Bug 153704 - [DFG] call-varargs-from-inlined-code-with-odd-number-of-arguments.js fails in POSIX environment if SamplingProfiler is enabled
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2016-01-30 03:59 PST by Yusuke Suzuki
Modified: 2017-03-21 02:23 PDT
Description Yusuke Suzuki 2016-01-30 03:59:50 PST
I think the signaling patch itself does not have problems, and DFG or elsewhere has some problem...
I uploaded a very, very simple patch in https://bugs.webkit.org/show_bug.cgi?id=153584
That just emits a signal in ::suspend and does nothing in ::resume. The signal handler does nothing.
And SamplingProfiler just calls suspend and resume periodically.

Nothing special is done in the above testing patch. It just emits signals. The signal handler does nothing.

Even in the above situation, call-varargs-from-inlined-code-with-odd-number-of-arguments.js sometimes fails. So I think the following situation occurs.

1. The signal handler is set with SA_RESTART. But some system calls do not restart. For example, sleep and usleep are such cases in UNIX. We need to fix this anyway (I'll open a bug for that).
2. So, in some places, sleep is interrupted.
3. As a result, a path that is rarely taken may be taken. For example, if you set some threshold time for invoking DFG, it may not be executed in the usual test cases. But due to the interrupted sleep, it may be invoked.
4. And since this path has some issue, it causes the test failure; the result becomes NaN.

So I think there are some issues in DFG, because when disabling DFG (with env variables), the issue does not occur.
And when disabling FTL, the issue occurs.

I opened 2 issues.

1. Making non-restarted syscalls signal-safe (like sleep) [https://bugs.webkit.org/show_bug.cgi?id=153703]
2. Tracking call-varargs-from-inlined-code-with-odd-number-of-arguments.js issue [this one]
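Item 1 of the description, shown as an added example that is not part of this bug or of WebKit's code: a do-nothing handler installed with SA_RESTART still makes nanosleep() return early with EINTR, and the fix is to retry with the remaining interval. SIGALRM raised by setitimer() stands in for the profiler's SIGUSR2 (an assumption made so the example runs stand-alone).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/time.h>
#include <time.h>

/* Handler that does nothing, like the SIGUSR2 handler in the test patch. */
static void noop_handler(int sig) { (void)sig; }

/* Install the do-nothing handler with SA_RESTART. SIGALRM stands in for
 * the profiler's SIGUSR2 here (assumption) so setitimer() can raise it. */
static int install_noop_handler(int sig) {
    struct sigaction sa;
    sa.sa_handler = noop_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(sig, &sa, NULL);
}

/* One-shot SIGALRM to this process after ms milliseconds. */
static int arm_timer_ms(long ms) {
    struct itimerval it = {
        .it_value = { .tv_sec = ms / 1000, .tv_usec = (ms % 1000) * 1000 }
    };
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Plain nanosleep(): returns 1 if it came back early with EINTR despite
 * SA_RESTART (nanosleep is never restarted by the kernel), 0 if it slept
 * the whole interval, -1 on any other error. */
static int naive_sleep_ms(long ms) {
    struct timespec req = { .tv_sec = ms / 1000,
                            .tv_nsec = (ms % 1000) * 1000000L };
    if (nanosleep(&req, NULL) == 0) return 0;
    return errno == EINTR ? 1 : -1;
}

/* Signal-safe sleep: on EINTR, go back to sleep for the time that is left.
 * Returns the number of retries, or -1 on any other error. */
static int safe_sleep_ms(long ms) {
    struct timespec req = { .tv_sec = ms / 1000,
                            .tv_nsec = (ms % 1000) * 1000000L };
    struct timespec rem;
    int retries = 0;
    while (nanosleep(&req, &rem) != 0) {
        if (errno != EINTR) return -1;
        req = rem;   /* resume with the remaining part of the interval */
        retries++;
    }
    return retries;
}
```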
Comment 1 Yusuke Suzuki 2016-01-30 04:36:12 PST
call-varargs-from-inlined-code.js also fails.
Comment 2 Yusuke Suzuki 2016-01-30 04:39:34 PST
Also stress/v8-earley-boyer-strict.js.ftl-no-cjit-validate-sampling-profiler fails. Maybe call-varargs is related.
Comment 3 Yusuke Suzuki 2016-01-30 04:41:49 PST
One possible reason is signal stack. I'll check it later.
Comment 4 Carlos Alberto Lopez Perez 2017-03-06 10:56:23 PST
stress/spread-forward-call-varargs-stack-overflow.js is also failing on Linux platforms. Can it be related to this issue?

I reported this failure on bug 169206
Comment 5 Yusuke Suzuki 2017-03-06 21:45:12 PST
I believe this crash is caused by the same reason as this bug [1]: somewhere, we have code that touches a stack area that is beyond the red zone, and the SIGUSR2 signal stack (which is used to suspend and resume threads, and is heavily used by the sampling profiler) messes up this area.

I'll investigate it this weekend.

[1]: https://bugs.webkit.org/show_bug.cgi?id=167239
Comment 6 Yusuke Suzuki 2017-03-06 21:49:12 PST
I believe this is related to call arg forwarding.
Comment 7 Yusuke Suzuki 2017-03-21 02:23:05 PDT
This is fixed now.