Bug 151440 - REGRESSION(r192599): It made 34 JSC tests crash on ARM Linux
Summary: REGRESSION(r192599): It made 34 JSC tests crash on ARM Linux
Status: RESOLVED DUPLICATE of bug 151445
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Other
Hardware: Unspecified Unspecified
Importance: P1 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 108645 151415
Reported: 2015-11-19 03:03 PST by Csaba Osztrogonác
Modified: 2015-11-20 02:38 PST
CC: 7 users

See Also:


Description Csaba Osztrogonác 2015-11-19 03:03:52 PST
https://trac.webkit.org/changeset/192599 made 34 JSC stress tests
crash at least on ARM Linux platforms. (ARMv7 - ARM and Thumb2
instruction sets too; AArch64)

Maybe these tests fail on iOS too, but unfortunately 
there is no public iOS buildbot, so I don't know.

- https://build.webkit.org/builders/EFL%20Linux%20ARMv7%20Traditional%20Release/builds/16061
- https://build.webkit.org/builders/EFL%20Linux%20ARMv7%20Thumb2%20Release/builds/16212
- https://build.webkit.org/builders/EFL%20Linux%20AArch64%20Release/builds/4416
  (note: there were 25-30 failures on AArch64 before this change)

** The following JSC stress test failures have been introduced:
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout-dfg-eager-no-cjit
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout-no-cjit
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout-no-llint
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout-dfg-eager-no-cjit
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout-no-cjit
	jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout-no-llint
	jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout
	jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout-dfg-eager-no-cjit
	jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout-no-cjit
	jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout-no-llint
	regress/script-tests/v8-raytrace-with-empty-try-catch.js.dfg-maximal-flush-validate-no-cjit
	stress/double-rep-with-null.js.always-trigger-copy-phase
	stress/double-rep-with-null.js.default
	stress/double-rep-with-undefined.js.dfg-maximal-flush-validate-no-cjit
	stress/double-rep-with-undefined.js.no-cjit-validate-phases
	stress/double-rep-with-undefined.js.no-llint
	stress/op_add.js.always-trigger-copy-phase
	stress/op_add.js.default
	stress/op_add.js.dfg-eager
	stress/op_add.js.dfg-eager-no-cjit-validate
	stress/op_add.js.dfg-maximal-flush-validate-no-cjit
	stress/op_add.js.no-cjit-validate-phases
	stress/op_add.js.no-llint
	stress/op_sub.js.always-trigger-copy-phase
	stress/op_sub.js.default
	stress/op_sub.js.dfg-eager
	stress/op_sub.js.dfg-eager-no-cjit-validate
	stress/op_sub.js.dfg-maximal-flush-validate-no-cjit
	stress/op_sub.js.no-cjit-validate-phases
	stress/op_sub.js.no-llint
	stress/v8-raytrace-strict.js.dfg-maximal-flush-validate-no-cjit
	v8-v6/v8-raytrace.js.dfg-maximal-flush-validate-no-cjit

I'll try to create debug backtraces in the following week to help fix this regression.
Comment 1 Csaba Osztrogonác 2015-11-19 03:04:34 PST
ah, I forgot the GTK ARM link:
- https://build.webkit.org/builders/GTK%20Linux%20ARM%20Release/builds/9377
Comment 2 Michael Catanzaro 2015-11-19 05:29:25 PST
Looks serious enough for a rollout? What do you think, Mark?
Comment 3 Csaba Osztrogonác 2015-11-19 05:35:05 PST
(In reply to comment #2)
> Looks serious enough for a rollout? What do you think, Mark?

Generally we don't roll out any JSC patch which causes
build failures or test regressions on non-Apple ports.
Comment 4 Mark Lam 2015-11-19 05:44:11 PST
Can someone run run-javascriptcore-tests manually on ARM, and post an actual crash trace?  Thanks.
Comment 5 Mark Lam 2015-11-19 08:22:37 PST
I just finished a release build run on ARMv7 without any issues.  I will also do runs with debug builds and ARM64, but I suspect that this issue needs to be debugged on the EFL port.
Comment 6 Mark Lam 2015-11-19 08:24:26 PST
(In reply to comment #5)
> I just finished a release build run on ARMv7 without any issues.  I will
> also do runs with debug builds and ARM64, but I suspect that this issue
> needs to be debugged on the EFL port.

I take that back.  My build did not include the change.  Will re-test.
Comment 7 Csaba Osztrogonác 2015-11-19 08:28:54 PST
(In reply to comment #4)
> Can someone run run-javascriptcore-tests manually on ARM, and post an actual
> crash trace?  Thanks.

I tried to generate a backtrace on ARMv7, but unfortunately gdb crashes
on a debug build of JSC. :(

But it seems the bug is in the DFG JIT somewhere, because
stress/op_sub.js passes with the DFG disabled, but crashes by default.

I had a release backtrace. I don't think it helps, but who knows.

#0  0x00000000 in ?? ()
(gdb) bt
#0  0x00000000 in ?? ()
#1  0xb6d83d56 in llint_entry ()
   from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1
#2  0xb6d83d56 in llint_entry ()
   from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1
#3  0xb6d83da0 in llint_entry ()
   from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1
#4  0xb6d7ebe0 in vmEntryToJavaScript ()
   from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1
#5  0xb6b4956a in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
   from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1
#6  0xdfacb3fc in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

I'll try to create a debug backtrace on AArch64, but I will 
have time for it only tomorrow morning (in CET timezone).
Comment 8 Mark Lam 2015-11-19 10:29:12 PST
I found one issue in https://bugs.webkit.org/show_bug.cgi?id=151445 which is now fixed.  With that fix, I was able to run the JSC tests with a release build of ToT r192631 to completion without any of the failures reported in this bug.  Let me know if you're still seeing any failures.
Comment 9 Zan Dobersek 2015-11-19 11:28:07 PST
(In reply to comment #8)
> I found one issue in https://bugs.webkit.org/show_bug.cgi?id=151445 which is
> now fixed.  With that fix, I was able to run the JSC tests with a release
> build of ToT r192631 to completion without any of the failures reported in
> this bug.  Let me know if you're still seeing any failures.

This does fix the problem for me locally, ARMv7 with Thumb2.

I'll leave it to Ossy to confirm, and to close the bug.

Thanks for the prompt fix.
Comment 10 Csaba Osztrogonác 2015-11-20 02:38:57 PST
bug 151445 fixed all tests, thanks.

*** This bug has been marked as a duplicate of bug 151445 ***