190693 – stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.

Bug 190693 - stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.

Summary: stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN rele...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-10-17 16:24 PDT by Mark Lam
Modified:	2019-01-24 14:49 PST (History)
CC List:	8 users (show)

See Also:

Attachments
Patch (8.71 KB, patch) 2019-01-24 13:57 PST, Yusuke Suzuki	msaboff: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2018-10-17 16:24:36 PDT

I'm not sure if ASAN is needed, but that's what I saw this failure on.  It hasn't reproduced for me on a debug build though.  I ran it through the run-javascriptcore-tests harness:

$ ./Tools/Scripts/run-javascriptcore-tests --release --no-build --jsc-stress --filter const-semantics

stress/const-semantics.js.dfg-eager: AddressSanitizer:DEADLYSIGNAL
stress/const-semantics.js.dfg-eager: =================================================================
stress/const-semantics.js.dfg-eager: ==9196==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x000109bb2c7d bp 0x70000b860430 sp 0x70000b860430 T7)
stress/const-semantics.js.dfg-eager: ==9196==The signal is caused by a READ memory access.
stress/const-semantics.js.dfg-eager: ==9196==Hint: address points to the zero page.
stress/const-semantics.js.dfg-eager:     #0 0x109bb2c7c in JSC::ClassInfo const* WTF::Poisoned<WTF::Poison<g_GlobalDataPoison>, JSC::ClassInfo const*, void>::unpoisoned<JSC::ClassInfo const*>() const Poisoned.h:114
stress/const-semantics.js.dfg-eager:     #1 0x10a0c85cc in JSC::JSCell::methodTable(JSC::VM&) const JSCellInlines.h:297
stress/const-semantics.js.dfg-eager:     #2 0x10b20e099 in JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const SlotVisitor.cpp:393
stress/const-semantics.js.dfg-eager:     #3 0x10b2032c7 in JSC::IterationStatus JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3>(JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3 const&) SlotVisitorInlines.h:190
stress/const-semantics.js.dfg-eager:     #4 0x10b203198 in JSC::SlotVisitor::drain(WTF::MonotonicTime) SlotVisitor.cpp:493
stress/const-semantics.js.dfg-eager:     #5 0x10b204619 in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) SlotVisitor.cpp:693
stress/const-semantics.js.dfg-eager:     #6 0x10b19b056 in JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18::operator()() const Heap.cpp:1269
stress/const-semantics.js.dfg-eager:     #7 0x1094630cf in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) ParallelHelperPool.cpp:112
stress/const-semantics.js.dfg-eager:     #8 0x109464971 in WTF::ParallelHelperPool::Thread::work() ParallelHelperPool.cpp:200
stress/const-semantics.js.dfg-eager:     #9 0x1093fff21 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:223
stress/const-semantics.js.dfg-eager:     #10 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager:     #11 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager:     #12 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager:     #13 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager:     #14 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager: 
stress/const-semantics.js.dfg-eager: ==9196==Register values:
stress/const-semantics.js.dfg-eager: rax = 0x0000000000000008  rbx = 0x00006310000008d0  rcx = 0x0000100000000008  rdx = 0x000062d00014f180  
stress/const-semantics.js.dfg-eager: rdi = 0x0000000000000040  rsi = 0x0000000000000000  rbp = 0x000070000b860430  rsp = 0x000070000b860430  
stress/const-semantics.js.dfg-eager:  r8 = 0x0000100000000000   r9 = 0x0000000000000001  r10 = 0x00007fff919721a8  r11 = 0x0000000000000198  
stress/const-semantics.js.dfg-eager: r12 = 0x00000000ffffff9d  r13 = 0x000062d00014f180  r14 = 0x0000000000000000  r15 = 0x0000611000002e80  
stress/const-semantics.js.dfg-eager: AddressSanitizer can not provide additional info.
stress/const-semantics.js.dfg-eager: SUMMARY: AddressSanitizer: SEGV Poisoned.h:114 in JSC::ClassInfo const* WTF::Poisoned<WTF::Poison<g_GlobalDataPoison>, JSC::ClassInfo const*, void>::unpoisoned<JSC::ClassInfo const*>() const
stress/const-semantics.js.dfg-eager: Thread T7 created by T5 here:
stress/const-semantics.js.dfg-eager:     #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager:     #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager:     #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager:     #3 0x1093fc2e4 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:165
stress/const-semantics.js.dfg-eager:     #4 0x1093fc6a6 in WTF::AutomaticThreadCondition::notifyAll(WTF::AbstractLocker const&) AutomaticThread.cpp:76
stress/const-semantics.js.dfg-eager:     #5 0x1094627e1 in WTF::ParallelHelperPool::didMakeWorkAvailable(WTF::AbstractLocker const&) ParallelHelperPool.cpp:216
stress/const-semantics.js.dfg-eager:     #6 0x1094622d0 in WTF::ParallelHelperClient::setTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) ParallelHelperPool.cpp:62
stress/const-semantics.js.dfg-eager:     #7 0x10b17b58e in void WTF::ParallelHelperClient::setFunction<JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>(JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18 const&) ParallelHelperPool.h:142
stress/const-semantics.js.dfg-eager:     #8 0x10b178c4e in JSC::Heap::runBeginPhase(JSC::GCConductor) Heap.cpp:1256
stress/const-semantics.js.dfg-eager:     #9 0x10b177e53 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) Heap.cpp:1168
stress/const-semantics.js.dfg-eager:     #10 0x10b177ce7 in JSC::Heap::collectInCollectorThread() Heap.cpp:1111
stress/const-semantics.js.dfg-eager:     #11 0x10b1852b8 in JSC::Heap::Thread::work() Heap.cpp:261
stress/const-semantics.js.dfg-eager:     #12 0x1093fff21 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:223
stress/const-semantics.js.dfg-eager:     #13 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager:     #14 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager:     #15 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager:     #16 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager:     #17 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager: 
stress/const-semantics.js.dfg-eager: Thread T5 created by T4 here:
stress/const-semantics.js.dfg-eager:     #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager:     #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager:     #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager:     #3 0x1093fc2e4 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:165
stress/const-semantics.js.dfg-eager:     #4 0x10b1adbfe in JSC::Heap::notifyIsSafeToCollect()::$_37::operator()() const Heap.cpp:2827
stress/const-semantics.js.dfg-eager:     #5 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager:     #6 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager:     #7 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager:     #8 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager:     #9 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager: 
stress/const-semantics.js.dfg-eager: Thread T4 created by T0 here:
stress/const-semantics.js.dfg-eager:     #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager:     #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager:     #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager:     #3 0x10b183967 in JSC::Heap::notifyIsSafeToCollect() Heap.cpp:2816
stress/const-semantics.js.dfg-eager:     #4 0x10bda7be8 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) VM.cpp:470
stress/const-semantics.js.dfg-eager:     #5 0x10bdaed89 in JSC::VM::create(JSC::HeapType) VM.cpp:643
stress/const-semantics.js.dfg-eager:     #6 0x1092ad4b3 in int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) jsc.cpp:2733
stress/const-semantics.js.dfg-eager:     #7 0x1092ab58e in jscmain(int, char**) jsc.cpp:2841
stress/const-semantics.js.dfg-eager:     #8 0x1092ab3ea in main jsc.cpp:2271
stress/const-semantics.js.dfg-eager:     #9 0x7fff5f2d2014 in start (libdyld.dylib:x86_64+0x1014)
stress/const-semantics.js.dfg-eager: 
stress/const-semantics.js.dfg-eager: ==9196==ABORTING
stress/const-semantics.js.dfg-eager: test_script_4: line 2:  9196 Abort trap: 6           ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false --useProbeOSRExit\=true const-semantics.js )
stress/const-semantics.js.dfg-eager: ERROR: Unexpected exit code: 134
16/16 (failed 1)    

