166669 – REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm

RESOLVED FIXED 166669

REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm

https://bugs.webkit.org/show_bug.cgi?id=166669

Summary REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/...

Ryan Haddad

Reported 2017-01-03 16:11:19 PST

JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm Running wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm: test_script_33676: line 2: 29983 Segmentation fault: 11 ( "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 -m --useWebAssembly\=1 wasm-to-wasm.js ) wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm: ERROR: Unexpected exit code: 139 FAIL: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm https://build.webkit.org/builders/Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/175

Attachments
Crash log (37.95 KB, text/plain) 2017-01-03 16:13 PST, Ryan Haddad	no flags	Details
patch (2.88 KB, patch) 2017-01-03 16:39 PST, JF Bastien	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Ryan Haddad

Comment 1 2017-01-03 16:13:20 PST

Created attachment 297968 [details] Crash log

Ryan Haddad

Comment 2 2017-01-03 16:13:29 PST

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00000001039d363e JSC::callWebAssemblyFunction(JSC::ExecState*) + 1438 (WebAssemblyFunction.cpp:122) 1 com.apple.JavaScriptCore 0x000000010377380e JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 622 (LLIntSlowPaths.cpp:1238) 2 com.apple.JavaScriptCore 0x000000010377b29f llint_entry + 26689 3 com.apple.JavaScriptCore 0x000000010377b2ad llint_entry + 26703 4 com.apple.JavaScriptCore 0x000000010377487b vmEntryToJavaScript + 299 5 com.apple.JavaScriptCore 0x00000001035f6ece JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 190 (JITCode.cpp:82) 6 com.apple.JavaScriptCore 0x00000001035beb03 JSC::Interpreter::execute(JSC::ModuleProgramExecutable*, JSC::ExecState*, JSC::JSModuleEnvironment*) + 579 (Interpreter.cpp:1197) 7 com.apple.JavaScriptCore 0x00000001036a4bdd JSC::JSModuleRecord::evaluate(JSC::ExecState*) + 61 (JSModuleRecord.cpp:208) 8 com.apple.JavaScriptCore 0x000000010369f622 JSC::JSModuleLoader::evaluate(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) + 466 (JSModuleLoader.cpp:198) 9 ??? 0x00003f4779201028 0 + 69576207372328 10 com.apple.JavaScriptCore 0x000000010377b23b llint_entry + 26589 11 com.apple.JavaScriptCore 0x000000010377b2ad llint_entry + 26703 12 ??? 0x00003f477920a248 0 + 69576207409736 13 com.apple.JavaScriptCore 0x000000010377487b vmEntryToJavaScript + 299 14 com.apple.JavaScriptCore 0x00000001035f6ece JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 190 (JITCode.cpp:82) 15 com.apple.JavaScriptCore 0x00000001035be2ca JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 522 (Interpreter.cpp:927) 16 com.apple.JavaScriptCore 0x000000010319f532 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 178 (CallData.cpp:59) 17 com.apple.JavaScriptCore 0x000000010369aa96 JSC::JSJobMicrotask::run(JSC::ExecState*) + 502 (JSJob.cpp:76) 18 com.apple.JavaScriptCore 0x0000000103953c7e JSC::VM::drainMicrotasks() + 302 (VM.cpp:863) 19 jsc 0x0000000102d91140 runJSC(JSC::VM*, CommandLine) + 3280 20 jsc 0x0000000102d8f81e jscmain(int, char**) + 686 21 jsc 0x0000000102d8f55b main + 27 22 libdyld.dylib 0x00007fff9a3015ad start + 1

Ryan Haddad

Comment 3 2017-01-03 16:13:46 PST

I think this started with https://trac.webkit.org/changeset/210244

JF Bastien

Comment 4 2017-01-03 16:14:44 PST

I was just investigating this.

Radar WebKit Bug Importer

Comment 5 2017-01-03 16:15:17 PST

<rdar://problem/29856455>

JF Bastien

Comment 6 2017-01-03 16:15:46 PST

The problem only occurs in release, which is why I didn't see it in my debug builds. We clobber at least $r12 in the test I added, and aren't restoring it.

JF Bastien

Comment 7 2017-01-03 16:39:20 PST

Created attachment 297969 [details] patch

WebKit Commit Bot

Comment 8 2017-01-03 17:15:55 PST

Comment on attachment 297969 [details] patch Clearing flags on attachment: 297969 Committed r210259: <http://trac.webkit.org/changeset/210259>

WebKit Commit Bot

Comment 9 2017-01-03 17:15:59 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

JF Bastien

Reported

2017-01-03 16:11 PST

Modified

2017-01-03 17:15 PST History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks