Bug 121661 - Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
Keywords: InRadar, MakingBotsRed
Reported: 2013-09-20 00:26 PDT by Alexey Proskuryakov
Modified: 2013-10-18 13:20 PDT (History)


Attachments
the patch (5.01 KB, patch)
2013-10-18 10:59 PDT, Filip Pizlo
no flags
the patch (5.31 KB, patch)
2013-10-18 11:01 PDT, Filip Pizlo
mhahnenberg: review+

Description Alexey Proskuryakov 2013-09-20 00:26:57 PDT
All these tests are quite crashy, particularly on leaks tester for whatever reason: <http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=swizzlers>

    RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());

Thread 12 Crashed:: JSC Compilation Thread
0   com.apple.JavaScriptCore      	0x000000010d91280a WTFCrash + 42 (Assertions.cpp:342)
1   com.apple.JavaScriptCore      	0x000000010d395a9f JSC::Structure::checkOffsetConsistency() const + 207 (StructureInlines.h:233)
2   com.apple.JavaScriptCore      	0x000000010d394c89 JSC::Structure::outOfLineCapacity() const + 25 (Structure.h:182)
3   com.apple.JavaScriptCore      	0x000000010d49ee2f JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 16639 (DFGByteCodeParser.cpp:2518)
4   com.apple.JavaScriptCore      	0x000000010d499ab2 JSC::DFG::ByteCodeParser::parseCodeBlock() + 2002 (DFGByteCodeParser.cpp:3589)
5   com.apple.JavaScriptCore      	0x000000010d4a50fa JSC::DFG::ByteCodeParser::parse() + 250 (DFGByteCodeParser.cpp:3626)
6   com.apple.JavaScriptCore      	0x000000010d4a53de JSC::DFG::parse(JSC::DFG::Graph&) + 62 (DFGByteCodeParser.cpp:3666)
7   com.apple.JavaScriptCore      	0x000000010d59446e JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 190 (DFGPlan.cpp:155)
8   com.apple.JavaScriptCore      	0x000000010d5941a2 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 242 (DFGPlan.cpp:116)
9   com.apple.JavaScriptCore      	0x000000010d634cc4 JSC::DFG::Worklist::runThread() + 468 (DFGWorklist.cpp:239)
10  com.apple.JavaScriptCore      	0x000000010d633d95 JSC::DFG::Worklist::threadFunction(void*) + 21 (DFGWorklist.cpp:261)
11  com.apple.JavaScriptCore      	0x000000010d959400 WTF::threadEntryPoint(void*) + 144 (Threading.cpp:70)
12  com.apple.JavaScriptCore      	0x000000010d959dd8 WTF::wtfThreadEntryPoint(void*) + 104 (ThreadingPthreads.cpp:195)
13  libsystem_c.dylib             	0x00007fff96e23772 _pthread_start + 327
14  libsystem_c.dylib             	0x00007fff96e101a1 thread_start + 13
Comment 1 Radar WebKit Bug Importer 2013-09-20 00:39:33 PDT
<rdar://problem/15038349>
Comment 2 Filip Pizlo 2013-10-18 10:59:01 PDT
Created attachment 214586 [details]
the patch
Comment 3 Filip Pizlo 2013-10-18 11:01:26 PDT
Created attachment 214587 [details]
the patch
Comment 4 Mark Hahnenberg 2013-10-18 11:08:47 PDT
Comment on attachment 214587 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=214587&action=review

r=me

> Source/JavaScriptCore/ChangeLog:21
> +        keeping in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be

it in sync

> Source/JavaScriptCore/ChangeLog:39
> +        outOfLineCapacity(), and is right to do wo without holding any locks (since in all cases where

do so

> Source/JavaScriptCore/ChangeLog:44
> +        property table modified - instead what happens is that so downstream structure steals the

some downstream
Comment 5 Filip Pizlo 2013-10-18 13:20:05 PDT
Landed in http://trac.webkit.org/changeset/157645