RESOLVED FIXED 167066
JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction 
https://bugs.webkit.org/show_bug.cgi?id=167066
Summary JSCell::classInfo() shouldn't have a bunch of mitigations for being called du...
Filip Pizlo
Reported 2017-01-15 09:55:25 PST
Every time you use JSCell::classInfo(), you pay a compile time, code size, and running time cost for mitigations that are there to make that method safe to call from a destructor. The only reason why we call that method in destructors is: - Invalid use of jsCast<>. We used to have the discipline to only use static_cast<> in destructors. - Some isolated uses of the classInfo in specific subclasses. Those can do the mitigations themselves. We should also assert in classInfo() that we aren't destructing.
Attachments
the patch (21.00 KB, patch)
2017-01-15 10:04 PST, Filip Pizlo 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews103 for mac-elcapitan (314.59 KB, application/zip)
2017-01-15 11:05 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews105 for mac-elcapitan-wk2 (325.39 KB, application/zip)
2017-01-15 11:05 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews117 for mac-elcapitan (369.02 KB, application/zip)
2017-01-15 11:08 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews124 for ios-simulator-wk2 (424.09 KB, application/zip)
2017-01-15 11:14 PST, Build Bot 		no flags
Details
more (25.33 KB, patch)
2017-01-15 11:45 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
possible patch (26.93 KB, patch)
2017-01-16 00:49 PST, Filip Pizlo 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews100 for mac-elcapitan (342.35 KB, application/zip)
2017-01-16 01:48 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews117 for mac-elcapitan (367.02 KB, application/zip)
2017-01-16 01:48 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (495.74 KB, application/zip)
2017-01-16 01:52 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (657.04 KB, application/zip)
2017-01-16 02:00 PST, Build Bot 		no flags
Details
more (32.97 KB, patch)
2017-01-16 10:27 PST, Filip Pizlo 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews117 for mac-elcapitan (1.96 MB, application/zip)
2017-01-16 11:56 PST, Build Bot 		no flags
Details
more (33.72 KB, patch)
2017-01-16 12:04 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
more (34.02 KB, patch)
2017-01-16 13:04 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
possible patch (33.36 KB, patch)
2017-01-16 15:00 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (33.92 KB, patch)
2017-01-16 16:46 PST, Filip Pizlo 		msaboff: review+
DetailsFormatted DiffDiff
patch for relanding (55.45 KB, patch)
2017-01-17 15:39 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
Show Obsolete (17) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2017-01-15 10:04:10 PST
Created attachment 298898 [details] the patch
Filip Pizlo
Comment 2 2017-01-15 10:48:23 PST
Comment on attachment 298898 [details] the patch Doesn't look ready based on EWS. I'll run layout tests locally.
Build Bot
Comment 3 2017-01-15 11:05:22 PST
Comment on attachment 298898 [details] the patch Attachment 298898 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/2895044 Number of test failures exceeded the failure limit.
Build Bot
Comment 4 2017-01-15 11:05:26 PST
Created attachment 298902 [details] Archive of layout-test-results from ews103 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 5 2017-01-15 11:05:50 PST
Comment on attachment 298898 [details] the patch Attachment 298898 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/2895040 Number of test failures exceeded the failure limit.
Build Bot
Comment 6 2017-01-15 11:05:54 PST
Created attachment 298903 [details] Archive of layout-test-results from ews105 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Build Bot
Comment 7 2017-01-15 11:08:15 PST
Comment on attachment 298898 [details] the patch Attachment 298898 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2895039 Number of test failures exceeded the failure limit.
Build Bot
Comment 8 2017-01-15 11:08:19 PST
Created attachment 298904 [details] Archive of layout-test-results from ews117 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 9 2017-01-15 11:14:26 PST
Comment on attachment 298898 [details] the patch Attachment 298898 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/2895046 Number of test failures exceeded the failure limit.
Build Bot
Comment 10 2017-01-15 11:14:30 PST
Created attachment 298906 [details] Archive of layout-test-results from ews124 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Filip Pizlo
Comment 11 2017-01-15 11:24:27 PST
Oh yeah, this is all about that silly JSObjectGetPrivate. I have a really brutal fix...
Filip Pizlo
Comment 12 2017-01-15 11:45:52 PST
Created attachment 298909 [details] more
Filip Pizlo
Comment 13 2017-01-16 00:49:15 PST
Created attachment 298943 [details] possible patch
Build Bot
Comment 14 2017-01-16 01:48:29 PST
Comment on attachment 298943 [details] possible patch Attachment 298943 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/2898101 Number of test failures exceeded the failure limit.