** The following JSC stress test failures have been introduced:
	stress/const-semantics.js.dfg-eager

Results for JSC stress tests:
    1 failure found.

I'm seeing this on an unmodified ASAN release build of ToT r237236.

Comment 1 Radar WebKit Bug Importer 2018-10-17 16:25:24 PDT

<rdar://problem/45355615>

Comment 2 Mark Lam 2018-10-17 16:34:48 PDT

(In reply to Mark Lam from comment #0)
> I'm seeing this on an unmodified ASAN release build of ToT r237236.

Note: I first saw this failure on the JSC EWS bot.  So, ASAN is probably not needed.

Comment 3 Saam Barati 2018-10-18 11:41:42 PDT

(In reply to Mark Lam from comment #2)
> (In reply to Mark Lam from comment #0)
> > I'm seeing this on an unmodified ASAN release build of ToT r237236.
> 
> Note: I first saw this failure on the JSC EWS bot.  So, ASAN is probably not
> needed.

Agreed. I've seen EWS flake on this many times.

Comment 4 Yusuke Suzuki 2019-01-24 13:57:58 PST

Created attachment 360035 [details]
Patch

Comment 5 Michael Saboff 2019-01-24 14:05:01 PST

Comment on attachment 360035 [details]
Patch

r=me

Comment 6 Yusuke Suzuki 2019-01-24 14:37:12 PST

Committed r240449: <https://trac.webkit.org/changeset/240449>

Comment 7 Mark Lam 2019-01-24 14:37:55 PST

Comment on attachment 360035 [details]
Patch

I see the ChangeLog for stress/regress-190693.js but don't see the file itself.  Do you have a missing file?

Comment 8 Mark Lam 2019-01-24 14:47:53 PST

(In reply to Mark Lam from comment #7)
> Comment on attachment 360035 [details]
> Patch
> 
> I see the ChangeLog for stress/regress-190693.js but don't see the file
> itself.  Do you have a missing file?

Correction: it was landed in https://trac.webkit.org/browser/webkit/trunk/JSTests/stress/regress-190693.js?rev=240449, just not included in the patch.  All is well.

Comment 9 Yusuke Suzuki 2019-01-24 14:49:43 PST

(In reply to Mark Lam from comment #8)
> (In reply to Mark Lam from comment #7)
> > Comment on attachment 360035 [details]
> > Patch
> > 
> > I see the ChangeLog for stress/regress-190693.js but don't see the file
> > itself.  Do you have a missing file?
> 
> Correction: it was landed in
> https://trac.webkit.org/browser/webkit/trunk/JSTests/stress/regress-190693.
> js?rev=240449, just not included in the patch.  All is well.

Oops! Sorry. Maybe, I performed `webkit-patch upload --update-changelogs` before doing `git commit`.