpRenderTree (pid 26961):
...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007ff0f1125f2c in JSC::checkOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:71
71 ASSERT(offset == invalidOffset
...
Thread 1 (Thread 0x7ff0e2c9b900 (LWP 26961)):
#0 0x00007ff0f1125f2c in JSC::checkOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:71
#1 0x00007ff0f12395dc in JSC::validateOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:84
#2 0x00007ff0f1239790 in JSC::JSObject::offsetForLocation (this=0x7ff09764fee0, location=0x7ff097650078) at ../../Source/JavaScriptCore/runtime/JSObject.h:468
#3 0x00007ff0f1237bec in JSC::JSFunction::getOwnPropertySlot (cell=0x7ff09764fee0, exec=0x7ff09f69a038, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:218
#4 0x00007ff0f1238771 in JSC::JSFunction::put (cell=0x7ff09764fee0, exec=0x7ff09f69a038, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:342
#5 0x00007ff0f10987d4 in JSC::JSValue::put (this=0x7fff9b194580, exec=0x7ff09f69a038, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1201
#6 0x00007ff0f118d52e in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7ff09f69a038, pc=0x5322310) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:933
#7 0x00007ff0f11968d3 in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#8 0x00007fff9b194640 in ?? ()
#9 0x00007fff9b194670 in ?? ()
#10 0x0000000000000000 in ?? ()
...
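To make the assertion in the backtrace concrete, here is an added example (not WebKit code) that models JSC's property-offset space and checks an offset the way the quoted `checkOffset` assertion does; it assumes JSC's conventions of `invalidOffset = -1` and `firstOutOfLineOffset = 100`, which are taken from JavaScriptCore of that era and are not stated on this page.

```cpp
#include <cstdio>

// Assumed constants, modelled on JSC's PropertyOffset.h of this era.
typedef int PropertyOffset;
static const PropertyOffset invalidOffset = -1;
static const PropertyOffset firstOutOfLineOffset = 100;

static bool isOutOfLineOffset(PropertyOffset offset)
{
    return offset >= firstOutOfLineOffset;
}

// Mirrors the condition asserted in the crash log:
//   offset == invalidOffset || offset < inlineCapacity || isOutOfLineOffset(offset)
// A structure with `inlineCapacity` inline slots may only hand out offsets
// below that capacity or at/above firstOutOfLineOffset (butterfly storage).
static bool offsetIsValid(PropertyOffset offset, PropertyOffset inlineCapacity)
{
    return offset == invalidOffset || offset < inlineCapacity || isOutOfLineOffset(offset);
}

// Classifies an offset for diagnostics. The crash's pair (49, 15) lands in the
// gap between the inline capacity and the first out-of-line offset: it names
// neither an inline slot nor a butterfly slot, so it cannot be a real property.
static const char* describeOffset(PropertyOffset offset, PropertyOffset inlineCapacity)
{
    if (offset == invalidOffset)
        return "invalid (no such property)";
    if (offset >= 0 && offset < inlineCapacity)
        return "inline slot";
    if (isOutOfLineOffset(offset))
        return "out-of-line slot";
    return "bogus: between inlineCapacity and firstOutOfLineOffset";
}

int main()
{
    // Values taken from the backtrace above: offset=49, inlineCapacity=15.
    const PropertyOffset offset = 49, inlineCapacity = 15;
    std::printf("offset %d with inlineCapacity %d: %s (valid=%d)\n",
                offset, inlineCapacity, describeOffset(offset, inlineCapacity),
                offsetIsValid(offset, inlineCapacity));
    return 0;
}
```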
Zan Dobersek
Also, I'm not adding any crash expectation, just to see if this will actually occur again in the same test or anywhere else.
Chris Dumez
We have the same intermittent crashes on EFL port for:
fast/workers/worker-replace-global-constructor.html
fast/scrolling/scrollable-area-frame.html
fast/scrolling/scrollable-area-frame-inherited-visibility-hidden.html
fast/table/padding-height-and-override-height.html
(And probably others)
Backtrace:
crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ASSERTION FAILED: offset == invalidOffset || offset < inlineCapacity || isOutOfLineOffset(offset)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/runtime/PropertyOffset.h(73) : void JSC::checkOffset(JSC::PropertyOffset, JSC::PropertyOffset)
STDERR: 1 0x7fea6a4bed92 JSC::checkOffset(int, int)
STDERR: 2 0x7fea64aff92e JSC::validateOffset(int, int)
STDERR: 3 0x7fea64affae2 JSC::JSObject::offsetForLocation(JSC::WriteBarrierBase<JSC::Unknown>*) const
STDERR: 4 0x7fea64b4460d JSC::setUpStaticFunctionSlot(JSC::ExecState*, JSC::HashEntry const*, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 5 0x7fea64b6b23c bool JSC::getStaticFunctionSlot<JSC::StringObject>(JSC::ExecState*, JSC::HashTable const*, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 6 0x7fea64b63460 JSC::StringPrototype::getOwnPropertySlot(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 7 0x7fea64b30ad2 JSC::JSString::getOwnPropertySlot(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 8 0x7fea6da069db JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 9 0x7fea6a4d0742 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
STDERR: 10 0x7fea64bb8fcd
STDERR: 11 0x7fea64bc2a00
STDERR: LEAK: 1 WebPageProxy
STDERR: LEAK: 1 WebContext
Dominik Röttsches (drott)
I propose to mark this a duplicate of bug 98722, since that one has revision information and the best root cause info.
*** This bug has been marked as a duplicate of bug 98722 ***