WebKit Bugzilla
Bug 165728: REGRESSION(r209653) Crash in CallFrameShuffler::snapshot()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=165728

Michael Saboff, Reported 2016-12-10 10:03:43 PST

* thread #1: tid = 0x1c5c6c9, 0x000000011031d738 JavaScriptCore`JSC::CachedRecovery::recovery(this=0x0000000000000000) const + 8 at CachedRecovery.h:115, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000011031d738 JavaScriptCore`JSC::CachedRecovery::recovery(this=0x0000000000000000) const + 8 at CachedRecovery.h:115
  * frame #1: 0x000000011101f2dd JavaScriptCore`JSC::CallFrameShuffler::snapshot(this=0x0000000113bb8500, argumentsLocation=RegisterArgs4InRegisters) const + 653 at CallFrameShuffler.h:122
    frame #2: 0x000000011101ddb1 JavaScriptCore`JSC::linkPolymorphicCall(exec=0x00007fff4fda2590, callLinkInfo=0x0000000113b82480, newVariant=CallVariant @ 0x00007fff4fda1bc8) + 7233 at Repatch.cpp:929
    frame #3: 0x0000000110be0648 JavaScriptCore`::operationLinkPolymorphicCall(execCallee=0x00007fff4fda2590, callLinkInfo=0x0000000113b82480) + 152 at JITOperations.cpp:1091
    frame #4: 0x00003c83a9c00f7a ...

snapshot() can't handle a ValueRecovery targeted to multiple argument registers.

Attachments
Patch (5.04 KB, patch), 2016-12-10 11:03 PST, Michael Saboff; fpizlo: review+, buildbot: commit-queue-
Archive of layout-test-results from ews101 for mac-yosemite (7.27 MB, application/zip), 2016-12-10 12:10 PST, Build Bot; no flags
Patch for Landing (6.23 KB, patch), 2016-12-10 12:12 PST, Michael Saboff; no flags
Archive of layout-test-results from ews105 for mac-yosemite-wk2 (6.85 MB, application/zip), 2016-12-10 12:20 PST, Build Bot; no flags

Michael Saboff, Comment 1, 2016-12-10 11:03:51 PST
Created attachment 296809: Patch

Filip Pizlo, Comment 2, 2016-12-10 11:51:00 PST
Comment on attachment 296809: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=296809&action=review
This change is right. It needs a careful rewording of the comment above m_newRegisters. Currently that comment says that m_newRegisters lists *all* of the registers that the shuffler will write to, which would imply that the old code before this change would have been correct. That comment needs to indicate that because the shuffler broadcasts to the "extra targets" after the fact, m_newRegisters only needs to know about the master register for a recovery.
> Source/JavaScriptCore/jit/CallFrameShuffler.h:228 > - static const bool verbose = false; > + static const bool verbose = true;
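Review bot: The flip of verbose from false to true at CallFrameShuffler.h:228 looks like a debugging leftover and not part of the crash fix. Restore "static const bool verbose = false;" before landing so the committed change carries only the fix.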
Revert.

Build Bot, Comment 3, 2016-12-10 12:09:58 PST
Comment on attachment 296809: Patch
Attachment 296809 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2690343
New failing tests: workers/bomb.html

Build Bot, Comment 4, 2016-12-10 12:10:01 PST
Created attachment 296813: Archive of layout-test-results from ews101 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101
Port: mac-yosemite
Platform: Mac OS X 10.10.5

Michael Saboff, Comment 5, 2016-12-10 12:12:44 PST
Created attachment 296814: Patch for Landing

Build Bot, Comment 6, 2016-12-10 12:20:29 PST
Comment on attachment 296809: Patch
Attachment 296809 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2690372
New failing tests: workers/bomb.html

Build Bot, Comment 7, 2016-12-10 12:20:32 PST
Created attachment 296815: Archive of layout-test-results from ews105 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105
Port: mac-yosemite-wk2
Platform: Mac OS X 10.10.5

Michael Saboff, Comment 8, 2016-12-10 13:04:36 PST
Committed r209673: <http://trac.webkit.org/changeset/209673>

WebKit Commit Bot, Comment 9, 2016-12-10 17:06:45 PST
Re-opened since this is blocked by bug 165739

Michael Saboff, Comment 10, 2016-12-12 13:50:27 PST
Relanded with fix in r209725: <http://trac.webkit.org/changeset/209725>