Build Bot
Comment 15 2017-01-16 01:48:33 PST
Created attachment 298944 [details] Archive of layout-test-results from ews100 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 16 2017-01-16 01:48:42 PST
Comment on attachment 298943 [details] possible patch Attachment 298943 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2898096 Number of test failures exceeded the failure limit.
Build Bot
Comment 17 2017-01-16 01:48:45 PST
Created attachment 298945 [details] Archive of layout-test-results from ews117 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 18 2017-01-16 01:52:24 PST
Comment on attachment 298943 [details] possible patch Attachment 298943 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/2898104 Number of test failures exceeded the failure limit.
Build Bot
Comment 19 2017-01-16 01:52:27 PST
Created attachment 298946 [details] Archive of layout-test-results from ews107 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Build Bot
Comment 20 2017-01-16 02:00:47 PST
Comment on attachment 298943 [details] possible patch Attachment 298943 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/2898108 Number of test failures exceeded the failure limit.
Build Bot
Comment 21 2017-01-16 02:00:50 PST
Created attachment 298947 [details] Archive of layout-test-results from ews123 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Filip Pizlo
Comment 22 2017-01-16 10:27:21 PST
Created attachment 298970 [details] more Fixed a bunch of crash bugs.
Build Bot
Comment 23 2017-01-16 11:56:01 PST
Comment on attachment 298970 [details] more Attachment 298970 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2900098 New failing tests: fast/dom/DOMURL/searchparams.html fast/text/font-face-set-document.html imported/w3c/web-platform-tests/html/browsers/browsing-the-web/read-media/pageload-video.html imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location.html imported/w3c/web-platform-tests/fetch/api/request/request-init-002.html fast/text/font-face-set-javascript.html
Build Bot
Comment 24 2017-01-16 11:56:07 PST
Created attachment 298979 [details] Archive of layout-test-results from ews117 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Filip Pizlo
Comment 25 2017-01-16 12:04:35 PST
Created attachment 298980 [details] more
Filip Pizlo
Comment 26 2017-01-16 13:04:44 PST
Created attachment 298984 [details] more Fixed build and a C API bug
Filip Pizlo
Comment 27 2017-01-16 15:00:20 PST
Created attachment 298992 [details] possible patch Two changes: - More changelog. - Streamlined logic in JSObjectGetPrivate(). I think it's more correct, but who knows. Will wait for EWS before r?.
Filip Pizlo
Comment 28 2017-01-16 16:46:22 PST
Created attachment 299000 [details] the patch
Radar WebKit Bug Importer
Comment 29 2017-01-16 16:52:03 PST
<rdar://problem/30044439>
Keith Miller
Comment 30 2017-01-17 10:34:52 PST
Comment on attachment 299000 [details] the patch r=me, although you're killing me with the timing of this.
Michael Saboff
Comment 31 2017-01-17 10:45:50 PST
Comment on attachment 299000 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=299000&action=review r=me > Source/JavaScriptCore/ChangeLog:20 > + being destructed. JSObjectGetPrivate() is UB anyway if you use it on any UB -> undefined behavior > Source/JavaScriptCore/ChangeLog:31 > + That was the only really weird of this patch. The rest is mostly removing illegal Sentence wording.
Filip Pizlo
Comment 32 2017-01-17 10:52:49 PST
(In reply to comment #30) > Comment on attachment 299000 [details] > the patch > > r=me, although you're killing me with the timing of this. :-( I thought it was a blocker for one of the crashes I had in bug 165760. This ended up not being the reason, but I only realized that after getting over the "no classInfo from destructor" hump.
