Bug 126174 - jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit is failing in cStack
Summary: jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cji...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Mark Lam
URL:
Keywords:
Depends on:
Blocks: 126172
  Show dependency treegraph
 
Reported: 2013-12-23 12:42 PST by Filip Pizlo
Modified: 2014-01-15 08:27 PST (History)
7 users (show)

See Also:

Attachments
the patch. (4.24 KB, patch)
2013-12-25 23:04 PST, Mark Lam 		no flags Details | Formatted Diff | Diff
the patch. (4.24 KB, patch)
2013-12-25 23:12 PST, Mark Lam 		ggaren: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2013-12-23 12:42:55 PST 
Probably a varargs issue.
Comment 1 Filip Pizlo 2013-12-23 16:14:08 PST 
It looks like this fails even in the LLInt.  Still investigating...
Comment 2 Filip Pizlo 2013-12-23 16:32:49 PST 
This looks like an exception throwing, unwinding, and stack overflow bug.

All engines crash on the tests for stack overflow, where you apply with a ridiculous argument count.
Comment 3 Mark Lam 2013-12-23 18:24:23 PST 
Here's a reduced test case that reproduces this issue (or likely the root cause of this issue):

function foo() {
    try {
        foo();
    } catch (e) {
        throw e;
    }
}
foo();
Comment 4 Mark Lam 2013-12-25 23:04:33 PST 
Created attachment 220024 [details]
the patch.
Comment 5 Mark Lam 2013-12-25 23:12:09 PST 
Created attachment 220025 [details]
the patch.
Comment 6 Mark Lam 2013-12-25 23:15:06 PST 
When we do a stack check in a function prologue, the activation object in the frame hasn't been set yet. The test failures came from the stack unwinding code trying to tear off the frame to a non-existant activation object. Since we haven't entered the function yet and the frame is technically not fully "pushed" yet, we can throw i.e. start the unwinding from the caller frame instead. This fixes the issue.

Landed in r161084 on the jsCStack branch: <http://trac.webkit.org/r161084>.
Comment 7 Michael Saboff 2013-12-26 08:15:33 PST 
With the span size ASSERT disabled in ConservativeRoots.cpp, function-apply-aliased.js.layout-no-cjit (and the other instances of function-apply-aliased.js) fail after timing out:

jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: Timed out after 169.000000 seconds!
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 1   0x10188adc0 WTFCrash
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 2   0x1011be960 jscmain(int, char**)
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 3   0x1018da288 WTF::threadEntryPoint(void*)
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 4   0x1018db038 WTF::wtfThreadEntryPoint(void*)
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 5   0x7fff8c879899 _pthread_body
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 6   0x7fff8c87972a _pthread_struct_init
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: 7   0x7fff8c87dfc9 thread_start
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: test_script_6882: line 2: 57151 Segmentation fault: 11  "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --enableConcurrentJIT\=false resources/standalone-pre.js function-apply-aliased.js resources/standalone-post.js
jsc-layout-tests.yaml/js/script-tests/function-apply-aliased.js.layout-no-cjit: ERROR: Unexpected exit code: 139
Comment 8 Mark Lam 2013-12-26 08:17:37 PST 
(In reply to comment #7)
> With the span size ASSERT disabled in ConservativeRoots.cpp, function-apply-aliased.js.layout-no-cjit (and the other instances of function-apply-aliased.js) fail after timing out:

That is because the JSStack size used to be 512K.  Now it is is 63M.  I’m now working on adding a VM option to cap the C stack size, and we’ll cap the stack size to 4M for jsc and tests.  With that, the tests won’t time out.
Comment 9 Filip Pizlo 2013-12-26 08:26:53 PST 
(In reply to comment #8)
> (In reply to comment #7)
> > With the span size ASSERT disabled in ConservativeRoots.cpp, function-apply-aliased.js.layout-no-cjit (and the other instances of function-apply-aliased.js) fail after timing out:
> 
> That is because the JSStack size used to be 512K.  Now it is is 63M.  I’m now working on adding a VM option to cap the C stack size, and we’ll cap the stack size to 4M for jsc and tests.  With that, the tests won’t time out.

OK - we need to have an *actual* story for this.  We can't have a WebKit user getting a spin every time that some program overflows stack.

Maybe you should have limits on how much stack JS is allowed to use?  As we talked previously, you'll have to have a story for how this will work in case of VM reentry.
Comment 10 Mark Lam 2013-12-30 22:37:23 PST 
(In reply to comment #9)
> Maybe you should have limits on how much stack JS is allowed to use?  As we talked previously, you'll have to have a story for how this will work in case of VM reentry.

The work to use a separate limit for the JS stack is at https://bugs.webkit.org/show_bug.cgi?id=126320.
Comment 11 Geoffrey Garen 2014-01-14 14:47:26 PST 
Comment on attachment 220025 [details]
the patch.

r=me
Comment 12 Mark Lam 2014-01-15 08:27:42 PST 
Review status updated in r162014: <http://trac.webkit.org/r162014>.