167066 – JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction

Bug 167066 - JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction

Summary: JSCell::classInfo() shouldn't have a bunch of mitigations for being called du...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-01-15 09:55 PST by Filip Pizlo
Modified:	2017-01-17 15:54 PST (History)
CC List:	10 users (show)

See Also:

Attachments
the patch (21.00 KB, patch) 2017-01-15 10:04 PST, Filip Pizlo	buildbot: commit-queue-	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews103 for mac-elcapitan (314.59 KB, application/zip) 2017-01-15 11:05 PST, Build Bot	no flags	Details
Archive of layout-test-results from ews105 for mac-elcapitan-wk2 (325.39 KB, application/zip) 2017-01-15 11:05 PST, Build Bot	no flags	Details
Archive of layout-test-results from ews117 for mac-elcapitan (369.02 KB, application/zip) 2017-01-15 11:08 PST, Build Bot	no flags	Details
Archive of layout-test-results from ews124 for ios-simulator-wk2 (424.09 KB, application/zip) 2017-01-15 11:14 PST, Build Bot	no flags	Details
more (25.33 KB, patch) 2017-01-15 11:45 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
possible patch (26.93 KB, patch) 2017-01-16 00:49 PST, Filip Pizlo	buildbot: commit-queue-	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews100 for mac-elcapitan (342.35 KB, application/zip) 2017-01-16 01:48 PST, Build Bot	no flags	Details
Archive of layout-test-results from ews117 for mac-elcapitan (367.02 KB, application/zip) 2017-01-16 01:48 PST, Build Bot	no flags	Details
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (495.74 KB, application/zip) 2017-01-16 01:52 PST, Build Bot	no flags	Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (657.04 KB, application/zip) 2017-01-16 02:00 PST, Build Bot	no flags	Details
more (32.97 KB, patch) 2017-01-16 10:27 PST, Filip Pizlo	buildbot: commit-queue-	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews117 for mac-elcapitan (1.96 MB, application/zip) 2017-01-16 11:56 PST, Build Bot	no flags	Details
more (33.72 KB, patch) 2017-01-16 12:04 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
more (34.02 KB, patch) 2017-01-16 13:04 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
possible patch (33.36 KB, patch) 2017-01-16 15:00 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
the patch (33.92 KB, patch) 2017-01-16 16:46 PST, Filip Pizlo	msaboff: review+	Details \| Formatted Diff \| Diff
patch for relanding (55.45 KB, patch) 2017-01-17 15:39 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (17) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2017-01-15 09:55:25 PST

Every time you use JSCell::classInfo(), you pay a compile time, code size, and running time cost for mitigations that are there to make that method safe to call from a destructor.

The only reason why we call that method in destructors is:

- Invalid use of jsCast<>.  We used to have the discipline to only use static_cast<> in destructors.
- Some isolated uses of the classInfo in specific subclasses.  Those can do the mitigations themselves.

We should also assert in classInfo() that we aren't destructing.

Comment 1 Filip Pizlo 2017-01-15 10:04:10 PST

Created attachment 298898 [details]
the patch

Comment 2 Filip Pizlo 2017-01-15 10:48:23 PST

Comment on attachment 298898 [details]
the patch

Doesn't look ready based on EWS.  I'll run layout tests locally.

Comment 3 Build Bot 2017-01-15 11:05:22 PST

Comment on attachment 298898 [details]
the patch

Attachment 298898 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2895044

Number of test failures exceeded the failure limit.

Comment 4 Build Bot 2017-01-15 11:05:26 PST

Created attachment 298902 [details]
Archive of layout-test-results from ews103 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 5 Build Bot 2017-01-15 11:05:50 PST

Comment on attachment 298898 [details]
the patch

Attachment 298898 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2895040

Number of test failures exceeded the failure limit.

Comment 6 Build Bot 2017-01-15 11:05:54 PST

Created attachment 298903 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment 7 Build Bot 2017-01-15 11:08:15 PST

Comment on attachment 298898 [details]
the patch

Attachment 298898 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2895039

Number of test failures exceeded the failure limit.

Comment 8 Build Bot 2017-01-15 11:08:19 PST

Created attachment 298904 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 9 Build Bot 2017-01-15 11:14:26 PST

Comment on attachment 298898 [details]
the patch

Attachment 298898 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/2895046

Number of test failures exceeded the failure limit.

Comment 10 Build Bot 2017-01-15 11:14:30 PST

Created attachment 298906 [details]
Archive of layout-test-results from ews124 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6

Comment 11 Filip Pizlo 2017-01-15 11:24:27 PST

Oh yeah, this is all about that silly JSObjectGetPrivate.

