Bug 175256 - REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Keith Miller
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-08-06 20:05 PDT by Ryan Haddad
Modified: 2017-08-07 00:04 PDT (History)

See Also:


Attachments
Crashlog (90.57 KB, text/plain) 2017-08-06 20:08 PDT, Ryan Haddad
Patch (1.68 KB, patch) 2017-08-06 22:37 PDT, Keith Miller

Description Ryan Haddad 2017-08-06 20:05:00 PDT
The following JSC tests are failing on debug bots:

	wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.default-wasm
	wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-eager-jettison
	wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-call-ic
	wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-cjit-yes-tls-context
	wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-tls-context
	wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-slow-memory
	wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory

https://build.webkit.org/builders/Apple%20Sierra%20Debug%20JSC%20%28Tests%29/builds/803
Comment 1 Ryan Haddad 2017-08-06 20:07:04 PDT
It looks like these are crashing with the following backtrace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010c75cbff void const* Gigacage::caged<void const>(void const*) + 31 (Gigacage.h:62)
1   com.apple.JavaScriptCore      	0x000000010c75ba95 Gigacage::isCaged(void const*) + 21 (Gigacage.h:73)
2   com.apple.JavaScriptCore      	0x000000010c75b9da JSC::ArrayBuffer::createFromBytes(void const*, unsigned int, WTF::Function<void (void*)>&&) + 42 (ArrayBuffer.cpp:201)
3   com.apple.JavaScriptCore      	0x000000010d3ba0dd JSC::JSWebAssemblyMemory::buffer(JSC::VM&, JSC::JSGlobalObject*) + 237 (JSWebAssemblyMemory.cpp:81)
4   com.apple.JavaScriptCore      	0x000000010d83b413 JSC::webAssemblyMemoryProtoFuncBuffer(JSC::ExecState*) + 307 (WebAssemblyMemoryPrototype.cpp:94)
5   com.apple.JavaScriptCore      	0x000000010d41660c vmEntryToNative + 349
6   com.apple.JavaScriptCore      	0x000000010d1a0ae5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1333 (Interpreter.cpp:973)
7   com.apple.JavaScriptCore      	0x000000010c971cc8 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 184 (CallData.cpp:40)
8   com.apple.JavaScriptCore      	0x000000010d07155f JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 399 (GetterSetter.cpp:87)
9   com.apple.JavaScriptCore      	0x000000010d60326e JSC::PropertySlot::functionGetter(JSC::ExecState*) const + 142 (PropertySlot.cpp:35)
10  com.apple.JavaScriptCore      	0x000000010c59180d JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 93 (PropertySlot.h:387)
11  com.apple.JavaScriptCore      	0x000000010c59161b JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 91 (JSCJSValueInlines.h:800)
12  com.apple.JavaScriptCore      	0x000000010d4079a4 llint_slow_path_get_by_id + 372 (LLIntSlowPaths.cpp:661)
13  com.apple.JavaScriptCore      	0x000000010d41985c llint_entry + 12758
14  com.apple.JavaScriptCore      	0x000000010d41dfa7 llint_entry + 31009
15  com.apple.JavaScriptCore      	0x000000010d416467 vmEntryToJavaScript + 343
16  com.apple.JavaScriptCore      	0x000000010d1f0a6e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350 (JITCode.cpp:81)
17  com.apple.JavaScriptCore      	0x000000010d1a226b JSC::Interpreter::executeModuleProgram(JSC::ModuleProgramExecutable*, JSC::ExecState*, JSC::JSModuleEnvironment*) + 1243 (Interpreter.cpp:1289)
18  com.apple.JavaScriptCore      	0x000000010d2f9498 JSC::JSModuleRecord::evaluate(JSC::ExecState*) + 168 (JSModuleRecord.cpp:210)
19  com.apple.JavaScriptCore      	0x000000010d2efc6e JSC::JSModuleLoader::evaluate(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) + 286 (JSModuleLoader.cpp:239)
20  com.apple.JavaScriptCore      	0x000000010d444e31 JSC::moduleLoaderPrototypeEvaluate(JSC::ExecState*) + 209 (ModuleLoaderPrototype.cpp:245)
21  ???                           	0x0000351c17a01028 0 + 58394771722280
22  com.apple.JavaScriptCore      	0x000000010d41df2d llint_entry + 30887
23  com.apple.JavaScriptCore      	0x000000010d41dfa7 llint_entry + 31009
24  ???                           	0x0000351c17a0ce80 0 + 58394771771008
25  com.apple.JavaScriptCore      	0x000000010d416467 vmEntryToJavaScript + 343
26  com.apple.JavaScriptCore      	0x000000010d1f0a6e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350 (JITCode.cpp:81)
27  com.apple.JavaScriptCore      	0x000000010d1a0aa5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1269 (Interpreter.cpp:971)
28  com.apple.JavaScriptCore      	0x000000010c971cc8 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 184 (CallData.cpp:40)
29  com.apple.JavaScriptCore      	0x000000010c971f7a JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 106 (CallData.cpp:60)
30  com.apple.JavaScriptCore      	0x000000010d2e56b8 JSC::JSJobMicrotask::run(JSC::ExecState*) + 504 (JSJob.cpp:76)
31  com.apple.JavaScriptCore      	0x000000010d730073 JSC::QueuedTask::run() + 83 (VM.cpp:906)
32  com.apple.JavaScriptCore      	0x000000010d72fc87 JSC::VM::drainMicrotasks() + 135 (VM.cpp:900)
33  jsc                           	0x000000010c4a2b90 runWithOptions(GlobalObject*, CommandLine&) + 1984 (jsc.cpp:3438)
34  jsc                           	0x000000010c467a14 jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*) const + 36 (jsc.cpp:3836)
35  jsc                           	0x000000010c4580dd int runJSC<jscmain(int, char**)::$_6>(CommandLine, bool, jscmain(int, char**)::$_6 const&) + 1405 (jsc.cpp:3731)
36  jsc                           	0x000000010c456cbc jscmain(int, char**) + 172 (jsc.cpp:3833)
37  jsc                           	0x000000010c456bfe main + 46 (jsc.cpp:3272)
38  libdyld.dylib                 	0x00007fffc7239235 start + 1
Comment 2 Ryan Haddad 2017-08-06 20:08:53 PDT
Created attachment 317395
Crashlog
Comment 3 Keith Miller 2017-08-06 22:24:54 PDT
I think the issue is that the order of this check is wrong: 

if (!Gigacage::isCaged(data) && data && byteLength)

I think it should be:

if (data && !Gigacage::isCaged(data) && byteLength)

since isCaged asserts data isn't null.
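The ordering Keith describes in comment 3, as an added example that is not WebKit code: a reduced C++ model of the condition in ArrayBuffer::createFromBytes, with the pre-fix and post-fix forms side by side. The cage range constants, the function names and the use of an exception in place of the debug assertion are all assumptions made for this example; the real Gigacage::isCaged compares the pointer against the actual reservation, and the real condition guards whatever createFromBytes does with uncaged bytes, which this page does not show.

```cpp
// Added example, not WebKit code: a reduced model of the Gigacage membership
// check and of the two condition orderings discussed in comment 3.
#include <cstdint>
#include <stdexcept>

namespace Model {

// Hypothetical cage: a fixed [base, base + size) range standing in for the
// real Gigacage reservation. The values are made up for the example.
constexpr std::uintptr_t kCageBase = 0x400000000000ull;
constexpr std::uintptr_t kCageSize = 0x000010000000ull;

// Stand-in for Gigacage::isCaged(). The real function asserts that ptr is
// non-null, so a debug build crashes on a null argument (the backtrace in
// comment 1 stops inside Gigacage::caged). The assertion is modelled as an
// exception here so a test can observe it instead of aborting the process.
inline bool isCaged(const void* ptr)
{
    if (!ptr)
        throw std::logic_error("isCaged: null pointer (debug assertion)");
    const std::uintptr_t p = reinterpret_cast<std::uintptr_t>(ptr);
    return p >= kCageBase && p < kCageBase + kCageSize;
}

// The condition as it stood before the fix: isCaged runs first, so a
// zero-byte WebAssembly.Memory (data == nullptr, nothing was mmapped)
// trips the assertion before the null check is ever evaluated.
inline bool needsUncagedPathBefore(const void* data, unsigned byteLength)
{
    return !isCaged(data) && data && byteLength;
}

// The condition after r220330: the null check comes first and && short-
// circuits, so isCaged is only ever called with a non-null pointer. In a
// release build both forms yield the same boolean; only the debug
// assertion distinguishes them, which is why only the debug bots failed.
inline bool needsUncagedPathAfter(const void* data, unsigned byteLength)
{
    return data && !isCaged(data) && byteLength;
}

// Reports whether the pre-fix form would have hit the (modelled) assertion
// for a given input.
inline bool beforeFormAsserts(const void* data, unsigned byteLength)
{
    try {
        (void)needsUncagedPathBefore(data, byteLength);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

} // namespace Model
```

The general rule this illustrates: in an `&&` chain, every guard that a later operand depends on (here, non-nullness) has to come before the call that assumes it, because short-circuit evaluation is the only thing preventing that call from running. Debug assertions such as the one in Gigacage::caged are what catch the mistake; a release build silently evaluates isCaged on the null pointer and happens to get the same answer, so the bug is invisible there.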
Comment 4 Keith Miller 2017-08-06 22:37:35 PDT
Created attachment 317399
Patch
Comment 5 WebKit Commit Bot 2017-08-07 00:03:09 PDT
Comment on attachment 317399
Patch

Clearing flags on attachment: 317399

Committed r220330: <http://trac.webkit.org/changeset/220330>
Comment 6 WebKit Commit Bot 2017-08-07 00:03:11 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2017-08-07 00:04:23 PDT
<rdar://problem/33748872>