Bug 156292 - 32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
Reported: 2016-04-06 09:31 PDT by Ryan Haddad
Modified: 2016-04-06 18:44 PDT

Attachments
the patch (1.56 KB, patch)
2016-04-06 18:34 PDT, Filip Pizlo
benjamin: review+

Description Ryan Haddad 2016-04-06 09:31:02 PDT
JSC stress/multi-put-by-offset-multiple-transitions.js failing

<https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/2006/steps/webkit-32bit-jsc-test/logs/stdio>

** The following JSC stress test failures have been introduced:
	stress/multi-put-by-offset-multiple-transitions.js.always-trigger-copy-phase
	stress/multi-put-by-offset-multiple-transitions.js.default
	stress/multi-put-by-offset-multiple-transitions.js.default-ftl
	stress/multi-put-by-offset-multiple-transitions.js.dfg-eager
	stress/multi-put-by-offset-multiple-transitions.js.dfg-eager-no-cjit-validate
	stress/multi-put-by-offset-multiple-transitions.js.dfg-maximal-flush-validate-no-cjit
	stress/multi-put-by-offset-multiple-transitions.js.ftl-eager
	stress/multi-put-by-offset-multiple-transitions.js.ftl-eager-no-cjit
	stress/multi-put-by-offset-multiple-transitions.js.ftl-no-cjit-no-put-stack-validate
	stress/multi-put-by-offset-multiple-transitions.js.ftl-no-cjit-small-pool
	stress/multi-put-by-offset-multiple-transitions.js.ftl-no-cjit-validate-sampling-profiler
	stress/multi-put-by-offset-multiple-transitions.js.no-cjit-validate-phases
	stress/multi-put-by-offset-multiple-transitions.js.no-llint

stress/multi-put-by-offset-multiple-transitions.js.default: ASSERTION FAILED: codeBlock->canGetCodeOrigin(index)
stress/multi-put-by-offset-multiple-transitions.js.default: /Volumes/Data/slave/elcapitan-32bitJSC-debug/build/Source/JavaScriptCore/interpreter/StackVisitor.cpp(114) : void JSC::StackVisitor::readFrame(CallFrame *)
stress/multi-put-by-offset-multiple-transitions.js.default: 1   0xe4707d WTFCrash
stress/multi-put-by-offset-multiple-transitions.js.default: 2   0xd4f180 JSC::StackVisitor::readFrame(JSC::ExecState*)
stress/multi-put-by-offset-multiple-transitions.js.default: 3   0xd4effd JSC::StackVisitor::StackVisitor(JSC::ExecState*)
stress/multi-put-by-offset-multiple-transitions.js.default: 4   0xd4f364 JSC::StackVisitor::StackVisitor(JSC::ExecState*)
stress/multi-put-by-offset-multiple-transitions.js.default: 5   0xa7c014 void JSC::StackVisitor::visit<JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*)::$_1>(JSC::ExecState*, JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*)::$_1 const&)
stress/multi-put-by-offset-multiple-transitions.js.default: 6   0xa7bc83 JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*)
stress/multi-put-by-offset-multiple-transitions.js.default: 7   0x7ef056 JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [18])
stress/multi-put-by-offset-multiple-transitions.js.default: 8   0x7eee2e JSC::Heap::collect(JSC::HeapOperation)
stress/multi-put-by-offset-multiple-transitions.js.default: 9   0x16de76 JSC::Heap::collectIfNecessaryOrDefer()
stress/multi-put-by-offset-multiple-transitions.js.default: 10  0x16dd95 JSC::Heap::decrementDeferralDepthAndGCIfNeeded()
stress/multi-put-by-offset-multiple-transitions.js.default: 11  0x16dd69 JSC::DeferGC::~DeferGC()
stress/multi-put-by-offset-multiple-transitions.js.default: 12  0x16c267 JSC::DeferGC::~DeferGC()
stress/multi-put-by-offset-multiple-transitions.js.default: 13  0x184fbe JSC::JSObject::setStructureAndReallocateStorageIfNecessary(JSC::VM&, unsigned int, JSC::Structure*)
stress/multi-put-by-offset-multiple-transitions.js.default: 14  0x18491b JSC::JSObject::setStructureAndReallocateStorageIfNecessary(JSC::VM&, JSC::Structure*)
stress/multi-put-by-offset-multiple-transitions.js.default: 15  0x93ea3e operationReallocateStorageAndFinishPut
stress/multi-put-by-offset-multiple-transitions.js.default: 16  0x295d567
stress/multi-put-by-offset-multiple-transitions.js.default: 17  0x2960436
stress/multi-put-by-offset-multiple-transitions.js.default: 18  0xb2185c vmEntryToJavaScript
stress/multi-put-by-offset-multiple-transitions.js.default: 19  0x928e82 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/multi-put-by-offset-multiple-transitions.js.default: 20  0x8db0c9 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
stress/multi-put-by-offset-multiple-transitions.js.default: 21  0x2f8c48 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/multi-put-by-offset-multiple-transitions.js.default: 22  0xc3cdc runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool, bool)
stress/multi-put-by-offset-multiple-transitions.js.default: 23  0xc30ef runJSC(JSC::VM*, CommandLine)
stress/multi-put-by-offset-multiple-transitions.js.default: 24  0xc246a jscmain(int, char**)
stress/multi-put-by-offset-multiple-transitions.js.default: 25  0xc22f6 main
stress/multi-put-by-offset-multiple-transitions.js.default: 26  0x9633d6ad start
stress/multi-put-by-offset-multiple-transitions.js.default: test_script_15870: line 2: 43021 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true multi-put-by-offset-multiple-transitions.js )
Comment 1 Ryan Haddad 2016-04-06 09:32:39 PDT
The two JSC changes in the first failing run were <https://trac.webkit.org/changeset/199073> and <https://trac.webkit.org/changeset/199075>.

r199073 was rolled out in r199084 for an unrelated reason, but the tests are still failing.
Comment 2 Ryan Haddad 2016-04-06 17:11:47 PDT
Filip, is this something you can look at soon or should we go ahead and roll out r199075?
Comment 3 Filip Pizlo 2016-04-06 18:15:43 PDT
This is going to be an easy fix.  The code leading up to the call to operationReallocateStorageAndFinishPut doesn't stash the callsite index.
Comment 4 Filip Pizlo 2016-04-06 18:15:58 PDT
(I have a fix, testing locally.)
Comment 5 Filip Pizlo 2016-04-06 18:34:46 PDT
Created attachment 275843
the patch
Comment 6 Filip Pizlo 2016-04-06 18:44:44 PDT
Landed in http://trac.webkit.org/changeset/199132