RESOLVED FIXED 190693
stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
https://bugs.webkit.org/show_bug.cgi?id=190693
Mark Lam
Reported 2018-10-17 16:24:36 PDT
I'm not sure if ASAN is needed, but that's what I saw this failure on. It hasn't reproduced for me on a debug build though. I ran it through the run-javascriptcore-tests harness:

$ ./Tools/Scripts/run-javascriptcore-tests --release --no-build --jsc-stress --filter const-semantics

stress/const-semantics.js.dfg-eager: AddressSanitizer:DEADLYSIGNAL
stress/const-semantics.js.dfg-eager: =================================================================
stress/const-semantics.js.dfg-eager: ==9196==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x000109bb2c7d bp 0x70000b860430 sp 0x70000b860430 T7)
stress/const-semantics.js.dfg-eager: ==9196==The signal is caused by a READ memory access.
stress/const-semantics.js.dfg-eager: ==9196==Hint: address points to the zero page.
stress/const-semantics.js.dfg-eager: #0 0x109bb2c7c in JSC::ClassInfo const* WTF::Poisoned<WTF::Poison<g_GlobalDataPoison>, JSC::ClassInfo const*, void>::unpoisoned<JSC::ClassInfo const*>() const Poisoned.h:114
stress/const-semantics.js.dfg-eager: #1 0x10a0c85cc in JSC::JSCell::methodTable(JSC::VM&) const JSCellInlines.h:297
stress/const-semantics.js.dfg-eager: #2 0x10b20e099 in JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const SlotVisitor.cpp:393
stress/const-semantics.js.dfg-eager: #3 0x10b2032c7 in JSC::IterationStatus JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3>(JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3 const&) SlotVisitorInlines.h:190
stress/const-semantics.js.dfg-eager: #4 0x10b203198 in JSC::SlotVisitor::drain(WTF::MonotonicTime) SlotVisitor.cpp:493
stress/const-semantics.js.dfg-eager: #5 0x10b204619 in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) SlotVisitor.cpp:693
stress/const-semantics.js.dfg-eager: #6 0x10b19b056 in JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18::operator()() const Heap.cpp:1269
stress/const-semantics.js.dfg-eager: #7 0x1094630cf in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) ParallelHelperPool.cpp:112
stress/const-semantics.js.dfg-eager: #8 0x109464971 in WTF::ParallelHelperPool::Thread::work() ParallelHelperPool.cpp:200
stress/const-semantics.js.dfg-eager: #9 0x1093fff21 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:223
stress/const-semantics.js.dfg-eager: #10 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager: #11 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager: #12 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager: #13 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager: #14 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: ==9196==Register values:
stress/const-semantics.js.dfg-eager: rax = 0x0000000000000008 rbx = 0x00006310000008d0 rcx = 0x0000100000000008 rdx = 0x000062d00014f180
stress/const-semantics.js.dfg-eager: rdi = 0x0000000000000040 rsi = 0x0000000000000000 rbp = 0x000070000b860430 rsp = 0x000070000b860430
stress/const-semantics.js.dfg-eager: r8 = 0x0000100000000000 r9 = 0x0000000000000001 r10 = 0x00007fff919721a8 r11 = 0x0000000000000198
stress/const-semantics.js.dfg-eager: r12 = 0x00000000ffffff9d r13 = 0x000062d00014f180 r14 = 0x0000000000000000 r15 = 0x0000611000002e80
stress/const-semantics.js.dfg-eager: AddressSanitizer can not provide additional info.
stress/const-semantics.js.dfg-eager: SUMMARY: AddressSanitizer: SEGV Poisoned.h:114 in JSC::ClassInfo const* WTF::Poisoned<WTF::Poison<g_GlobalDataPoison>, JSC::ClassInfo const*, void>::unpoisoned<JSC::ClassInfo const*>() const
stress/const-semantics.js.dfg-eager: Thread T7 created by T5 here:
stress/const-semantics.js.dfg-eager: #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager: #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager: #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager: #3 0x1093fc2e4 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:165
stress/const-semantics.js.dfg-eager: #4 0x1093fc6a6 in WTF::AutomaticThreadCondition::notifyAll(WTF::AbstractLocker const&) AutomaticThread.cpp:76
stress/const-semantics.js.dfg-eager: #5 0x1094627e1 in WTF::ParallelHelperPool::didMakeWorkAvailable(WTF::AbstractLocker const&) ParallelHelperPool.cpp:216
stress/const-semantics.js.dfg-eager: #6 0x1094622d0 in WTF::ParallelHelperClient::setTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) ParallelHelperPool.cpp:62
stress/const-semantics.js.dfg-eager: #7 0x10b17b58e in void WTF::ParallelHelperClient::setFunction<JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>(JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18 const&) ParallelHelperPool.h:142
stress/const-semantics.js.dfg-eager: #8 0x10b178c4e in JSC::Heap::runBeginPhase(JSC::GCConductor) Heap.cpp:1256
stress/const-semantics.js.dfg-eager: #9 0x10b177e53 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) Heap.cpp:1168
stress/const-semantics.js.dfg-eager: #10 0x10b177ce7 in JSC::Heap::collectInCollectorThread() Heap.cpp:1111
stress/const-semantics.js.dfg-eager: #11 0x10b1852b8 in JSC::Heap::Thread::work() Heap.cpp:261
stress/const-semantics.js.dfg-eager: #12 0x1093fff21 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:223
stress/const-semantics.js.dfg-eager: #13 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager: #14 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager: #15 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager: #16 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager: #17 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: Thread T5 created by T4 here:
stress/const-semantics.js.dfg-eager: #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager: #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager: #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager: #3 0x1093fc2e4 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:165
stress/const-semantics.js.dfg-eager: #4 0x10b1adbfe in JSC::Heap::notifyIsSafeToCollect()::$_37::operator()() const Heap.cpp:2827
stress/const-semantics.js.dfg-eager: #5 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager: #6 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager: #7 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager: #8 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager: #9 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: Thread T4 created by T0 here:
stress/const-semantics.js.dfg-eager: #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager: #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager: #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager: #3 0x10b183967 in JSC::Heap::notifyIsSafeToCollect() Heap.cpp:2816
stress/const-semantics.js.dfg-eager: #4 0x10bda7be8 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) VM.cpp:470
stress/const-semantics.js.dfg-eager: #5 0x10bdaed89 in JSC::VM::create(JSC::HeapType) VM.cpp:643
stress/const-semantics.js.dfg-eager: #6 0x1092ad4b3 in int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) jsc.cpp:2733
stress/const-semantics.js.dfg-eager: #7 0x1092ab58e in jscmain(int, char**) jsc.cpp:2841
stress/const-semantics.js.dfg-eager: #8 0x1092ab3ea in main jsc.cpp:2271
stress/const-semantics.js.dfg-eager: #9 0x7fff5f2d2014 in start (libdyld.dylib:x86_64+0x1014)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: ==9196==ABORTING
stress/const-semantics.js.dfg-eager: test_script_4: line 2: 9196 Abort trap: 6 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false --useProbeOSRExit\=true const-semantics.js )
stress/const-semantics.js.dfg-eager: ERROR: Unexpected exit code: 134
16/16 (failed 1)
** The following JSC stress test failures have been introduced:
    stress/const-semantics.js.dfg-eager
Results for JSC stress tests:
    1 failure found.

