Bug 159627 - New stress/arity-check-ftl-throw.js crashes on Linux bots
Summary: New stress/arity-check-ftl-throw.js crashes on Linux bots
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Other
Hardware: Unspecified Unspecified
Importance: P1 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 159439
Reported: 2016-07-11 09:15 PDT by Csaba Osztrogonác
Modified: 2022-02-18 03:12 PST
CC: 8 users

See Also:


Attachments
log with --showDisassembly=true command line option (379.60 KB, text/plain)
2016-09-14 03:14 PDT, Csaba Osztrogonác

Description Csaba Osztrogonác 2016-07-11 09:15:18 PDT
It was introduced in https://trac.webkit.org/changeset/202838 and crashes on the Linux bots:
- GTK: https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Release%20%28Tests%29/builds/16835
- EFL: https://build.webkit.org/builders/EFL%20Linux%2064-bit%20Release%20WK2/builds/28753

(Note: I just reported this bug; I'm not interested in fixing this bug at all.
I don't have any time to generate backtraces or help anybody fix it.)
Comment 1 Csaba Osztrogonác 2016-09-14 02:37:05 PDT
This bug is still valid: stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler still crashes on the EFL and GTK bots, and it crashes for me on the JSCOnly port too.
Comment 2 Csaba Osztrogonác 2016-09-14 03:11:59 PDT
$ ./jsc --useFunctionDotArguments=true --maxPerThreadStackUsage=1572864 --validateGraph=true --useSamplingProfiler=true --useConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --scribbleFreeCells=true arity-check-ftl-throw.js

ASSERTION FAILED: isCell()
../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h(500) : JSC::JSCell* JSC::JSValue::asCell() const


(gdb) bt
#0  0x00007f0d6258b1bf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x000000000045030d in JSC::JSValue::asCell (this=0x7ffd07651fc0) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:500
#2  0x000000000044c827 in JSC::asObject (value=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1175
#3  0x000000000044d124 in JSC::Register::object (this=0x7ffd07652148) at ../../Source/JavaScriptCore/runtime/JSObject.h:1497
#4  0x0000000000448fc4 in JSC::ExecState::callee (this=0x7ffd07652130) at ../../Source/JavaScriptCore/interpreter/CallFrame.h:90
#5  0x000000000044d469 in JSC::ExecState::vm (this=0x7ffd07652130) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:118
#6  0x00007f0d61fe4d34 in JSC::FTL::compileFTLLazySlowPath (exec=0x7ffd07652130, index=2)
    at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:347
#7  0x00007f0d1c40397e in ?? ()
#8  0x0000000003b29bea in ?? ()
#9  0x0000000003b29bea in ?? ()
#10 0x00007ffd07652130 in ?? ()
#11 0x0000000000000002 in ?? ()
#12 0x0000000000000000 in ?? ()
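What the failed assertion in frames #1 to #5 actually guards, as an added illustration (my own C model, not WebKit or JSC code): a minimal reconstruction of JSC's 64-bit JSValue tagging, so the isCell() check and the asCell() reinterpretation behind it can be exercised on sample values. The tag constants (the 0xffff... number tag, bit 1 as the "other" tag, the 2^48 double offset, the four immediates 0x2/0x6/0x7/0xa) are my recollection of JSCJSValue.h from that era and are assumptions; all function and type names here are hypothetical stand-ins, and the JSCell struct is a placeholder.

```c
/*
 * Added illustration, not WebKit/JSC code: a minimal model of the 64-bit
 * JSValue tagging that JSC::JSValue::isCell()/asCell() check, to show what
 * "ASSERTION FAILED: isCell()" in the backtrace guards against.
 * Tag constants follow JSC's 2016-era 64-bit layout (JSCJSValue.h) as I
 * recall it; treat the exact numbers as an assumption.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t EncodedValue;

/* Assumed 64-bit layout: a cell pointer has its top 16 bits clear and bit 1
 * clear; int32 sits under 0xffff..., doubles are offset by 2^48, and the
 * four "other" immediates all carry bit 1. */
#define TAG_TYPE_NUMBER      UINT64_C(0xffff000000000000)
#define TAG_BIT_TYPE_OTHER   UINT64_C(0x2)
#define TAG_BIT_BOOL         UINT64_C(0x4)
#define TAG_BIT_UNDEFINED    UINT64_C(0x8)
#define TAG_MASK             (TAG_TYPE_NUMBER | TAG_BIT_TYPE_OTHER)
#define DOUBLE_ENCODE_OFFSET UINT64_C(0x0001000000000000)

#define VALUE_EMPTY     UINT64_C(0x0)                              /* hole / JSValue() */
#define VALUE_NULL      (TAG_BIT_TYPE_OTHER)                       /* 0x2 */
#define VALUE_FALSE     (TAG_BIT_TYPE_OTHER | TAG_BIT_BOOL | 0)    /* 0x6 */
#define VALUE_TRUE      (TAG_BIT_TYPE_OTHER | TAG_BIT_BOOL | 1)    /* 0x7 */
#define VALUE_UNDEFINED (TAG_BIT_TYPE_OTHER | TAG_BIT_UNDEFINED)   /* 0xa */

/* Placeholder for a heap cell; only its address matters here. */
typedef struct JSCell { uint32_t structure_id; uint32_t flags; } JSCell;

static const JSCell *sample_cell(void) { static JSCell c = { 0, 0 }; return &c; }

static EncodedValue encode_int32(int32_t i)      { return TAG_TYPE_NUMBER | (uint32_t)i; }
static EncodedValue encode_double(double d)      { uint64_t b; memcpy(&b, &d, sizeof b); return b + DOUBLE_ENCODE_OFFSET; }
static EncodedValue encode_cell(const JSCell *c) { return (EncodedValue)(uintptr_t)c; }

/* Mirrors JSValue::isCell(): true iff no tag bits are set. Note that the
 * empty value 0 also passes; asCell() on it yields a null pointer. */
static bool is_cell(EncodedValue v) { return (v & TAG_MASK) == 0; }

/* Mirrors JSValue::asCell(). A debug build hits ASSERT(isCell()) first; a
 * release build just reinterprets the bits as a JSCell*, so a number or
 * undefined sitting in the callee slot becomes a bogus object pointer that
 * ExecState::vm() then dereferences. The assertion in the backtrace is
 * therefore a type-confusion guard, not a cosmetic check. */
static JSCell *as_cell_unchecked(EncodedValue v) { return (JSCell *)(uintptr_t)v; }

/* Defensive variant used below: NULL for anything that is not a cell. */
static JSCell *as_cell_checked(EncodedValue v) { return is_cell(v) ? as_cell_unchecked(v) : NULL; }

/* Classify an encoded value the way you would when inspecting the callee
 * register of a frame that tripped the assertion. */
static const char *describe_value(EncodedValue v)
{
    if (v == VALUE_EMPTY)                         return "empty";
    if (is_cell(v))                               return "cell";
    if (v == VALUE_UNDEFINED)                     return "undefined";
    if (v == VALUE_NULL)                          return "null";
    if (v == VALUE_TRUE || v == VALUE_FALSE)      return "bool";
    if ((v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER) return "int32";
    if (v & TAG_TYPE_NUMBER)                      return "double";
    return "invalid";
}

/* Model of the chain in frames #1..#5: ExecState::vm() -> callee() ->
 * Register::object() -> asObject() -> asCell(). Returns 0 when the callee
 * slot holds a cell (the vm lookup can proceed), 1 when it is empty, and
 * 2 when it holds a tagged non-cell, which is what isCell() rejected here. */
static int check_callee_slot(EncodedValue callee)
{
    if (!is_cell(callee))                return 2; /* ASSERTION FAILED: isCell() */
    if (as_cell_checked(callee) == NULL) return 1;
    return 0;
}
```

A return of 2 from check_callee_slot() is the situation in the backtrace: the callee register of the frame handed to compileFTLLazySlowPath holds something that is not a cell pointer, so a release build would pass garbage to ExecState::vm() instead of stopping at the assertion.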
Comment 3 Csaba Osztrogonác 2016-09-14 03:14:05 PDT
Created attachment 288798
log with --showDisassembly=true command line option