NEW
107257
[GTK] fast/js/toString-stack-overflow.html is crashing
https://bugs.webkit.org/show_bug.cgi?id=107257
Zan Dobersek
Reported
2013-01-18 04:19:27 PST
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&showAllRuns=true&tests=fast%2Fjs%2FtoString-stack-overflow.html
No specific regression range ... yet.

Crash log for DumpRenderTree (pid 25347):
...
[New LWP 25357]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b795b2e10ac in JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook> (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000, markHook=...) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:97
97          ASSERT((static_cast<char*>(end) - static_cast<char*>(begin)) < 0x1000000);
...

Thread 1 (Thread 0x2b796a139680 (LWP 25347)):
#0  0x00002b795b2e10ac in JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook> (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000, markHook=...) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:97
#1  0x00002b795b2e0702 in JSC::ConservativeRoots::add (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:114
#2  0x00002b795b2f8e37 in JSC::MachineThreads::gatherFromCurrentThread (this=0x28860b8, conservativeRoots=..., stackCurrent=0x7ffff6938e20) at ../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:263
#3  0x00002b795b2f9025 in JSC::MachineThreads::gatherConservativeRoots (this=0x28860b8, conservativeRoots=..., stackCurrent=0x7ffff6938e20) at ../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:475
#4  0x00002b795b2eb810 in JSC::Heap::markRoots (this=0x2882fc8, fullGC=true) at ../../Source/JavaScriptCore/heap/Heap.cpp:440
#5  0x00002b795b2ec2e0 in JSC::Heap::collect (this=0x2882fc8, sweepToggle=JSC::Heap::DoNotSweep) at ../../Source/JavaScriptCore/heap/Heap.cpp:748
#6  0x00002b795b2eaffe in JSC::Heap::reportExtraMemoryCostSlowCase (this=0x2882fc8, cost=17784) at ../../Source/JavaScriptCore/heap/Heap.cpp:309
#7  0x00002b795b1167d5 in JSC::Heap::reportExtraMemoryCost (this=0x2882fc8, cost=17784) at ../../Source/JavaScriptCore/heap/Heap.h:380
#8  0x00002b795b133383 in JSC::JSString::finishCreation (this=0x2b79b088cea0, globalData=..., length=17784, cost=17784) at ../../Source/JavaScriptCore/runtime/JSString.h:107
#9  0x00002b795b1334a2 in JSC::JSString::create (globalData=..., value=...) at ../../Source/JavaScriptCore/runtime/JSString.h:127
#10 0x00002b795b133603 in JSC::jsString (globalData=0x2882f70, s="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,"...) at ../../Source/JavaScriptCore/runtime/JSString.h:395
#11 0x00002b795b133647 in JSC::jsString (exec=0x2b79b0085c48, s="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,"...) at ../../Source/JavaScriptCore/runtime/JSString.h:458
#12 0x00002b795b3ea07d in JSC::arrayProtoFuncToString (exec=0x2b79b0085c48) at ../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:348
#13 0x00002b795b3114c5 in JSC::Interpreter::executeCall (this=0x2b79ac0067f0, callFrame=0x2b79b0085bf0, function=0x2b79b064d500, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1058
#14 0x00002b795b3f5c71 in JSC::call (exec=0x2b79b0085bf0, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:40
#15 0x00002b795b44bb59 in JSC::callDefaultValueFunction (exec=0x2b79b0085bf0, object=0x2b79b0c21940, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1362
#16 0x00002b795b44bd26 in JSC::JSObject::defaultValue (object=0x2b79b0c21940, exec=0x2b79b0085bf0, hint=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1383
#17 0x00002b795b427aad in JSC::JSObject::toPrimitive (this=0x2b79b0c21940, exec=0x2b79b0085bf0, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.h:1400
#18 0x00002b795b427481 in JSC::JSCell::toPrimitive (this=0x2b79b0c21940, exec=0x2b79b0085bf0, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:145
#19 0x00002b795b46dd44 in JSC::JSValue::toStringSlowCase (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:308
#20 0x00000000004b71d3 in JSC::JSValue::toString (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:511
#21 0x00002b795b3efed3 in JSC::inlineJSValueNotStringtoString (value=..., exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:536
#22 0x00002b795b46ddff in JSC::JSValue::toWTFStringSlowCase (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:317
#23 0x00002b795b3efd1a in JSC::JSValue::toWTFString (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:518
#24 0x00002b795b3e9d7e in JSC::arrayProtoFuncToString (exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:320
#25 0x00002b795b3114c5 in JSC::Interpreter::executeCall (this=0x2b79ac0067f0, callFrame=0x2b79b0085b98, function=0x2b79b064d500, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1058
#26 0x00002b795b3f5c71 in JSC::call (exec=0x2b79b0085b98, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:40
#27 0x00002b795b44bb59 in JSC::callDefaultValueFunction (exec=0x2b79b0085b98, object=0x2b79b0c21920, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1362
#28 0x00002b795b44bd26 in JSC::JSObject::defaultValue (object=0x2b79b0c21920, exec=0x2b79b0085b98, hint=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1383
#29 0x00002b795b427aad in JSC::JSObject::toPrimitive (this=0x2b79b0c21920, exec=0x2b79b0085b98, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.h:1400
#30 0x00002b795b427481 in JSC::JSCell::toPrimitive (this=0x2b79b0c21920, exec=0x2b79b0085b98, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:145
#31 0x00002b795b46dd44 in JSC::JSValue::toStringSlowCase (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:308
#32 0x00000000004b71d3 in JSC::JSValue::toString (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:511
#33 0x00002b795b3efed3 in JSC::inlineJSValueNotStringtoString (value=..., exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:536
#34 0x00002b795b46ddff in JSC::JSValue::toWTFStringSlowCase (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:317
#35 0x00002b795b3efd1a in JSC::JSValue::toWTFString (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:518
(The last 12 frames loop.)
Zan Dobersek
Comment 1
2013-01-18 13:18:23 PST
This test is crashing due to stack size being too large. This was caused by increasing the swap size on the debug builder (I believe from 8GB to 12GB, while the system also has 8GB of RAM).

Two more tests started failing because of the same cause:
fast/dom/Window/window-postmessage-clone-deep-array.html
fast/js/large-expressions.html

On the setup I'm using (8GB of RAM, 18GB of swap), I've run a simple test in both Chrome and GtkLauncher:

    var i = 0;
    function rec() {
        i++;
        rec();
    }
    try {
        rec();
    } catch (error) {
        console.log("Got error " + error);
        console.log("Hit the top at " + i);
    }

In Chrome, I get 25083 recursions while in GtkLauncher I get 58034 of those.

Debugging the stack size, the stack made available through pthread is (on my setup) 8MB large.
http://trac.webkit.org/browser/trunk/Source/WTF/wtf/StackBounds.cpp#L131
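The assertion in frame #0 of the trace compares the size of the stack region handed to the conservative root scanner (from the current stack pointer `begin` up to the stack origin `end`) against 0x1000000 bytes. The C program below is an added example written for this page, not WebKit code: it recomputes that span from the two addresses in the log, then asks the running thread for its own stack mapping with `pthread_getattr_np` (the glibc/musl extension that StackBounds.cpp also relies on for Linux) and reports whether a scan from the current frame to the stack top would stay under the limit. The limit and the two addresses come from the trace; the function names, the `RLIMIT_STACK` readout and the fallback prototype are this example's own assumptions, and it expects a Linux-like system with a GNU-compatible pthread implementation.

```c
#define _GNU_SOURCE            /* exposes pthread_getattr_np in glibc headers */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>

#ifndef __USE_GNU
/* Fallback prototype in case no feature macro was in effect for <pthread.h>. */
int pthread_getattr_np(pthread_t thread, pthread_attr_t *attr);
#endif

/* Bound asserted at ConservativeRoots.cpp:97 in the trace above: the stack
 * region handed to the conservative scanner must be smaller than 16 MiB. */
#define CONSERVATIVE_SPAN_LIMIT ((uintptr_t)0x1000000)

/* begin/end of the scanned span, copied from frame #0 of the crash log. */
#define LOG_SPAN_BEGIN ((uintptr_t)0x7ffff6938e20ULL)
#define LOG_SPAN_END   ((uintptr_t)0x7ffff7fd7000ULL)

/* Size in bytes of [begin, end); 0 for an inverted range. */
uintptr_t span_bytes(uintptr_t begin, uintptr_t end)
{
    return end > begin ? end - begin : 0;
}

/* 1 if a span of that size satisfies the assertion, 0 if it would trip it. */
int span_within_limit(uintptr_t begin, uintptr_t end)
{
    if (end < begin)
        return 0;
    return (end - begin) < CONSERVATIVE_SPAN_LIMIT;
}

/* Look up the calling thread's stack mapping [lo, hi) via pthread_getattr_np.
 * Returns 0 on success, -1 if the bounds could not be obtained. */
int current_thread_stack(uintptr_t *lo, uintptr_t *hi)
{
    pthread_attr_t attr;
    void *addr = NULL;
    size_t size = 0;

    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return -1;
    int rc = pthread_attr_getstack(&attr, &addr, &size);
    pthread_attr_destroy(&attr);
    if (rc != 0 || size == 0)
        return -1;
    *lo = (uintptr_t)addr;
    *hi = (uintptr_t)addr + size;
    return 0;
}

/* Soft RLIMIT_STACK in bytes, the setting that caps how deep the main thread's
 * stack may grow. Returns -1 on error, -2 if the limit is unlimited. */
long long stack_rlimit_bytes(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return -2;
    return (long long)rl.rlim_cur;
}

/* Mirror of what gatherFromCurrentThread does: take the current stack pointer
 * (approximated by a local's address) and the stack origin, and ask whether
 * that span would pass the assertion. 1 = pass, 0 = trip, -1 = bounds unknown. */
int current_frame_scan_ok(void)
{
    uintptr_t lo, hi;
    volatile int marker = 0;              /* lives in this frame */
    if (current_thread_stack(&lo, &hi) != 0)
        return -1;
    return span_within_limit((uintptr_t)&marker, hi);
}

int main(void)
{
    uintptr_t n = span_bytes(LOG_SPAN_BEGIN, LOG_SPAN_END);
    printf("span in crash log: 0x%llx bytes (%.1f MiB), limit 0x%llx -> %s\n",
           (unsigned long long)n, n / (1024.0 * 1024.0),
           (unsigned long long)CONSERVATIVE_SPAN_LIMIT,
           span_within_limit(LOG_SPAN_BEGIN, LOG_SPAN_END) ? "passes" : "trips ASSERT");

    uintptr_t lo, hi;
    if (current_thread_stack(&lo, &hi) == 0)
        printf("this thread's stack: [0x%llx, 0x%llx) = %llu bytes\n",
               (unsigned long long)lo, (unsigned long long)hi,
               (unsigned long long)(hi - lo));

    long long rl = stack_rlimit_bytes();
    if (rl >= 0)
        printf("RLIMIT_STACK (soft): %lld bytes\n", rl);
    else if (rl == -2)
        printf("RLIMIT_STACK (soft): unlimited\n");

    int ok = current_frame_scan_ok();
    printf("scan from this frame to the stack top: %s\n",
           ok == 1 ? "within limit" : ok == 0 ? "would trip ASSERT" : "bounds unavailable");
    return 0;
}
```

Build with `cc -pthread example.c`. The span in the log works out to 0x169E1E0 bytes, roughly 22.6 MiB, so the scanner was asked to walk well past the 16 MiB the assertion allows; on a thread with the 8MB pthread stack mentioned in the comment the same check from any frame stays within the limit, which is why the failure only shows up once the runtime is able to grow a much deeper stack.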
Simon Pena
Comment 2
2013-07-05 09:42:39 PDT
This test now fails but doesn't crash any more.