The following layout test is crashing on MacOS

workers/bomb.html

Probable cause: This test is known to timeout on some platforms but is now crashing recently. I was able to reproduce the crashing on tip of tree using command:

run-webkit-tests --root testbuild-238565 workers/bomb.html --iterations 500 -f --exit-after-n-crashes 1

I am attempting to find the regression point

Flakiness Dashboard: https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=workers%2Fbomb.html

crash log: https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r238565%20(13016)/workers/bomb-crash-log.txt
This test began crashing with r238525. Running the previous command using a spade of 238525 yields a crash eventually. Running this on 238524 yields no crashes.
https://trac.webkit.org/changeset/238525/webkit
Crashed Thread: 39 WebCore: Worker

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000159325
Exception Note: EXC_CORPSE_NOTIFY

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]

Thread 39 Crashed:: WebCore: Worker
0 com.apple.JavaScriptCore 0x0000000110d59b65 JSC::speculationFromValue(JSC::JSValue) + 213 (SpeculatedType.cpp:477)
1 com.apple.JavaScriptCore 0x0000000110d2c356 JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) + 4950 (CodeBlock.cpp:2577)
2 com.apple.JavaScriptCore 0x0000000110d26386 JSC::CodeBlock::updateAllPredictions() + 22 (CodeBlock.cpp:2624)
3 com.apple.JavaScriptCore 0x000000011112869c operationOptimize + 348 (JITOperations.cpp:1422)
4 ??? 0x000003fdbb2baff5 0 + 4388301811701
5 com.apple.JavaScriptCore 0x0000000110b382c8 llint_entry + 62053
6 com.apple.JavaScriptCore 0x0000000110b28ea9 vmEntryToJavaScript + 200
7 com.apple.JavaScriptCore 0x00000001110ba4e4 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11172 (Interpreter.cpp:832)
8 com.apple.JavaScriptCore 0x00000001112f28a3 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 307 (Completion.cpp:106)
9 com.apple.WebCore 0x000000010cf853c4 WebCore::JSExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 84 (JSExecState.h:80)
10 com.apple.WebCore 0x000000010cfcc19c WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&, WTF::String*) + 156 (WorkerScriptController.cpp:148)
11 com.apple.WebCore 0x000000010cfcc09c WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::String*) + 44 (WorkerScriptController.cpp:131)
12 com.apple.WebCore 0x000000010dba40ac WebCore::WorkerThread::workerThread() + 556 (RefPtr.h:69)
13 com.apple.JavaScriptCore 0x000000011096ac34 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 212 (Threading.cpp:137)
14 com.apple.JavaScriptCore 0x000000011096c7d9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:203)
15 libsystem_pthread.dylib 0x00007fff9e2db93b _pthread_body + 180
16 libsystem_pthread.dylib 0x00007fff9e2db887 _pthread_start + 286
17 libsystem_pthread.dylib 0x00007fff9e2db08d thread_start + 13

Definitely does not look related to https://trac.webkit.org/changeset/238525/webkit. Adding a few JSC people in cc given where it crashes.
This test has been flaky for a while, but something definitely made it crash more frequently in the past 2-3 days.
(In reply to Ryan Haddad from comment #4)
> This test has been flaky for a while, but something definitely made it crash
> more frequently in the past 2-3 days.

My patch may impact how fast you get a new process (by disabling process-prewarming for some clients) but it should not matter here since this test does not create new processes, just dedicated workers.
<rdar://problem/46312674>
This crash is being hit very frequently by the commit queue with workers/bomb.html as well as various inspector and webGL tests.
*** Bug 192269 has been marked as a duplicate of this bug. ***
*** Bug 192245 has been marked as a duplicate of this bug. ***
*** Bug 192244 has been marked as a duplicate of this bug. ***
*** Bug 192243 has been marked as a duplicate of this bug. ***
*** Bug 192239 has been marked as a duplicate of this bug. ***
*** Bug 192238 has been marked as a duplicate of this bug. ***
*** Bug 192237 has been marked as a duplicate of this bug. ***
*** Bug 192235 has been marked as a duplicate of this bug. ***
*** Bug 192225 has been marked as a duplicate of this bug. ***
*** Bug 192221 has been marked as a duplicate of this bug. ***
*** Bug 192220 has been marked as a duplicate of this bug. ***
*** Bug 192219 has been marked as a duplicate of this bug. ***
*** Bug 192218 has been marked as a duplicate of this bug. ***
*** Bug 192202 has been marked as a duplicate of this bug. ***
*** Bug 192199 has been marked as a duplicate of this bug. ***
*** Bug 192196 has been marked as a duplicate of this bug. ***
*** Bug 192195 has been marked as a duplicate of this bug. ***
*** Bug 192194 has been marked as a duplicate of this bug. ***
*** Bug 192188 has been marked as a duplicate of this bug. ***
*** Bug 192187 has been marked as a duplicate of this bug. ***
*** Bug 192186 has been marked as a duplicate of this bug. ***
*** Bug 192177 has been marked as a duplicate of this bug. ***
*** Bug 192176 has been marked as a duplicate of this bug. ***
*** Bug 192146 has been marked as a duplicate of this bug. ***
*** Bug 192145 has been marked as a duplicate of this bug. ***
*** Bug 192144 has been marked as a duplicate of this bug. ***
*** Bug 192142 has been marked as a duplicate of this bug. ***
*** Bug 192141 has been marked as a duplicate of this bug. ***
*** Bug 192140 has been marked as a duplicate of this bug. ***
*** Bug 192139 has been marked as a duplicate of this bug. ***
*** Bug 192125 has been marked as a duplicate of this bug. ***
*** Bug 192104 has been marked as a duplicate of this bug. ***
*** Bug 192098 has been marked as a duplicate of this bug. ***
*** Bug 192103 has been marked as a duplicate of this bug. ***
*** Bug 192095 has been marked as a duplicate of this bug. ***
*** Bug 192096 has been marked as a duplicate of this bug. ***
*** Bug 171985 has been marked as a duplicate of this bug. ***
*** Bug 192072 has been marked as a duplicate of this bug. ***
*** Bug 192065 has been marked as a duplicate of this bug. ***
*** Bug 192064 has been marked as a duplicate of this bug. ***
*** Bug 192063 has been marked as a duplicate of this bug. ***
*** Bug 192058 has been marked as a duplicate of this bug. ***
*** Bug 192057 has been marked as a duplicate of this bug. ***
*** Bug 192052 has been marked as a duplicate of this bug. ***
*** Bug 192051 has been marked as a duplicate of this bug. ***
*** Bug 192048 has been marked as a duplicate of this bug. ***
*** Bug 192047 has been marked as a duplicate of this bug. ***
*** Bug 192043 has been marked as a duplicate of this bug. ***
*** Bug 191992 has been marked as a duplicate of this bug. ***
*** Bug 191991 has been marked as a duplicate of this bug. ***
*** Bug 192311 has been marked as a duplicate of this bug. ***
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356402 on bug 192091.
Bot: webkit-cq-02 Port: <class 'webkitpy.common.config.ports.MacPort'> Platform: Mac OS X 10.12.6
Created attachment 356414 Archive of layout-test-results from webkit-cq-02
*** Bug 192339 has been marked as a duplicate of this bug. ***
*** Bug 192338 has been marked as a duplicate of this bug. ***
*** Bug 192333 has been marked as a duplicate of this bug. ***
*** Bug 192332 has been marked as a duplicate of this bug. ***
The commit-queue just saw inspector/unit-tests/event-listener.html flake (DumpRenderTree crashed) while processing attachment 356454 on bug 192346.
Bot: webkit-cq-02 Port: <class 'webkitpy.common.config.ports.MacPort'> Platform: Mac OS X 10.12.6
Created attachment 356462 Archive of layout-test-results from webkit-cq-02
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356502 on bug 192120.
Bot: webkit-cq-02 Port: <class 'webkitpy.common.config.ports.MacPort'> Platform: Mac OS X 10.12.6
Created attachment 356512 Archive of layout-test-results from webkit-cq-02
*** Bug 192370 has been marked as a duplicate of this bug. ***
*** Bug 192368 has been marked as a duplicate of this bug. ***
*** Bug 192367 has been marked as a duplicate of this bug. ***
*** Bug 192365 has been marked as a duplicate of this bug. ***
*** Bug 192364 has been marked as a duplicate of this bug. ***
*** Bug 192369 has been marked as a duplicate of this bug. ***
*** Bug 192351 has been marked as a duplicate of this bug. ***
*** Bug 192350 has been marked as a duplicate of this bug. ***
*** Bug 192343 has been marked as a duplicate of this bug. ***
*** Bug 192383 has been marked as a duplicate of this bug. ***
*** Bug 192382 has been marked as a duplicate of this bug. ***
I can hit this crash running https://browserbench.org/Speedometer2.0/?suite=VueJS-TodoMVC&iterationCount=1000
*** Bug 192399 has been marked as a duplicate of this bug. ***
*** Bug 192442 has been marked as a duplicate of this bug. ***
*** Bug 192440 has been marked as a duplicate of this bug. ***
*** Bug 192423 has been marked as a duplicate of this bug. ***
*** Bug 192419 has been marked as a duplicate of this bug. ***
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356741 on bug 187554.
Bot: webkit-cq-03 Port: <class 'webkitpy.common.config.ports.MacPort'> Platform: Mac OS X 10.12.6
Created attachment 356744 Archive of layout-test-results from webkit-cq-03
The commit-queue just saw workers/bomb.html flake (DumpRenderTree crashed) while processing attachment 356748 on bug 192409.
Bot: webkit-cq-02 Port: <class 'webkitpy.common.config.ports.MacPort'> Platform: Mac OS X 10.12.6
Created attachment 356758 Archive of layout-test-results from webkit-cq-02
The commit-queue just saw imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/failures_AES-GCM.https.any.html flake (DumpRenderTree crashed) while processing attachment 356762 on bug 192377.
Bot: webkit-cq-02 Port: <class 'webkitpy.common.config.ports.MacPort'> Platform: Mac OS X 10.12.6
Created attachment 356768 Archive of layout-test-results from webkit-cq-02
*** Bug 192475 has been marked as a duplicate of this bug. ***
*** Bug 192476 has been marked as a duplicate of this bug. ***
*** Bug 192477 has been marked as a duplicate of this bug. ***
*** Bug 192488 has been marked as a duplicate of this bug. ***
*** Bug 192485 has been marked as a duplicate of this bug. ***
*** Bug 192484 has been marked as a duplicate of this bug. ***
Created attachment 356847 Patch
Comment on attachment 356847 Patch

r=me
Comment on attachment 356847 Patch

Clearing flags on attachment: 356847

Committed r238997: <https://trac.webkit.org/changeset/238997>
All reviewed patches have been landed. Closing bug.
Comment on attachment 356847 Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=356847&action=review

> Source/JavaScriptCore/ChangeLog:9
> + Although certain platforms don't require the metadata to be aligned,

a nit on wording here -- I think the point here is actually more of:
- Some platforms don't trap on unaligned accesses
- However, *all platforms need* this because no platform we support is atomic on unaligned accesses. Otherwise, we may observe tearing which can lead us to crash.
- This patch aligns all metadata.

> Source/JavaScriptCore/bytecode/Opcode.cpp:-196
> -#if CPU(NEEDS_ALIGNED_ACCESS)

Not pertinent to this patch, but we should really rename this #define. "Needs" is a super convoluted word in this context. "Needs" depends on the workload. We should probably have something along the lines of CPU(TRAPS_ON_UNALIGNED_ACCESSES)
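The alignment point in the review comment above, as an added example (not code from the patch or from WebKit): several metadata tables share one buffer, and packing them back to back leaves wider entries at misaligned addresses, where a load or store is not atomic and another thread can see a torn value. The `table` struct, the function names and the sample sizes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: each table holds `count` entries of `entry_size` bytes
   that must sit on an `entry_align` boundary (hypothetical sizes). */
struct table { size_t entry_size, entry_align, count; };

static const struct table SAMPLE[4] = {
    {1, 1, 3},  /* three 1-byte entries */
    {8, 8, 2},  /* two pointer-sized entries */
    {4, 4, 1},
    {8, 8, 1},
};

/* Round offset up to the next multiple of align (a power of two). */
static size_t round_up(size_t offset, size_t align) {
    return (offset + align - 1) & ~(align - 1);
}

/* Lay the tables out in one buffer. With align_tables == 0 they are packed
   with no padding. Fills starts[] and returns the total size in bytes. */
size_t layout(const struct table *t, size_t n, int align_tables, size_t *starts) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (align_tables)
            off = round_up(off, t[i].entry_align);
        starts[i] = off;
        off += t[i].entry_size * t[i].count;
    }
    return off;
}

/* Count entries whose offset is not a multiple of their alignment.
   Accesses to these are the ones that can tear. */
size_t count_misaligned(const struct table *t, size_t n, const size_t *starts) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < t[i].count; j++)
            if ((starts[i] + j * t[i].entry_size) % t[i].entry_align)
                bad++;
    return bad;
}

int main(void) {
    size_t s[4];
    for (int aligned = 0; aligned <= 1; aligned++) {
        size_t total = layout(SAMPLE, 4, aligned, s);
        printf("%s: %zu bytes, %zu misaligned entries\n",
               aligned ? "aligned" : "packed", total, count_misaligned(SAMPLE, 4, s));
    }
    return 0;
}
```

The packed layout saves 9 bytes on this sample and leaves every multi-byte entry misaligned, which is harmless on a CPU that does not trap until a second thread reads the entry mid-write.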
*** Bug 192506 has been marked as a duplicate of this bug. ***
*** Bug 192505 has been marked as a duplicate of this bug. ***
*** Bug 192882 has been marked as a duplicate of this bug. ***