Bug 165748 - REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
Summary: REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords:
Depends on:
Blocks: 160355 165728
  Show dependency treegraph
 
Reported: 2016-12-11 22:56 PST by Michael Saboff
Modified: 2018-02-14 10:36 PST (History)
13 users (show)

See Also:


Attachments
Patch (5.08 KB, patch)
2016-12-11 23:05 PST, Michael Saboff
fpizlo: review+
Details | Formatted Diff | Diff
Patch with fix and roll in of reverted revisions (310.68 KB, patch)
2016-12-12 09:15 PST, Michael Saboff
no flags Details | Formatted Diff | Diff
Updated unified patch with JITEntryPoints.h included (322.21 KB, patch)
2016-12-12 09:48 PST, Michael Saboff
beidson: review-
buildbot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from ews101 for mac-yosemite (1.14 MB, application/zip)
2016-12-12 11:10 PST, Build Bot
no flags Details
Archive of layout-test-results from ews105 for mac-yosemite-wk2 (1.19 MB, application/zip)
2016-12-12 11:16 PST, Build Bot
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Saboff 2016-12-11 22:56:53 PST
When running Speedometer (browser bench.org) with r209653 you get a crash like:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       EXC_I386_GPFLT
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010beeaa1a JSC::StructureIDTable::get(unsigned int) + 42 (StructureIDTable.h:124)
1   com.apple.JavaScriptCore      	0x000000010beea9c3 JSC::VM::getStructure(unsigned int) + 51 (VM.h:494)
2   com.apple.JavaScriptCore      	0x000000010beea8af JSC::JSCell::structure(JSC::VM&) const + 31 (JSCellInlines.h:115)
3   com.apple.JavaScriptCore      	0x000000010beeabb3 JSC::JSCell::classInfo() const + 147 (JSCellInlines.h:276)
4   com.apple.JavaScriptCore      	0x000000010beeaaf9 JSC::JSCell::inherits(JSC::ClassInfo const*) const + 25 (JSCellInlines.h:250)
5   com.apple.JavaScriptCore      	0x000000010bf71c40 JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(JSC::JSCell*) + 48 (JSCell.h:265)
6   com.apple.JavaScriptCore      	0x000000010bf71bff JSC::asObject(JSC::JSCell*) + 79 (JSObject.h:1271)
7   com.apple.JavaScriptCore      	0x000000010c0a8926 JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 230 (JSCJSValueInlines.h:825)
8   com.apple.JavaScriptCore      	0x000000010cab6ccd std::__1::result_of<operationGetByIdOptimize::$_0 (bool, JSC::PropertySlot&)>::type JSC::JSValue::getPropertySlot<operationGetByIdOptimize::$_0>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, operationGetByIdOptimize::$_0) const + 173 (JSCJSValueInlines.h:808)
9   com.apple.JavaScriptCore      	0x000000010caa52b0 std::__1::result_of<operationGetByIdOptimize::$_0 (bool, JSC::PropertySlot&)>::type JSC::JSValue::getPropertySlot<operationGetByIdOptimize::$_0>(JSC::ExecState*, JSC::PropertyName, operationGetByIdOptimize::$_0) const + 192 (JSCJSValueInlines.h:801)
10  com.apple.JavaScriptCore      	0x000000010caa51b0 operationGetByIdOptimize + 352 (JITOperations.cpp:261)
11  ???                           	0x0000585f62654130 0 + 97166695940400
12  ???                           	0x0000585f62ab6da6 0 + 97166700539302
13  ???                           	0x0000585f62e14fc1 0 + 97166704070593
14  ???                           	0x0000585f626100b2 0 + 97166695661746
15  com.apple.JavaScriptCore      	0x000000010ccba43b llint_entry + 29863 (LowLevelInterpreter.asm:778)
16  ???                           	0x0000585f62611306 0 + 97166695666438
17  ???                           	0x0000585f626170fc 0 + 97166695690492
18  ???                           	0x0000585f628e71df 0 + 97166698639839
19  com.apple.JavaScriptCore      	0x000000010ccb2d7e vmEntryToJavaScript + 334 (LowLevelInterpreter64.asm:256)
20  com.apple.JavaScriptCore      	0x000000010ca96e22 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 354 (JITCode.cpp:81)
21  com.apple.JavaScriptCore      	0x000000010ca12aaf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1215 (Interpreter.cpp:944)
22  com.apple.JavaScriptCore      	0x000000010c1ee068 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 184 (CallData.cpp:39)
23  com.apple.JavaScriptCore      	0x000000010c1ee179 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 201 (CallData.cpp:46)
24  com.apple.JavaScriptCore      	0x000000010c1ee3ed JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 125 (CallData.cpp:65)
25  com.apple.WebCore             	0x000000011092e4db WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 139 (JSMainThreadExecState.h:75)
26  com.apple.WebCore             	0x0000000110bf68a9 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1801 (JSEventListener.cpp:144)
27  com.apple.WebCore             	0x0000000110109846 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) + 742 (EventTarget.cpp:253)
28  com.apple.WebCore             	0x0000000110109433 WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 323 (EventTarget.cpp:200)
Comment 1 Michael Saboff 2016-12-11 23:05:03 PST
Created attachment 296894 [details]
Patch

