The following JSC tests are failing on debug bots: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.default-wasm wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-eager-jettison wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-call-ic wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-cjit-yes-tls-context wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-tls-context wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-slow-memory wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory https://build.webkit.org/builders/Apple%20Sierra%20Debug%20JSC%20%28Tests%29/builds/803
It looks like these are crashing with the following backtrace: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010c75cbff void const* Gigacage::caged<void const>(void const*) + 31 (Gigacage.h:62) 1 com.apple.JavaScriptCore 0x000000010c75ba95 Gigacage::isCaged(void const*) + 21 (Gigacage.h:73) 2 com.apple.JavaScriptCore 0x000000010c75b9da JSC::ArrayBuffer::createFromBytes(void const*, unsigned int, WTF::Function<void (void*)>&&) + 42 (ArrayBuffer.cpp:201) 3 com.apple.JavaScriptCore 0x000000010d3ba0dd JSC::JSWebAssemblyMemory::buffer(JSC::VM&, JSC::JSGlobalObject*) + 237 (JSWebAssemblyMemory.cpp:81) 4 com.apple.JavaScriptCore 0x000000010d83b413 JSC::webAssemblyMemoryProtoFuncBuffer(JSC::ExecState*) + 307 (WebAssemblyMemoryPrototype.cpp:94) 5 com.apple.JavaScriptCore 0x000000010d41660c vmEntryToNative + 349 6 com.apple.JavaScriptCore 0x000000010d1a0ae5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1333 (Interpreter.cpp:973) 7 com.apple.JavaScriptCore 0x000000010c971cc8 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 184 (CallData.cpp:40) 8 com.apple.JavaScriptCore 0x000000010d07155f JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 399 (GetterSetter.cpp:87) 9 com.apple.JavaScriptCore 0x000000010d60326e JSC::PropertySlot::functionGetter(JSC::ExecState*) const + 142 (PropertySlot.cpp:35) 10 com.apple.JavaScriptCore 0x000000010c59180d JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 93 (PropertySlot.h:387) 11 com.apple.JavaScriptCore 0x000000010c59161b JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 91 (JSCJSValueInlines.h:800) 12 com.apple.JavaScriptCore 0x000000010d4079a4 llint_slow_path_get_by_id + 372 (LLIntSlowPaths.cpp:661) 13 com.apple.JavaScriptCore 0x000000010d41985c llint_entry + 12758 14 
com.apple.JavaScriptCore 0x000000010d41dfa7 llint_entry + 31009 15 com.apple.JavaScriptCore 0x000000010d416467 vmEntryToJavaScript + 343 16 com.apple.JavaScriptCore 0x000000010d1f0a6e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350 (JITCode.cpp:81) 17 com.apple.JavaScriptCore 0x000000010d1a226b JSC::Interpreter::executeModuleProgram(JSC::ModuleProgramExecutable*, JSC::ExecState*, JSC::JSModuleEnvironment*) + 1243 (Interpreter.cpp:1289) 18 com.apple.JavaScriptCore 0x000000010d2f9498 JSC::JSModuleRecord::evaluate(JSC::ExecState*) + 168 (JSModuleRecord.cpp:210) 19 com.apple.JavaScriptCore 0x000000010d2efc6e JSC::JSModuleLoader::evaluate(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) + 286 (JSModuleLoader.cpp:239) 20 com.apple.JavaScriptCore 0x000000010d444e31 JSC::moduleLoaderPrototypeEvaluate(JSC::ExecState*) + 209 (ModuleLoaderPrototype.cpp:245) 21 ??? 0x0000351c17a01028 0 + 58394771722280 22 com.apple.JavaScriptCore 0x000000010d41df2d llint_entry + 30887 23 com.apple.JavaScriptCore 0x000000010d41dfa7 llint_entry + 31009 24 ??? 
0x0000351c17a0ce80 0 + 58394771771008 25 com.apple.JavaScriptCore 0x000000010d416467 vmEntryToJavaScript + 343 26 com.apple.JavaScriptCore 0x000000010d1f0a6e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350 (JITCode.cpp:81) 27 com.apple.JavaScriptCore 0x000000010d1a0aa5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1269 (Interpreter.cpp:971) 28 com.apple.JavaScriptCore 0x000000010c971cc8 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 184 (CallData.cpp:40) 29 com.apple.JavaScriptCore 0x000000010c971f7a JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 106 (CallData.cpp:60) 30 com.apple.JavaScriptCore 0x000000010d2e56b8 JSC::JSJobMicrotask::run(JSC::ExecState*) + 504 (JSJob.cpp:76) 31 com.apple.JavaScriptCore 0x000000010d730073 JSC::QueuedTask::run() + 83 (VM.cpp:906) 32 com.apple.JavaScriptCore 0x000000010d72fc87 JSC::VM::drainMicrotasks() + 135 (VM.cpp:900) 33 jsc 0x000000010c4a2b90 runWithOptions(GlobalObject*, CommandLine&) + 1984 (jsc.cpp:3438) 34 jsc 0x000000010c467a14 jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*) const + 36 (jsc.cpp:3836) 35 jsc 0x000000010c4580dd int runJSC<jscmain(int, char**)::$_6>(CommandLine, bool, jscmain(int, char**)::$_6 const&) + 1405 (jsc.cpp:3731) 36 jsc 0x000000010c456cbc jscmain(int, char**) + 172 (jsc.cpp:3833) 37 jsc 0x000000010c456bfe main + 46 (jsc.cpp:3272) 38 libdyld.dylib 0x00007fffc7239235 start + 1
Created attachment 317395 [details] Crashlog
I think the issue is that the order of this check is wrong: `if (!Gigacage::isCaged(data) && data && byteLength)`. I think it should be: `if (data && !Gigacage::isCaged(data) && byteLength)`, since isCaged asserts that data isn't null, so the null check on data has to be evaluated first.
Created attachment 317399 [details] Patch
Comment on attachment 317399 [details] Patch Clearing flags on attachment: 317399 Committed r220330: <http://trac.webkit.org/changeset/220330>
All reviewed patches have been landed. Closing bug.
<rdar://problem/33748872>