A release build will yield the following crashes. Regressions: Unexpected crashes (15) http/tests/plugins/third-party-cookie-accept-policy.html [ Crash ] plugins/keyboard-events.html [ Crash ] plugins/mouse-events.html [ Crash ] plugins/netscape-dom-access-and-reload.html [ Crash ] plugins/netscape-dom-access.html [ Crash ] plugins/netscape-plugin-map-data-to-src.html [ Crash ] plugins/netscape-plugin-setwindow-size-2.html [ Crash ] plugins/netscape-plugin-setwindow-size.html [ Crash ] plugins/no-mime-with-valid-extension.html [ Crash ] plugins/npruntime/overrides-all-properties.html [ Crash ] plugins/npruntime/tostring.html [ Crash ] plugins/pass-different-npp-struct.html [ Crash ] plugins/resize-from-plugin.html [ Crash ] plugins/script-object-invoke.html [ Crash ] plugins/window-open.html [ Crash ] The list varies between runs, which suggests the root cause is timing-dependent (a race). On release builds, the crash stack trace often looks like this: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000106de1b31 JSC::VM::clearExceptionStack() + 33 (RefCountedArray.h:98) 1 com.apple.JavaScriptCore 0x0000000106cbf160 JSC::VMEntryScope::VMEntryScope(JSC::VM&, JSC::JSGlobalObject*) + 272 (VMEntryScope.cpp:67) 2 com.apple.JavaScriptCore 0x0000000106c433ec JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 156 (Interpreter.cpp:926) 3 com.apple.JavaScriptCore 0x0000000106c0723e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 (CallData.cpp:39) 4 com.apple.WebKit 0x000000010712bc4b WebKit::NetscapePluginInstanceProxy::invoke(unsigned int, JSC::Identifier const&, char*, unsigned int, char*&, unsigned int&) + 667 (NetscapePluginInstanceProxy.mm:929) 5 com.apple.WebKit 0x00000001071252b0 WKPCInvoke + 272 (NetscapePluginInstanceProxy.h:79) 6 com.apple.WebKit 0x0000000107191e07 _XPCInvoke + 103 
(WebKitPluginClientServer.c:1700) 7 com.apple.WebKit 0x0000000107192821 WebKitPluginClient_server + 81 (WebKitPluginClientServer.c:3535) 8 com.apple.WebKit 0x00000001071240e9 WebKit::NetscapePluginHostProxy::processRequests() + 185 (NetscapePluginHostProxy.mm:301) … On debug builds, the crash stack trace often looks like one of the two following (the same trace, rendered differently depending on what captured it: one includes the assertion that failed, the other includes line numbers): ASSERTION FAILED: !heap.vm()->isInitializingObject() /Volumes/Data/ws6/OpenSource/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCellInlines.h(92) : void *JSC::allocateCell(JSC::Heap &, size_t) [T = JSC::Structure] 1 0x1083d4780 WTFCrash 2 0x10911d984 void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long) 3 0x10911d72f void* JSC::allocateCell<JSC::Structure>(JSC::Heap&) 4 0x10911d4af JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int) 5 0x10911d350 WebKit::ProxyRuntimeObject::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue) 6 0x10911d1fd JSC::Structure* WebCore::getDOMStructure<WebKit::ProxyRuntimeObject>(JSC::VM&, WebCore::JSDOMGlobalObject*) 7 0x109117f0e JSC::Structure* WebCore::deprecatedGetDOMStructure<WebKit::ProxyRuntimeObject>(JSC::ExecState*) 8 0x10911625d WebKit::ProxyInstance::newRuntimeObject(JSC::ExecState*) 9 0x10996e626 JSC::Bindings::Instance::createRuntimeObject(JSC::ExecState*) 10 0x10a74da3a WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) 11 0x10a74dbb5 WebCore::pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLElement*) 12 0x10a6423d2 bool WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLEmbedElement*) 13 0x10a642235 
WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 14 0x10a640489 WebCore::JSHTMLEmbedElement::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 15 0x107f7cdaf JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 16 0x107f7cb2d JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 17 0x107f9800d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const 18 0x1081d058b llint_slow_path_get_by_id 19 0x1081e54ad JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool) 20 0x1081daaba JSC::executeJS(JSC::ExecState*, void*) 21 0x1081da80a long long JSC::doCallToJavaScript<&(JSC::executeJS(JSC::ExecState*, void*))>(void*, JSC::ProtoCallFrame*) 22 0x1081da675 callToJavaScript 23 0x10809913f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*, JSC::Register*) 24 0x108090808 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 25 0x107fe389e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 26 0x10a47bf3b WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 27 0x10a5be914 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) 28 0x109eb5f21 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) 29 0x109eb586e WebCore::EventTarget::fireEventListeners(WebCore::Event*) 30 0x109dfc4b0 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) 31 0x109e032c8 WebCore::DOMWindow::dispatchLoadEvent() or: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 
com.apple.JavaScriptCore 0x0000000104a4d78a WTFCrash + 42 (Assertions.cpp:341) 1 com.apple.WebKit 0x0000000105797984 void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long) + 196 (JSCellInlines.h:92) 2 com.apple.WebKit 0x000000010579772f void* JSC::allocateCell<JSC::Structure>(JSC::Heap&) + 31 (JSCellInlines.h:109) 3 com.apple.WebKit 0x00000001057974af JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int) + 191 (StructureInlines.h:39) 4 com.apple.WebKit 0x0000000105797350 WebKit::ProxyRuntimeObject::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue) + 112 (ProxyRuntimeObject.h:53) 5 com.apple.WebKit 0x00000001057971fd JSC::Structure* WebCore::getDOMStructure<WebKit::ProxyRuntimeObject>(JSC::VM&, WebCore::JSDOMGlobalObject*) + 141 (JSDOMBinding.h:104) 6 com.apple.WebKit 0x0000000105791f0e JSC::Structure* WebCore::deprecatedGetDOMStructure<WebKit::ProxyRuntimeObject>(JSC::ExecState*) + 46 (JSDOMBinding.h:110) 7 com.apple.WebKit 0x000000010579025d WebKit::ProxyInstance::newRuntimeObject(JSC::ExecState*) + 45 (ProxyInstance.mm:134) 8 com.apple.WebCore 0x0000000105fe9626 JSC::Bindings::Instance::createRuntimeObject(JSC::ExecState*) + 278 (BridgeJSC.cpp:79) 9 com.apple.WebCore 0x0000000106dc8a3a WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) + 282 (JSPluginElementFunctions.cpp:100) 10 com.apple.WebCore 0x0000000106dc8bb5 WebCore::pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLElement*) + 37 (JSPluginElementFunctions.cpp:115) 11 com.apple.WebCore 0x0000000106cbd3d2 bool WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLEmbedElement*) + 274 (JSPluginElementFunctions.h:57) 12 com.apple.WebCore 0x0000000106cbd235 
WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 53 (JSHTMLEmbedElementCustom.cpp:38) 13 com.apple.WebCore 0x0000000106cbb489 WebCore::JSHTMLEmbedElement::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 313 (JSHTMLEmbedElement.cpp:126) 14 com.apple.JavaScriptCore 0x00000001045f5daf JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 159 (JSObject.h:1219) 15 com.apple.JavaScriptCore 0x00000001045f5b2d JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 61 (JSObject.h:1228) 16 com.apple.JavaScriptCore 0x000000010461100d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 253 (JSCJSValueInlines.h:669) 17 com.apple.JavaScriptCore 0x000000010484958b llint_slow_path_get_by_id + 235 (LLIntSlowPaths.cpp:518) 18 com.apple.JavaScriptCore 0x000000010485e4ad JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool) + 39965 (LLIntAssembly.h:2053) 19 com.apple.JavaScriptCore 0x0000000104853aba JSC::executeJS(JSC::ExecState*, void*) + 42 (LLIntThunks.cpp:132) 20 com.apple.JavaScriptCore 0x000000010485380a long long JSC::doCallToJavaScript<&(JSC::executeJS(JSC::ExecState*, void*))>(void*, JSC::ProtoCallFrame*) + 394 (LLIntThunks.cpp:122) 21 com.apple.JavaScriptCore 0x0000000104853675 callToJavaScript + 37 (LLIntThunks.cpp:137) 22 com.apple.JavaScriptCore 0x000000010471213f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*, JSC::Register*) + 159 (JITCode.cpp:48) 23 com.apple.JavaScriptCore 0x0000000104709108 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4520 (Interpreter.cpp:880) 24 com.apple.JavaScriptCore 0x00000001046a2f0f JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 479 (Completion.cpp:82) 25 com.apple.WebKit 0x00000001057621a9 