Joseph Pecoraro
Comment 33 2017-01-17 11:56:33 PST
This may have caused some crashes on the bots: https://build.webkit.org/builders/Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/427 > ** The following JSC stress test failures have been introduced: > stress/reflect-enumerate.js.ftl-eager > stress/typedarray-of.js.no-cjit-collect-continuously Failures looked like: > stress/reflect-enumerate.js.ftl-eager: test_script_14719: line 2: 43319 Trace/BPT trap: 5 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false reflect-enumerate.js ) > stress/reflect-enumerate.js.ftl-eager: ERROR: Unexpected exit code: 133 > stress/typedarray-of.js.no-cjit-collect-continuously: test_script_18860: line 2: 80608 Trace/BPT trap: 5 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --collectContinuously\=true --useGenerationalGC\=false typedarray-of.js ) > stress/typedarray-of.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 133
Filip Pizlo
Comment 34 2017-01-17 12:08:33 PST
(In reply to comment #33) > This may have caused some crashes on the bots: > https://build.webkit.org/builders/ > Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/427 > > > ** The following JSC stress test failures have been introduced: > > stress/reflect-enumerate.js.ftl-eager > > stress/typedarray-of.js.no-cjit-collect-continuously > > Failures looked like: > > > stress/reflect-enumerate.js.ftl-eager: test_script_14719: line 2: 43319 Trace/BPT trap: 5 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false reflect-enumerate.js ) > > stress/reflect-enumerate.js.ftl-eager: ERROR: Unexpected exit code: 133 > > > stress/typedarray-of.js.no-cjit-collect-continuously: test_script_18860: line 2: 80608 Trace/BPT trap: 5 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --collectContinuously\=true --useGenerationalGC\=false typedarray-of.js ) > > stress/typedarray-of.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 133 Darn. I'm momentarily afk, and it's cool to roll this out.
Filip Pizlo
Comment 35 2017-01-17 12:18:54 PST
(In reply to comment #34) > (In reply to comment #33) > > This may have caused some crashes on the bots: > > https://build.webkit.org/builders/ > > Apple%20Sierra%20Release%20JSC%20%28Tests%29/builds/427 > > > > > ** The following JSC stress test failures have been introduced: > > > stress/reflect-enumerate.js.ftl-eager > > > stress/typedarray-of.js.no-cjit-collect-continuously > > > > Failures looked like: > > > > > stress/reflect-enumerate.js.ftl-eager: test_script_14719: line 2: 43319 Trace/BPT trap: 5 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false reflect-enumerate.js ) > > > stress/reflect-enumerate.js.ftl-eager: ERROR: Unexpected exit code: 133 > > > > > stress/typedarray-of.js.no-cjit-collect-continuously: test_script_18860: line 2: 80608 Trace/BPT trap: 5 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --collectContinuously\=true --useGenerationalGC\=false typedarray-of.js ) > > > stress/typedarray-of.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 133 > > Darn. I'm momentarily afk, and it's cool to roll this out. Looking at this now.
Filip Pizlo
Comment 36 2017-01-17 12:19:38 PST
This landed in http://trac.webkit.org/changeset/210821 Keeping open while I double-check that it's at fault for crashes.
Filip Pizlo
Comment 37 2017-01-17 12:23:30 PST
(In reply to comment #36) > This landed in http://trac.webkit.org/changeset/210821 > > Keeping open while I double-check that it's at fault for crashes. I'm pretty sure that this is the cause of crashes. I'll roll it out.
Filip Pizlo
Comment 38 2017-01-17 12:27:09 PST
Rolled out in http://trac.webkit.org/changeset/210824
Filip Pizlo
Comment 39 2017-01-17 13:39:08 PST
(In reply to comment #38) > Rolled out in http://trac.webkit.org/changeset/210824 It's clear that rolling this out fixed the crashes but I still cannot repro those darn crashes locally. I'll keep trying.
Filip Pizlo
Comment 40 2017-01-17 13:50:14 PST
There's also this: https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK2%20(Tests)/r210822%20(10432)/plugins/destroy-plugin-from-callback-crash-log.txt Some NPAPI stuff needs to stop using jsCast in some places.
Filip Pizlo
Comment 41 2017-01-17 14:50:29 PST
Boy, the crash rate of the crash the bot saw is incredibly low. I got it to crash on my machine once. It seems to consistently crash in assertions in checkOffsetConsistency, so I've made those assertions more verbose. I haven't seen a crash since. I'm simultaneously running tests on bot157 since that one seemed to get the crash once per run-javascriptcore-tests run. It's more than half-way through a test run right now and still no crash.
Filip Pizlo
Comment 42 2017-01-17 15:26:55 PST
I made a small change to the assertion to cover a race condition in the assert itself. Now I cannot get a crash anymore. I've done two runs in a row on bot157 without a crash and I've done a bunch of runs on my machine without crashing. I'll do one more round of testing and if no crash then I'll reland.
Filip Pizlo
Comment 43 2017-01-17 15:39:42 PST
Created attachment 299076 [details] patch for relanding
Filip Pizlo
Comment 44 2017-01-17 15:54:55 PST
Relanded in https://trac.webkit.org/changeset/210829
Note You need to log in before you can comment on or make changes to this bug.