Bug 188917 - RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
Summary: RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Other
Importance: P2 Normal
Assignee: Keith Miller
URL:
Keywords: InRadar
Duplicates: 189285
Depends on:
Blocks:
Reported: 2018-08-24 02:41 PDT by zhunkibatu
Modified: 2018-09-05 13:38 PDT
See Also:

Attachments
Patch (3.08 KB, patch), 2018-08-27 04:57 PDT, Keith Miller
Archive of layout-test-results from ews102 for mac-sierra (2.36 MB, application/zip), 2018-08-27 06:03 PDT, EWS Watchlist
Archive of layout-test-results from ews107 for mac-sierra-wk2 (2.99 MB, application/zip), 2018-08-27 06:06 PDT, EWS Watchlist
Archive of layout-test-results from ews114 for mac-sierra (3.06 MB, application/zip), 2018-08-27 06:41 PDT, EWS Watchlist
Patch (7.60 KB, patch), 2018-09-05 10:29 PDT, Keith Miller
Archive of layout-test-results from ews103 for mac-sierra (9.40 MB, application/zip), 2018-09-05 11:56 PDT, EWS Watchlist
Patch for landing (8.35 KB, patch), 2018-09-05 12:21 PDT, Keith Miller

Description zhunkibatu 2018-08-24 02:41:23 PDT
The following PoC triggers a RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83:

    static size_t sizeClassToIndex(size_t size)
    {
        RELEASE_ASSERT(size);                       ==>(1)
        return (size + sizeStep - 1) / sizeStep - 1;
    }
Here size=0; without this RELEASE_ASSERT, the function will return 18446744073709551615.
The PoC may need to be run several times to trigger the crash.

poc:
==================================================================
function foo(o){}

function test() {
    var floatArray = foo(new Float64Array(0));
}

for (var i = 0; i < 100000; ++i) {
    test();
}
test();
==================================================================

stack trace:
1   0x42c45b
2   0x7fd3cc70c9ef
3   0x7fd3cc6d05cd
4   0x7fd3cc66c682 JSC::FTL::lowerDFGToB3(JSC::FTL::State&)
5   0x7fd3cc44e7f3 JSC::DFG::Plan::compileInThreadImpl()
6   0x7fd3cc44a0da JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
7   0x7fd3cc64f372 JSC::DFG::Worklist::ThreadBody::work()
8   0x7fd3ccdaaa7c
9   0x7fd3ccdc39c1 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
10  0x7fd3ccdf7003
11  0x7fd3c99ba6ba
12  0x7fd3c89ed41d clone
Segmentation fault
Comment 1 Keith Miller 2018-08-27 04:57:25 PDT
Created attachment 348132 [details]
Patch
Comment 2 EWS Watchlist 2018-08-27 06:03:19 PDT
Comment on attachment 348132 [details]
Patch

Attachment 348132 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/8994239

New failing tests:
js/slow-stress/Int32Array-alloc-large-long-lived.html
Comment 3 EWS Watchlist 2018-08-27 06:03:20 PDT
Created attachment 348133 [details]
Archive of layout-test-results from ews102 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 4 EWS Watchlist 2018-08-27 06:06:56 PDT
Comment on attachment 348132 [details]
Patch

Attachment 348132 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/8994230

New failing tests:
js/slow-stress/Int32Array-alloc-large-long-lived.html
Comment 5 EWS Watchlist 2018-08-27 06:06:58 PDT
Created attachment 348134 [details]
Archive of layout-test-results from ews107 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 6 EWS Watchlist 2018-08-27 06:41:01 PDT
Comment on attachment 348132 [details]
Patch

Attachment 348132 [details] did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/8994281

New failing tests:
js/slow-stress/Int32Array-alloc-large-long-lived.html
Comment 7 EWS Watchlist 2018-08-27 06:41:03 PDT
Created attachment 348137 [details]
Archive of layout-test-results from ews114 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 8 Radar WebKit Bug Importer 2018-08-28 00:45:57 PDT
<rdar://problem/43788245>
Comment 9 Ryan Haddad 2018-08-28 08:53:19 PDT
Something about this patch causes JSC EWS bots to hang while running tests.
Comment 10 Mark Lam 2018-08-28 16:56:36 PDT
<rdar://problem/43433804>
Comment 11 Keith Miller 2018-09-05 10:29:56 PDT
Created attachment 348935 [details]
Patch
Comment 12 Mark Lam 2018-09-05 10:39:05 PDT
*** Bug 189285 has been marked as a duplicate of this bug. ***
Comment 13 Mark Lam 2018-09-05 10:40:51 PDT
<rdar://problem/39380095>
Comment 14 Mark Lam 2018-09-05 10:45:58 PDT
<rdar://problem/36715428>
Comment 15 EWS Watchlist 2018-09-05 11:56:57 PDT
Comment on attachment 348935 [details]
Patch

Attachment 348935 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/9104276

New failing tests:
imported/w3c/web-platform-tests/encoding/legacy-mb-korean/euc-kr/euckr-encode-form-csksc56011987.html
imported/w3c/web-platform-tests/encoding/legacy-mb-korean/euc-kr/euckr-encode-form-korean.html
imported/w3c/web-platform-tests/encoding/legacy-mb-korean/euc-kr/euckr-encode-form-ks_c_5601-1987.html
imported/w3c/web-platform-tests/encoding/legacy-mb-korean/euc-kr/euckr-encode-form-windows-949.html
imported/w3c/web-platform-tests/encoding/legacy-mb-korean/euc-kr/euckr-encode-form-ksc5601.html
imported/w3c/web-platform-tests/encoding/legacy-mb-japanese/shift_jis/sjis-encode-form-errors-han.html
imported/w3c/web-platform-tests/encoding/legacy-mb-korean/euc-kr/euckr-encode-form-iso-ir-149.html
Comment 16 EWS Watchlist 2018-09-05 11:56:59 PDT
Created attachment 348952 [details]
Archive of layout-test-results from ews103 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 17 EWS Watchlist 2018-09-05 12:01:09 PDT
Comment on attachment 348935 [details]
Patch

Attachment 348935 [details] did not pass jsc-ews (mac):
Output: https://webkit-queues.webkit.org/results/9104104

New failing tests:
stress/new-array-with-spread-with-phantom-new-array-buffer.js.ftl-no-cjit-no-put-stack-validate
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager-no-cjit-b3o1
stress/phantom-spread-forward-varargs.js.ftl-no-cjit-no-put-stack-validate
stress/new-array-with-spread-with-normal-spread-and-phantom-spread.js.ftl-eager
slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.ftl-no-cjit-validate-sampling-profiler
stress/arguments-custom-properties-gc.js.ftl-eager
stress/new-array-with-spread-with-phantom-new-array-buffer.js.ftl-no-cjit-small-pool
stress/IIFE-function-name-captured.js.ftl-eager-no-cjit
stress/get-my-argument-by-val-creates-arguments.js.ftl-eager-no-cjit
slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.default
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager
stress/phantom-new-array-buffer-forward-varargs.js.ftl-no-cjit-no-inline-validate
stress/arguments-custom-properties-gc.js.default
stress/typedarray-functions-with-neutered.js.ftl-eager
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager-no-cjit
stress/IIFE-function-name-captured.js.ftl-eager
stress/new-array-with-spread-with-normal-spread-and-phantom-spread.js.ftl-eager-no-cjit
stress/arguments-custom-properties-gc.js.ftl-no-cjit-no-put-stack-validate
jsc-layout-tests.yaml/js/script-tests/array-enumerators-functions.js.layout-ftl-eager-no-cjit
stress/phantom-spread-forward-varargs.js.ftl-no-cjit-b3o1
stress/typedarray-functions-with-neutered.js.ftl-eager-no-cjit
stress/phantom-new-array-buffer-forward-varargs.js.ftl-no-cjit-no-put-stack-validate
jsc-layout-tests.yaml/js/script-tests/Object-getOwnPropertyNames.js.layout-ftl-eager-no-cjit
stress/arguments-custom-properties-gc.js.ftl-no-cjit-b3o1
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-no-cjit-b3o1
jsc-layout-tests.yaml/js/script-tests/basic-spread.js.layout-ftl-eager-no-cjit
stress/arguments-custom-properties-gc.js.ftl-eager-no-cjit-b3o1
stress/new-array-with-spread-with-phantom-new-array-buffer.js.default
stress/tagged-template-tdz.js.ftl-eager
v8-v6/v8-earley-boyer.js.ftl-eager-no-cjit-b3o1
stress/phantom-new-array-buffer-forward-varargs.js.ftl-no-cjit-validate-sampling-profiler
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-no-cjit-no-inline-validate
stress/phantom-new-array-buffer-forward-varargs.js.ftl-no-cjit-b3o1
v8-v6/v8-earley-boyer.js.ftl-eager-no-cjit
v8-v6/v8-earley-boyer.js.ftl-eager
stress/arguments-custom-properties-gc.js.ftl-eager-no-cjit
stress/new-array-with-spread-with-phantom-new-array-buffer.js.ftl-no-cjit-b3o1
stress/arguments-custom-properties-gc.js.ftl-no-cjit-small-pool
jsc-layout-tests.yaml/js/slow-stress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate-sampling-profiler
stress/arguments-custom-properties-gc.js.ftl-no-cjit-no-inline-validate
stress/regexp-matches-array-bad-time.js.ftl-eager-no-cjit-b3o1
stress/v8-earley-boyer-strict.js.ftl-eager
stress/phantom-spread-forward-varargs.js.ftl-no-cjit-validate-sampling-profiler
stress/arguments-custom-properties-gc.js.ftl-no-cjit-validate-sampling-profiler
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-no-cjit-no-put-stack-validate
stress/v8-earley-boyer-strict.js.ftl-eager-no-cjit-b3o1
stress/v8-earley-boyer-strict.js.ftl-eager-no-cjit
stress/tagged-template-tdz.js.ftl-eager-no-cjit
stress/get-my-argument-by-val-creates-arguments.js.ftl-eager
stress/new-array-with-spread-with-phantom-new-array-buffer.js.ftl-eager-no-cjit-b3o1
stress/spread-non-array.js.ftl-eager
stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-no-cjit-validate-sampling-profiler
stress/spread-non-array.js.ftl-eager-no-cjit
stress/new-array-with-spread-with-phantom-new-array-buffer.js.ftl-no-cjit-validate-sampling-profiler
stress/phantom-spread-forward-varargs.js.ftl-no-cjit-no-inline-validate
apiTests
Comment 18 Mark Lam 2018-09-05 12:10:44 PDT
Comment on attachment 348935 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=348935&action=review

r=me if you can show that the test failures are not related to this patch.

> Source/JavaScriptCore/heap/MarkedSpace.h:88
> -        return (index + 1) * sizeStep;
> +        return index * sizeStep;
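Review bot: this hunk is only consistent if sizeClassToIndex changes in step with it: with the version quoted in the description, `(size + sizeStep - 1) / sizeStep - 1` guarded by `RELEASE_ASSERT(size)`, index 0 now maps to size 0 here, and sizeClassToIndex(0) would trip that very assert, so the patch must also drop the `- 1` (and the guard) in sizeClassToIndex, which this hunk does not show. The round-trip `ASSERT(sizeClassToIndex(result) == index)` suggested below pins that down; it is also worth confirming that numSizeClasses still covers sizeClassToIndex(largeCutoff - 1), which is exactly what the ASSERT suggested for buildSizeClassTable verifies.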

nit: can you express this as follows?
    size_t result = index * sizeStep;
    ASSERT(sizeClassToIndex(result) == index);
    return result;

I also recommend adding the following ASSERT in MarkedSpace.cpp's buildSizeClassTable:
    ASSERT(MarkedSpace::sizeClassToIndex(largeCutoff - 1) < MarkedSpace::numSizeClasses);
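As an added illustration (not code from the bug report, the patch, or WebKit), the size-class arithmetic from the description and the round-trip check from the review above, side by side. The sizeStep and largeCutoff values are constructed for this example, and the post-patch sizeClassToIndex without the `- 1` is assumed from the reviewed hunk and the suggested ASSERT, not copied from the landed patch.

```cpp
#include <cassert>
#include <cstddef>
// Constructed values standing in for MarkedSpace's size step and large-object
// cutoff; they are not WebKit's actual constants.
constexpr size_t sizeStep = 16;
constexpr size_t largeCutoff = 1024;

// Pre-patch mapping quoted in the bug description: index 0 is the 16-byte
// class, so size 0 has no index. Without the RELEASE_ASSERT(size) guard the
// unsigned subtraction wraps to SIZE_MAX (18446744073709551615 on 64-bit).
size_t oldSizeClassToIndex(size_t size)
{
    return (size + sizeStep - 1) / sizeStep - 1;
}

size_t oldIndexToSizeClass(size_t index)
{
    return (index + 1) * sizeStep;
}

// Post-patch mapping assumed from the reviewed hunk (index * sizeStep) and the
// round-trip ASSERT requested in review: index 0 now means size 0, so a
// zero-length allocation no longer underflows.
size_t newSizeClassToIndex(size_t size)
{
    return (size + sizeStep - 1) / sizeStep;
}

size_t newIndexToSizeClass(size_t index)
{
    size_t result = index * sizeStep;
    assert(newSizeClassToIndex(result) == index); // the reviewer's round-trip check
    return result;
}

// One extra class is needed because index 0 is now occupied by size 0.
constexpr size_t newNumSizeClasses = largeCutoff / sizeStep + 1;

// The table-size invariant suggested for buildSizeClassTable, plus a full round trip.
bool newTableIsConsistent()
{
    if (!(newSizeClassToIndex(largeCutoff - 1) < newNumSizeClasses))
        return false;
    for (size_t index = 0; index < newNumSizeClasses; ++index) {
        if (newSizeClassToIndex(newIndexToSizeClass(index)) != index)
            return false;
    }
    return true;
}
```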
Comment 19 Keith Miller 2018-09-05 12:21:06 PDT
Created attachment 348953 [details]
Patch for landing
Comment 20 Keith Miller 2018-09-05 13:38:42 PDT
Committed r235685: <https://trac.webkit.org/changeset/235685>