WebKit::NetscapePluginInstanceProxy::evaluate(unsigned int, WTF::String const&, char*&, unsigned int&, bool) + 633 (SourceCode.h:116) 26 com.apple.WebKit 0x00000001057503e2 WKPCEvaluate + 370 (NetscapePluginHostProxy.mm:592) 27 com.apple.WebKit 0x000000010585d8ca _XPCEvaluate + 154 (WebKitPluginClientServer.c:1612) 28 com.apple.WebKit 0x000000010585e9ac WebKitPluginClient_server + 236 (WebKitPluginClientServer.c:3536) 29 com.apple.WebKit 0x000000010574dd5f WebKit::NetscapePluginHostProxy::processRequests() + 431 (NetscapePluginHostProxy.mm:301) 30 com.apple.WebKit 0x00000001057617dd WebKit::NetscapePluginInstanceProxy::processRequestsAndWaitForReply(unsigned int) + 1101 (NetscapePluginInstanceProxy.mm:822) 31 com.apple.WebKit 0x0000000105767afa std::__1::unique_ptr<WebKit::NetscapePluginInstanceProxy::BooleanReply, std::__1::default_delete<WebKit::NetscapePluginInstanceProxy::BooleanReply> > WebKit::NetscapePluginInstanceProxy::waitForReply<WebKit::NetscapePluginInstanceProxy::BooleanReply>(unsigned int) + 122 (NetscapePluginInstanceProxy.h:265) 32 com.apple.WebKit 0x000000010575cd67 WebKit::NetscapePluginInstanceProxy::resize(CGRect, CGRect) + 183 (NetscapePluginInstanceProxy.mm:277) 33 com.apple.WebKit 0x000000010581c391 -[WebHostedNetscapePluginView updateAndSetWindow] + 1297 (WebHostedNetscapePluginView.mm:260) 34 com.apple.WebKit 0x00000001057a7558 -[WebBaseNetscapePluginView start] + 584 (WebBaseNetscapePluginView.mm:412) 35 com.apple.WebKit 0x00000001057a7e46 -[WebBaseNetscapePluginView viewDidMoveToWindow] + 262 (WebBaseNetscapePluginView.mm:548) 36 com.apple.AppKit 0x00007fff9803d2e7 -[NSView _setWindow:] + 2788 37 com.apple.AppKit 0x00007fff98046a77 -[NSView addSubview:] + 407 38 com.apple.WebKit 0x0000000105832f69 -[WebHTMLView addSubview:] + 73 (WebHTMLView.mm:2982) 39 com.apple.WebCore 0x000000010762f5b6 WebCore::ScrollView::platformAddChild(WebCore::Widget*) + 358 (ScrollViewMac.mm:71) 40 com.apple.WebCore 0x0000000107625a8c 
WebCore::ScrollView::addChild(WTF::PassRefPtr<WebCore::Widget>) + 236 (ScrollView.cpp:72) 41 com.apple.WebCore 0x000000010755bf19 WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() + 313 (RenderWidget.cpp:68) 42 com.apple.WebCore 0x0000000106059a8c WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 108 (RenderWidget.h:43) 43 com.apple.WebCore 0x0000000106059a15 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 21 (RenderWidget.h:45) 44 com.apple.WebCore 0x0000000106646486 WebCore::FrameView::updateEmbeddedObjects() + 406 (FrameView.cpp:2690) 45 com.apple.WebCore 0x0000000106640605 WebCore::FrameView::performPostLayoutTasks() + 629 (FrameView.cpp:2751) 46 com.apple.WebCore 0x000000010663ff21 WebCore::FrameView::layout(bool) + 4385 (FrameView.cpp:1338) 47 com.apple.WebCore 0x000000010635e338 WebCore::Document::updateLayout() + 328 (Document.cpp:1804) 48 com.apple.WebCore 0x00000001063614ff WebCore::Document::updateLayoutIgnorePendingStylesheets() + 207 (Document.cpp:1838) 49 com.apple.WebCore 0x00000001067e115f WebCore::HTMLEmbedElement::renderWidgetForJSBindings() const + 111 (HTMLEmbedElement.cpp:76) 50 com.apple.WebCore 0x00000001068552fb WebCore::HTMLPlugInElement::pluginWidget() const + 59 (HTMLPlugInElement.cpp:168) 51 com.apple.WebCore 0x0000000106dc8a69 WebCore::pluginScriptObjectFromPluginViewBase(WebCore::HTMLPlugInElement&, JSC::JSGlobalObject*) + 25 (JSPluginElementFunctions.cpp:56) 52 com.apple.WebCore 0x0000000106dc89b3 WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) + 147 (JSPluginElementFunctions.cpp:90) 53 com.apple.WebCore 0x0000000106dc8bb5 WebCore::pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLElement*) + 37 (JSPluginElementFunctions.cpp:115) 54 com.apple.WebCore 0x0000000106cbd3d2 bool WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, 
WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLEmbedElement*) + 274 (JSPluginElementFunctions.h:57) …
Created attachment 218566 [details] the patch.
Comment on attachment 218566 [details] the patch. r=me
Thanks for the review. Landed in r160211: <http://trac.webkit.org/r160211>.