I have a really brutal fix...

Comment 12 Filip Pizlo 2017-01-15 11:45:52 PST

Created attachment 298909 [details]
more

Comment 13 Filip Pizlo 2017-01-16 00:49:15 PST

Created attachment 298943 [details]
possible patch

Comment 14 Build Bot 2017-01-16 01:48:29 PST

Comment on attachment 298943 [details]
possible patch

Attachment 298943 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2898101

Number of test failures exceeded the failure limit.

Comment 15 Build Bot 2017-01-16 01:48:33 PST

Created attachment 298944 [details]
Archive of layout-test-results from ews100 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 16 Build Bot 2017-01-16 01:48:42 PST

Comment on attachment 298943 [details]
possible patch

Attachment 298943 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2898096

Number of test failures exceeded the failure limit.

Comment 17 Build Bot 2017-01-16 01:48:45 PST

Created attachment 298945 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 18 Build Bot 2017-01-16 01:52:24 PST

Comment on attachment 298943 [details]
possible patch

Attachment 298943 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2898104

Number of test failures exceeded the failure limit.

Comment 19 Build Bot 2017-01-16 01:52:27 PST

Created attachment 298946 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment 20 Build Bot 2017-01-16 02:00:47 PST

Comment on attachment 298943 [details]
possible patch

Attachment 298943 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/2898108

Number of test failures exceeded the failure limit.

Comment 21 Build Bot 2017-01-16 02:00:50 PST

Created attachment 298947 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6

Comment 22 Filip Pizlo 2017-01-16 10:27:21 PST

Created attachment 298970 [details]
more

Fixed a bunch of crash bugs.

Comment 23 Build Bot 2017-01-16 11:56:01 PST

Comment on attachment 298970 [details]
more

Attachment 298970 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2900098

New failing tests:
fast/dom/DOMURL/searchparams.html
fast/text/font-face-set-document.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/read-media/pageload-video.html
imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location.html
imported/w3c/web-platform-tests/fetch/api/request/request-init-002.html
fast/text/font-face-set-javascript.html

Comment 24 Build Bot 2017-01-16 11:56:07 PST

Created attachment 298979 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 25 Filip Pizlo 2017-01-16 12:04:35 PST

Created attachment 298980 [details]
more

Comment 26 Filip Pizlo 2017-01-16 13:04:44 PST

Created attachment 298984 [details]
more

Fixed build and a C API bug

Comment 27 Filip Pizlo 2017-01-16 15:00:20 PST

Created attachment 298992 [details]
possible patch

Two changes:

- More changelog.

- Streamlined logic in JSObjectGetPrivate(). I think it's more correct, but who knows. Will wait for EWS before r?.

Comment 28 Filip Pizlo 2017-01-16 16:46:22 PST

Created attachment 299000 [details]
the patch

Comment 29 Radar WebKit Bug Importer 2017-01-16 16:52:03 PST

<rdar://problem/30044439>

Comment 30 Keith Miller 2017-01-17 10:34:52 PST

Comment on attachment 299000 [details]
the patch

r=me, although you're killing me with the timing of this.

Comment 31 Michael Saboff 2017-01-17 10:45:50 PST

Comment on attachment 299000 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=299000&action=review

r=me

> Source/JavaScriptCore/ChangeLog:20
> +        being destructed. JSObjectGetPrivate() is UB anyway if you use it on any

UB -> undefined behavior

> Source/JavaScriptCore/ChangeLog:31
> +        That was the only really weird of this patch. The rest is mostly removing illegal

Sentence wording.

Comment 32 Filip Pizlo 2017-01-17 10:52:49 PST

(In reply to comment #30)
> Comment on attachment 299000 [details]
> the patch
> 
> r=me, although you're killing me with the timing of this.

:-(

I thought it was a blocker for one of the crashes I had in bug 165760. This ended up not being the reason, but I only realized that after getting over the "no classInfo from destructor" hump.

