164440 – DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure) in ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default

NEW 164440

DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure) in ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default

https://bugs.webkit.org/show_bug.cgi?id=164440

Summary DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure) in ChakraCore...

Mark Lam

Reported 2016-11-04 17:46:11 PDT

I saw this DFG assert while running the JSC tests on a debug build of 208404 with the patch from https://bugs.webkit.org/show_bug.cgi?id=164436. I don't think the patch from https://bugs.webkit.org/show_bug.cgi?id=164436 matters here. The issue seems to be intermittent (racy). I have not been able to reproduce it yet, but just want to record it. The crash info and trace dumped by the JSC test: ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/dfg/DFGGraph.cpp(1526) : void JSC::DFG::Graph::assertIsRegistered(JSC::Structure *) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 1 0x10d96437d WTFCrash ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 2 0x10d964399 WTFCrashWithSecurityImplication ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 3 0x10cd6773f JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 4 0x10cd67549 JSC::DFG::Graph::handleAssertionFailure(std::nullptr_t, char const*, int, char const*, char const*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 5 0x10cd63fd4 JSC::DFG::Graph::assertIsRegistered(JSC::Structure*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 6 0x10cfe50a9 JSC::DFG::StructureAbstractValue::assertIsRegistered(JSC::DFG::Graph&) const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 7 0x10cba76bd JSC::DFG::AbstractValue::assertIsRegistered(JSC::DFG::Graph&) const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 8 0x10cba778e JSC::DFG::AbstractValue::set(JSC::DFG::Graph&, JSC::Structure*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 9 0x10cc5a5ff JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 10 0x10cc4b65b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 11 0x10cc4a505 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 12 0x10cc49e92 JSC::DFG::CFAPhase::performForwardCFA() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 13 0x10cc49917 JSC::DFG::CFAPhase::run() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 14 0x10cc49112 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 15 0x10cc4906e bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 16 0x10cc49035 JSC::DFG::performCFA(JSC::DFG::Graph&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 17 0x10cec0065 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 18 0x10cebee69 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 19 0x10d031295 JSC::DFG::Worklist::ThreadBody::work() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 20 0x10d9c2c35 WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 21 0x10d9c29fd void std::__1::__invoke_void_return_wrapper<void>::__call<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0&>(WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0&&&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 22 0x10d9c2799 std::__1::__function::__func<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0, std::__1::allocator<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0>, void ()>::operator()() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 23 0x10cf006ba std::__1::function<void ()>::operator()() const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 24 0x10d9d3a77 WTF::threadEntryPoint(void*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 25 0x10d9d5441 WTF::wtfThreadEntryPoint(void*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 26 0x7fff97ec4aab _pthread_body ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 27 0x7fff97ec49f7 _pthread_body ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 28 0x7fff97ec41fd thread_start ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: test_script_30122: line 2: 74605 Segmentation fault: 11 ( "$@" ../../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true jsc-lib.js array_includes.js ) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: ERROR: Unexpected exit code: 139 ** The following JSC stress test failures have been introduced: ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default

Attachments
dump from failing test (with DFG graph). (222.83 KB, text/plain) 2016-11-04 17:48 PDT, Mark Lam	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2016-11-04 17:47:43 PDT

Eeek ... the build was from a revision before 208404. I svn up'ed to 208404, but did not rebuild because the JSC tests were already running.

Mark Lam

Comment 2 2016-11-04 17:48:31 PDT

Created attachment 293965 [details] dump from failing test (with DFG graph).

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2016-11-04 17:46 PDT

Modified

2016-11-04 17:49 PDT History

CC List

2 users Show

URL

Keywords

Depends on

Blocks