Note, this patch will not apply to the current ToT.  It is meant to apply after rolling back in the changes rolled out in https://bugs.webkit.org/show_bug.cgi?id=165739.
Comment 2 Michael Saboff 2016-12-12 09:15:26 PST
Created attachment 296923 [details]
Patch with fix and roll in of reverted revisions
Comment 3 WebKit Commit Bot 2016-12-12 09:18:20 PST
Attachment 296923 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp:45:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:444:  Multi line control clauses should use braces.  [whitespace/braces] [4]
ERROR: Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:863:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
ERROR: Source/JavaScriptCore/ftl/FTLOutput.h:101:  The parameter name "reg" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/ftl/FTLOutput.h:102:  The parameter name "reg" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/ftl/FTLLink.cpp:293:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/jit/JSInterfaceJIT.h:66:  The parameter name "reg" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1213:  Multi line control clauses should use braces.  [whitespace/braces] [4]
Total errors found: 8 in 106 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 4 Michael Saboff 2016-12-12 09:48:15 PST
Created attachment 296929 [details]
Updated unified patch with JITEntryPoints.h included
Comment 5 WebKit Commit Bot 2016-12-12 09:49:49 PST
Attachment 296929 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp:45:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:444:  Multi line control clauses should use braces.  [whitespace/braces] [4]
ERROR: Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:863:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
ERROR: Source/JavaScriptCore/ftl/FTLOutput.h:101:  The parameter name "reg" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/ftl/FTLOutput.h:102:  The parameter name "reg" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/ftl/FTLLink.cpp:293:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/jit/JITEntryPoints.h:205:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/jit/JITEntryPoints.h:206:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/jit/JITEntryPoints.h:216:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/jit/JSInterfaceJIT.h:66:  The parameter name "reg" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1213:  Multi line control clauses should use braces.  [whitespace/braces] [4]
Total errors found: 11 in 107 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 6 Build Bot 2016-12-12 11:10:43 PST
Comment on attachment 296929 [details]
Updated unified patch with JITEntryPoints.h included

Attachment 296929 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2706191

New failing tests:
inspector/codemirror/prettyprinting-css-rules.html
Comment 7 Build Bot 2016-12-12 11:10:47 PST
Created attachment 296937 [details]
Archive of layout-test-results from ews101 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 8 Build Bot 2016-12-12 11:16:17 PST
Comment on attachment 296929 [details]
Updated unified patch with JITEntryPoints.h included

Attachment 296929 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2706206

New failing tests:
inspector/codemirror/prettyprinting-css-rules.html
Comment 9 Build Bot 2016-12-12 11:16:22 PST
Created attachment 296940 [details]
Archive of layout-test-results from ews105 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 10 Michael Saboff 2016-12-12 13:47:18 PST
Committed r209725: <http://trac.webkit.org/changeset/209725>
Comment 11 Csaba Osztrogonác 2016-12-13 00:01:54 PST
(In reply to comment #10)
> Committed r209725: <http://trac.webkit.org/changeset/209725>

It made zillion tests crash on ARMv7 Thumb2 platform: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Thumb2%20Release/builds/2975 (ARMv7 with ARM instruction set works fine.)
Comment 12 WebKit Commit Bot 2016-12-13 11:35:17 PST
Re-opened since this is blocked by bug 165811
Comment 13 Alexey Proskuryakov 2016-12-17 14:38:43 PST
Is this still happening? Surprised that we could have  Speedometer crashing for a week.
Comment 14 Michael Saboff 2016-12-19 10:01:49 PST
(In reply to comment #13)
> Is this still happening? Surprised that we could have  Speedometer crashing
> for a week.

No.

The roll out was for all of the Register Calling changes in <https://bugs.webkit.org/show_bug.cgi?id=160355>.  Reopened that bug and will close this bug and re
Comment 15 Brady Eidson 2018-02-14 10:36:24 PST
Comment on attachment 296929 [details]
Updated unified patch with JITEntryPoints.h included

Patches that have been up for review since 2016 are almost certainly too stale to be relevant to trunk in their current form.

If this patch is still important please rebase it and post it for review again.