NEW 159627
New stress/arity-check-ftl-throw.js crashes on Linux bots
https://bugs.webkit.org/show_bug.cgi?id=159627
Csaba Osztrogonác
Reported 2016-07-11 09:15:18 PDT
It is introduced in https://trac.webkit.org/changeset/202838 and crashes on Linux bots:
- GTK: https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Release%20%28Tests%29/builds/16835
- EFL: https://build.webkit.org/builders/EFL%20Linux%2064-bit%20Release%20WK2/builds/28753

(note: I just reported this bug, I'm not interested in fixing this bug at all. I don't have any time to generate backtraces or help anybody fixing it.)
Attachments
log with --showDisassembly=true command line option (379.60 KB, text/plain)
2016-09-14 03:14 PDT, Csaba Osztrogonác
no flags
Csaba Osztrogonác
Comment 1 2016-09-14 02:37:05 PDT
This bug is still valid, stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler still crashes on the EFL and GTK bots and it crashes for me on JSCOnly port too.
Csaba Osztrogonác
Comment 2 2016-09-14 03:11:59 PDT
$ ./jsc --useFunctionDotArguments=true --maxPerThreadStackUsage=1572864 --validateGraph=true --useSamplingProfiler=true --useConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --scribbleFreeCells=true arity-check-ftl-throw.js
ASSERTION FAILED: isCell()
../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h(500) : JSC::JSCell* JSC::JSValue::asCell() const

(gdb) bt
#0  0x00007f0d6258b1bf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x000000000045030d in JSC::JSValue::asCell (this=0x7ffd07651fc0) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:500
#2  0x000000000044c827 in JSC::asObject (value=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1175
#3  0x000000000044d124 in JSC::Register::object (this=0x7ffd07652148) at ../../Source/JavaScriptCore/runtime/JSObject.h:1497
#4  0x0000000000448fc4 in JSC::ExecState::callee (this=0x7ffd07652130) at ../../Source/JavaScriptCore/interpreter/CallFrame.h:90
#5  0x000000000044d469 in JSC::ExecState::vm (this=0x7ffd07652130) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:118
#6  0x00007f0d61fe4d34 in JSC::FTL::compileFTLLazySlowPath (exec=0x7ffd07652130, index=2) at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:347
#7  0x00007f0d1c40397e in ?? ()
#8  0x0000000003b29bea in ?? ()
#9  0x0000000003b29bea in ?? ()
#10 0x00007ffd07652130 in ?? ()
#11 0x0000000000000002 in ?? ()
#12 0x0000000000000000 in ?? ()
Csaba Osztrogonác
Comment 3 2016-09-14 03:14:05 PDT
Created attachment 288798: log with --showDisassembly=true command line option