I'm seeing this on an unmodified ASAN release build of ToT r237236.
Attachments
Patch (8.71 KB, patch)
2019-01-24 13:57 PST, Yusuke Suzuki
msaboff: review+
Radar WebKit Bug Importer
Comment 1 2018-10-17 16:25:24 PDT
Mark Lam
Comment 2 2018-10-17 16:34:48 PDT
(In reply to Mark Lam from comment #0)
> I'm seeing this on an unmodified ASAN release build of ToT r237236.

Note: I first saw this failure on the JSC EWS bot. So, ASAN is probably not needed.
Saam Barati
Comment 3 2018-10-18 11:41:42 PDT
(In reply to Mark Lam from comment #2)
> (In reply to Mark Lam from comment #0)
> > I'm seeing this on an unmodified ASAN release build of ToT r237236.
>
> Note: I first saw this failure on the JSC EWS bot. So, ASAN is probably not
> needed.

Agreed. I've seen EWS flake on this many times.
Yusuke Suzuki
Comment 4 2019-01-24 13:57:58 PST
Michael Saboff
Comment 5 2019-01-24 14:05:01 PST
Comment on attachment 360035 [details]
Patch

r=me
Yusuke Suzuki
Comment 6 2019-01-24 14:37:12 PST
Mark Lam
Comment 7 2019-01-24 14:37:55 PST
Comment on attachment 360035 [details]
Patch

I see the ChangeLog for stress/regress-190693.js but don't see the file itself. Do you have a missing file?
Mark Lam
Comment 8 2019-01-24 14:47:53 PST
(In reply to Mark Lam from comment #7)
> Comment on attachment 360035 [details]
> Patch
>
> I see the ChangeLog for stress/regress-190693.js but don't see the file
> itself. Do you have a missing file?

Correction: it was landed in https://trac.webkit.org/browser/webkit/trunk/JSTests/stress/regress-190693.js?rev=240449, just not included in the patch. All is well.
Yusuke Suzuki
Comment 9 2019-01-24 14:49:43 PST
(In reply to Mark Lam from comment #8)
> (In reply to Mark Lam from comment #7)
> > Comment on attachment 360035 [details]
> > Patch
> >
> > I see the ChangeLog for stress/regress-190693.js but don't see the file
> > itself. Do you have a missing file?
>
> Correction: it was landed in
> https://trac.webkit.org/browser/webkit/trunk/JSTests/stress/regress-190693.
> js?rev=240449, just not included in the patch. All is well.

Oops! Sorry. Maybe I performed `webkit-patch upload --update-changelogs` before doing `git commit`.