Bug 197740 - REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Keith Miller
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-05-09 09:30 PDT by Ryan Haddad
Modified: 2019-05-09 10:56 PDT

See Also:


Attachments
Patch (1.82 KB, patch)
2019-05-09 10:35 PDT, Keith Miller
sbarati: review+

Description Ryan Haddad 2019-05-09 09:30:17 PDT
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: ASSERTION FAILED: m_ptr
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: /Volumes/Data/slave/highsierra-debug/build/WebKitBuild/Debug/usr/local/include/wtf/CagedPtr.h(53) : T *WTF::CagedPtr<Gigacage::Kind::Primitive, void, true, WTF::DumbPtrTraits<void> >::get(unsigned int) const [passedKind = Gigacage::Kind::Primitive, T = void, shouldTag = true, PtrTraits = WTF::DumbPtrTraits<void>]
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 1   0x1059636c9 WTFCrash
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 2   0x1059666ab WTFCrashWithInfo(int, char const*, char const*, int)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 3   0x106ebf85e WTF::CagedPtr<(Gigacage::Kind)1, void, true, WTF::DumbPtrTraits<void> >::get(unsigned int) const
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 4   0x106ead782 JSC::JSArrayBufferView::ConstructionContext::vector() const
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 5   0x106eadbe7 JSC::JSArrayBufferView::JSArrayBufferView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 6   0x105f43920 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::JSGenericTypedArrayView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 7   0x105f436c5 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::JSGenericTypedArrayView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 8   0x105f41b42 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::create(JSC::ExecState*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::DumbPtrTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 9   0x106778d5d JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::ExecState*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 10  0x106778b0a operationNewUint8ArrayWithOneArgument
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 11  0x1572c2cae2d
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 12  0x105e80344 llint_entry
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 13  0x105e80344 llint_entry
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 14  0x105e6d1c3 vmEntryToJavaScript
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 15  0x106aea5ee JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 16  0x106aec524 JSC::Interpreter::executeModuleProgram(JSC::ModuleProgramExecutable*, JSC::ExecState*, JSC::JSModuleEnvironment*)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 17  0x106f50caa JSC::JSModuleRecord::evaluate(JSC::ExecState*)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 18  0x106d70bae JSC::AbstractModuleRecord::evaluate(JSC::ExecState*)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 19  0x106f4d5f5 JSC::JSModuleLoader::evaluateNonVirtual(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 20  0x106f4d548 JSC::JSModuleLoader::evaluate(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 21  0x106f6e331 JSC::moduleLoaderEvaluate(JSC::ExecState*)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 22  0x1572c25716b
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 23  0x105e802b3 llint_entry
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 24  0x105e80344 llint_entry
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 25  0x105e80344 llint_entry
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 26  0x105e802b3 llint_entry
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 27  0x1572c263691
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 28  0x105e6d1c3 vmEntryToJavaScript
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 29  0x106aea5ee JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 30  0x106aeac1f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 31  0x106dbf4ac JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: test_script_51902: line 2: 38013 Segmentation fault: 11  ( "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useIntlPluralRules\=true -m --useWebAssemblyFastMemory\=false --useFTLJIT\=true test_Data.js )


https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20(Tests)/builds/2762
Comment 1 Ryan Haddad 2019-05-09 09:31:54 PDT
Likely caused by "Remove Gigacage from arm64 and use PAC for arm64e instead"
https://trac.webkit.org/changeset/245064/webkit
Comment 2 Radar WebKit Bug Importer 2019-05-09 09:32:06 PDT
<rdar://problem/50624630>
Comment 3 Radar WebKit Bug Importer 2019-05-09 09:32:19 PDT
<rdar://problem/50624640>
Comment 4 Keith Miller 2019-05-09 09:48:06 PDT
Looking now.
Comment 5 Keith Miller 2019-05-09 10:35:05 PDT
Created attachment 369496 [details]
Patch
Comment 6 Saam Barati 2019-05-09 10:39:58 PDT
Comment on attachment 369496 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=369496&action=review

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:138
> +        void* vector() const { return m_vector.getMayBeNull(m_length); }
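
Review bot: switching from get() to getMayBeNull() at JSArrayBufferView.h:138 removes the m_ptr assertion for every caller of vector(), not only the typed-array construction path shown in the trace, and nothing at this line records why a null vector is now legitimate. Suggest a short comment on the accessor (or in the ChangeLog) stating that a view constructed with length 0 has a null vector, so callers must check m_length or the returned pointer before dereferencing, and a regression test that constructs a zero-length Uint8Array under --useWebAssemblyFastMemory=false, the configuration the failing command line above was run with.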

Worth saying why this can be null now in changelog
Comment 7 Keith Miller 2019-05-09 10:52:55 PDT
Comment on attachment 369496 [details]
Patch

Sure, for reference it's because you can construct a typed array with length 0.
Comment 8 Keith Miller 2019-05-09 10:56:52 PDT
Committed r245145: <https://trac.webkit.org/changeset/245145>