RESOLVED FIXED 155411
REGRESSION: ASSERTION FAILED: !m_lastActiveBlock on js/function-apply.html 
https://bugs.webkit.org/show_bug.cgi?id=155411
Summary REGRESSION: ASSERTION FAILED: !m_lastActiveBlock on js/function-apply.html
Alexey Proskuryakov
Reported 2016-03-13 14:14:29 PDT
js/function-apply.html has started to sometimes assert around March 9. It's not frequent enough to pinpoint the exact revision, but it seems to be frequent enough to confuse EWS (see bug 155388). Perhaps bug 155178? ASSERTION FAILED: !m_lastActiveBlock /Volumes/Data/slave/yosemite-debug/build/Source/JavaScriptCore/heap/MarkedAllocator.h(131) : void JSC::MarkedAllocator::stopAllocating() 1 0x108805030 WTFCrash 2 0x108446e1a JSC::MarkedAllocator::stopAllocating() 3 0x108446dc9 JSC::StopAllocatingFunctor::operator()(JSC::MarkedAllocator&) 4 0x108446d86 void JSC::MarkedSpace::forEachAllocator<JSC::StopAllocatingFunctor>(JSC::StopAllocatingFunctor&) 5 0x108445bd9 void JSC::MarkedSpace::forEachAllocator<JSC::StopAllocatingFunctor>() 6 0x108444c8c JSC::MarkedSpace::stopAllocating() 7 0x10844558c JSC::MarkedSpace::willStartIterating() 8 0x108107a6c JSC::Heap::willStartIterating() 9 0x107bef0d3 JSC::HeapIterationScope::HeapIterationScope(JSC::Heap&) 10 0x107bdf40d JSC::HeapIterationScope::HeapIterationScope(JSC::Heap&) 11 0x108109085 JSC::Heap::removeDeadHeapSnapshotNodes(JSC::HeapProfiler&) 12 0x10810a279 JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37]) 13 0x108109c4d JSC::Heap::collect(JSC::HeapOperation) 14 0x107fe0805 JSC::EdenGCActivityCallback::doCollection() 15 0x1080f8620 JSC::GCActivityCallback::doWork() 16 0x1081248cf JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*) 17 0x7fff8ade12e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
Attachments
[PATCH] Proposed Fix (2.18 KB, patch)
2016-03-14 16:49 PDT, Joseph Pecoraro 		mark.lam: review-
ap: commit-queue-
DetailsFormatted DiffDiff
[PATCH] Proposed Fix (3.68 KB, patch)
2016-03-15 13:43 PDT, Joseph Pecoraro 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2016-03-13 14:14:52 PDT
<rdar://problem/25134537>
Geoffrey Garen
Comment 2 2016-03-14 15:39:30 PDT
Joe, is this you? Are you sure it's OK for removeDeadHeapSnapshotNodes to iterate the heap during GC? Maybe you can move this to after GC instead?
Ryan Haddad
Comment 3 2016-03-14 15:39:52 PDT
Marked this test as flaky to unblock EWS <http://trac.webkit.org/projects/webkit/changeset/198165>
Joseph Pecoraro
Comment 4 2016-03-14 16:04:13 PDT
(In reply to comment #2) > Joe, is this you? Seems likely! > Are you sure it's OK for removeDeadHeapSnapshotNodes to iterate the heap > during GC? Maybe you can move this to after GC instead? Yes, I think the problem is that both Heap::gatherExtraHeapSnapshotData and Heap::removeDeadHeapSnapshotNodes take a HeapIterationScope (which does a stopAllocating/resumeAllocating) but Heap::collectImpl has already done a stopAllocating and will do a resetAllocators. Duplicate stopAllocating calls looks like it would cause this ASSERT. I will see if it makes sense to just drop the HeapIterationScopes here given the Heap is already stopped. It looks like it would be perfectly fine to move these snapshot operations after resetAllocators where they won't mess with the state of the allocator between the normal stop/reset of collection. Given this test is encountering the removeDeadHeapSnapshotNodes path at all, it means imply that this VM had previously run a test that created a HeapProfiler. So that would mean the bot ran an LayoutTests/inspector/heap test and then ran this LayoutTests/js/function-apply.html, so I'll try to reproduce locally with this in mind. While the HeapProfiler will still exist for the VM, the HeapSnapshots should have been cleared when the page changed so there should essentially be no work.
Joseph Pecoraro
Comment 5 2016-03-14 16:48:26 PDT
(In reply to comment #4) > I will see if it makes sense to just drop the HeapIterationScopes here given > the Heap is already stopped. It looks like it would be perfectly fine to > move these snapshot operations after resetAllocators where they won't mess > with the state of the allocator between the normal stop/reset of collection. Bah, MarkedSpace::forEachLiveCell/DeadCell expects a HeapIterationScope& in its API to ensure callers have stopped allocation. So just moving the HeapProfiler work to the end of GC (after allocators are resumed) seems easiest/safest.
Joseph Pecoraro
Comment 6 2016-03-14 16:49:12 PDT
Created attachment 274053 [details] [PATCH] Proposed Fix
Joseph Pecoraro
Comment 7 2016-03-14 16:51:22 PDT
(In reply to comment #4) > So that would mean the bot ran an LayoutTests/inspector/heap > test and then ran this LayoutTests/js/function-apply.html, so I'll try to > reproduce locally with this in mind. I was unable to reproduce this locally running lots of iterations of these kind of combinations.
Alexey Proskuryakov
Comment 8 2016-03-14 23:53:54 PDT
Comment on attachment 274053 [details] [PATCH] Proposed Fix Please also unmark the test in TestExpectations when landing this. FWIW, js/function-call-aliased.html is another affected test.
Ryan Haddad
Comment 9 2016-03-15 12:48:37 PDT
Can we update the patch and land this soon? js/function-call-aliased.html is wreaking havoc on Mac EWS results.
Mark Lam
Comment 10 2016-03-15 13:29:16 PDT
Comment on attachment 274053 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=274053&action=review > Source/JavaScriptCore/heap/Heap.cpp:1201 > + if (HeapProfiler* heapProfiler = m_vm->heapProfiler()) { > + gatherExtraHeapSnapshotData(*heapProfiler); > + removeDeadHeapSnapshotNodes(*heapProfiler); > + } > + Let's put this in didFinishCollection() (at the bottom) instead. We do many heap iterations in there and collect statistics. That would be the proper place for this.
Joseph Pecoraro
Comment 11 2016-03-15 13:43:49 PDT
Created attachment 274121 [details] [PATCH] Proposed Fix
Mark Lam
Comment 12 2016-03-15 13:56:49 PDT
Comment on attachment 274121 [details] [PATCH] Proposed Fix r=me
WebKit Commit Bot
Comment 13 2016-03-15 14:48:02 PDT
Comment on attachment 274121 [details] [PATCH] Proposed Fix Clearing flags on attachment: 274121 Committed r198229: <http://trac.webkit.org/changeset/198229>
WebKit Commit Bot
Comment 14 2016-03-15 14:48:08 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.