Comment 33 Joseph Pecoraro 2017-01-17 11:56:33 PST

This may have caused some crashes on the bots:
https://build.webkit.org/builders/Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/427

> ** The following JSC stress test failures have been introduced:
> 	stress/reflect-enumerate.js.ftl-eager
> 	stress/typedarray-of.js.no-cjit-collect-continuously

Failures looked like:

> stress/reflect-enumerate.js.ftl-eager: test_script_14719: line 2: 43319 Trace/BPT trap: 5       ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false reflect-enumerate.js )
> stress/reflect-enumerate.js.ftl-eager: ERROR: Unexpected exit code: 133

> stress/typedarray-of.js.no-cjit-collect-continuously: test_script_18860: line 2: 80608 Trace/BPT trap: 5       ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --collectContinuously\=true --useGenerationalGC\=false typedarray-of.js )
> stress/typedarray-of.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 133

Comment 34 Filip Pizlo 2017-01-17 12:08:33 PST

(In reply to comment #33)
> This may have caused some crashes on the bots:
> https://build.webkit.org/builders/
> Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/427
> 
> > ** The following JSC stress test failures have been introduced:
> > 	stress/reflect-enumerate.js.ftl-eager
> > 	stress/typedarray-of.js.no-cjit-collect-continuously
> 
> Failures looked like:
> 
> > stress/reflect-enumerate.js.ftl-eager: test_script_14719: line 2: 43319 Trace/BPT trap: 5       ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false reflect-enumerate.js )
> > stress/reflect-enumerate.js.ftl-eager: ERROR: Unexpected exit code: 133
> 
> > stress/typedarray-of.js.no-cjit-collect-continuously: test_script_18860: line 2: 80608 Trace/BPT trap: 5       ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --collectContinuously\=true --useGenerationalGC\=false typedarray-of.js )
> > stress/typedarray-of.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 133

Darn. I'm momentarily afk, and it's cool to roll this out.

Comment 35 Filip Pizlo 2017-01-17 12:18:54 PST

(In reply to comment #34)
> (In reply to comment #33)
> > This may have caused some crashes on the bots:
> > https://build.webkit.org/builders/
> > Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/427
> > 
> > > ** The following JSC stress test failures have been introduced:
> > > 	stress/reflect-enumerate.js.ftl-eager
> > > 	stress/typedarray-of.js.no-cjit-collect-continuously
> > 
> > Failures looked like:
> > 
> > > stress/reflect-enumerate.js.ftl-eager: test_script_14719: line 2: 43319 Trace/BPT trap: 5       ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false reflect-enumerate.js )
> > > stress/reflect-enumerate.js.ftl-eager: ERROR: Unexpected exit code: 133
> > 
> > > stress/typedarray-of.js.no-cjit-collect-continuously: test_script_18860: line 2: 80608 Trace/BPT trap: 5       ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --collectContinuously\=true --useGenerationalGC\=false typedarray-of.js )
> > > stress/typedarray-of.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 133
> 
> Darn. I'm momentarily afk, and it's cool to roll this out.

Looking at this now.

Comment 36 Filip Pizlo 2017-01-17 12:19:38 PST

This landed in http://trac.webkit.org/changeset/210821

Keeping open while I double-check that it's at fault for crashes.

Comment 37 Filip Pizlo 2017-01-17 12:23:30 PST

(In reply to comment #36)
> This landed in http://trac.webkit.org/changeset/210821
> 
> Keeping open while I double-check that it's at fault for crashes.

I'm pretty sure that this is the cause of crashes.  I'll roll it out.

Comment 38 Filip Pizlo 2017-01-17 12:27:09 PST

Rolled out in http://trac.webkit.org/changeset/210824

Comment 39 Filip Pizlo 2017-01-17 13:39:08 PST

(In reply to comment #38)
> Rolled out in http://trac.webkit.org/changeset/210824

It's clear that rolling this out fixed the crashes but I still cannot repro those darn crashes locally.

I'll keep trying.

Comment 40 Filip Pizlo 2017-01-17 13:50:14 PST

There's also this: https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK2%20(Tests)/r210822%20(10432)/plugins/destroy-plugin-from-callback-crash-log.txt

Some NPAPI stuff needs to stop using jsCast in some places.

Comment 41 Filip Pizlo 2017-01-17 14:50:29 PST

Boy, the crash rate of the crash the bot saw is incredibly low.  I got it to crash on my machine once.  It seems to consistently crash in assertions in checkOffsetConsistency, so I've made those assertions more verbose. I haven't seen a crash since.

I'm simultaneously running tests on bot157 since that one seemed to get the crash once per run-javascriptcore-tests run. It's more than half-way through a test run right now and still no crash.

Comment 42 Filip Pizlo 2017-01-17 15:26:55 PST

I made a small change to the assertion to cover a race condition in the assert itself.  Now I cannot get a crash anymore.

I've done two runs in a row on bot157 without a crash and I've done a bunch of runs on my machine without crashing.

I'll do one more round of testing and if no crash then I'll reland.

Comment 43 Filip Pizlo 2017-01-17 15:39:42 PST

Created attachment 299076 [details]
patch for relanding

Comment 44 Filip Pizlo 2017-01-17 15:54:55 PST

Relanded in https://trac.webkit.org/changeset/210829