NEW 155037
Octane typescript benchmark test crashes sometimes
https://bugs.webkit.org/show_bug.cgi?id=155037
Carlos Alberto Lopez Perez
Reported 2016-03-04 13:28:35 PST
Created attachment 273031 [details]
Backtrace of the crash for the typescript test of octane

On current trunk (r197571) running the last test of the Octane benchmark (typescript) crashes the WebProcess sometimes (like 1 out of 5 or 10 times).

I got a coredump, this is part of the backtrace:

Thread 1 (Thread 0x7f78a0232a40 (LWP 10380)):
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007f78af0933d1 in WTF::StringImpl::create(unsigned char const*) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2 0x00007f78af09ecbe in WTF::String::String(char const*) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3 0x00007f78b0981037 in Inspector::Protocol::getEnumConstantValue(int) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4 0x00007f78b0f33e86 in Inspector::Protocol::Page::FrameResource::Builder<1>::setType(Inspector::Protocol::Page::ResourceType) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5 0x00007f78b0f30587 in WebCore::InspectorPageAgent::buildObjectForFrameTree(WebCore::Frame*) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
[...]

I'm attaching the full backtrace.

This was tested with:
./Tools/Scripts/run-benchmark --platform gtk --browser minibrowser --plan octane
Attachments
Backtrace of the crash for the typescript test of octane (35.36 KB, text/plain)
2016-03-04 13:28 PST, Carlos Alberto Lopez Perez
Backtrace of the crash for the typescript test of octane when asserts (debug build) (43.78 KB, text/plain)
2016-03-04 13:41 PST, Carlos Alberto Lopez Perez
Carlos Alberto Lopez Perez
Comment 1 2016-03-04 13:41:18 PST
I managed to make it crash also with the Debug build, gave an assert:

ASSERTION FAILED: value.isUndefinedOrNull()
../../Source/JavaScriptCore/bytecode/SpeculatedType.cpp(404) : SpeculatedType JSC::speculationFromValue(JSC::JSValue)
1 0x7f7c8bd11750 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x20) [0x7f7c8bd11750]
2 0x7f7c8b1c8acc /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC20speculationFromValueENS_7JSValueE+0x17c) [0x7f7c8b1c8acc]
3 0x7f7c8b1644f4 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC16ValueProfileBaseILj1EE24computeUpdatedPredictionERKNS_19ConcurrentJITLockerE+0x84) [0x7f7c8b1644f4]
4 0x7f7c8b155f60 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock36updateAllPredictionsAndCountLivenessERjS1_+0x100) [0x7f7c8b155f60]
5 0x7f7c8b15602d /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock32updateAllValueProfilePredictionsEv+0x1d) [0x7f7c8b15602d]
6 0x7f7c8b153c99 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock20updateAllPredictionsEv+0x19) [0x7f7c8b153c99]
7 0x7f7c8b8504d8 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x1b2f4d8) [0x7f7c8b8504d8]
8 0x7f7c3c0b8c72 [0x7f7c3c0b8c72]

I'm attaching the backtrace for the debug build.
Carlos Alberto Lopez Perez
Comment 2 2016-03-04 13:41:51 PST
Created attachment 273035 [details] Backtrace of the crash for the typescript test of octane when asserts (debug build)
Carlos Alberto Lopez Perez
Comment 3 2016-03-04 13:43:26 PST
Btw, I was not able to reproduce this running the octane benchmark from https://chromium.github.io/octane/, but only the version of the octane benchmark that run-benchmark downloads <https://github.com/chromium/octane-benchmark/archive/fab09aef01c2a5560c22cdc1c1a2451c0d0f4cdc.zip>
Carlos Alberto Lopez Perez
Comment 4 2016-03-07 06:34:46 PST
I have modified the Octane tests to make it only run the Typescript subtest forever until it fails.

So, by running the minibrowser like:

$ Tools/Scripts/run-minibrowser --gtk [--release/--debug] http://people.igalia.com/clopez/wkbug/155037/octane

I'm able to trigger the crash very easily and quickly.
Carlos Alberto Lopez Perez
Comment 5 2016-03-07 13:52:44 PST
This is not GTK specific. I was able to make the Mac port also crash.

- Debug build on r197699 on MacOS 10.10.5 and running the minibrowser via "Tools/Scripts/run-minibrowser --debug" or running safari via "Tools/Scripts/run-safari --debug".

After loading http://people.igalia.com/clopez/wkbug/155037/octane in the browser I get a crash in a few minutes. The assert is the same:

ASSERTION FAILED: value.isUndefinedOrNull()
/Users/clopez/webkit/Source/JavaScriptCore/bytecode/SpeculatedType.cpp(404) : SpeculatedType JSC::speculationFromValue(JSC::JSValue)
1 0x10955dca0 WTFCrash
2 0x109394f5c JSC::speculationFromValue(JSC::JSValue)
3 0x1088ab4d4 JSC::ValueProfileBase<1u>::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&)
4 0x10889ede5 JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
5 0x10889ee8d JSC::CodeBlock::updateAllValueProfilePredictions()
6 0x10889c979 JSC::CodeBlock::updateAllPredictions()
7 0x108fb9a4f operationOptimize
8 0x25b845d8e351
9 0x25b845c2813f
10 0x25b845f71413
11 0x25b845c29680
12 0x25b845f71413
13 0x25b84620f2e4
14 0x25b845a0265d
15 0x25b84621373e
16 0x25b846212128
17 0x25b845a0265d
18 0x25b845f387b9
19 0x25b845bf56a6
20 0x25b845d46a33
21 0x25b8461ff3bc
22 0x25b845a7588a
23 0x25b845a8e7e8
24 0x25b846208e1c
25 0x25b845a0265d
26 0x25b845f7b50b
27 0x25b846207b5a
28 0x25b845a0265d
29 0x10918eb8b llint_entry
30 0x10918eb8b llint_entry
31 0x10918ec05 llint_entry