197740 – REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory

RESOLVED FIXED Bug 197740

REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory

https://bugs.webkit.org/show_bug.cgi?id=197740

Summary REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api...

Ryan Haddad

Reported 2019-05-09 09:30:17 PDT

wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: ASSERTION FAILED: m_ptr wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: /Volumes/Data/slave/highsierra-debug/build/WebKitBuild/Debug/usr/local/include/wtf/CagedPtr.h(53) : T *WTF::CagedPtr<Gigacage::Kind::Primitive, void, true, WTF::DumbPtrTraits<void> >::get(unsigned int) const [passedKind = Gigacage::Kind::Primitive, T = void, shouldTag = true, PtrTraits = WTF::DumbPtrTraits<void>] wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 1 0x1059636c9 WTFCrash wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 2 0x1059666ab WTFCrashWithInfo(int, char const*, char const*, int) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 3 0x106ebf85e WTF::CagedPtr<(Gigacage::Kind)1, void, true, WTF::DumbPtrTraits<void> >::get(unsigned int) const wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 4 0x106ead782 JSC::JSArrayBufferView::ConstructionContext::vector() const wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 5 0x106eadbe7 JSC::JSArrayBufferView::JSArrayBufferView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 6 0x105f43920 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::JSGenericTypedArrayView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 7 0x105f436c5 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::JSGenericTypedArrayView(JSC::VM&, JSC::JSArrayBufferView::ConstructionContext&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 8 0x105f41b42 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::create(JSC::ExecState*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::DumbPtrTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 9 0x106778d5d JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::ExecState*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 10 0x106778b0a operationNewUint8ArrayWithOneArgument wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 11 0x1572c2cae2d wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 12 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 13 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 14 0x105e6d1c3 vmEntryToJavaScript wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 15 0x106aea5ee JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 16 0x106aec524 JSC::Interpreter::executeModuleProgram(JSC::ModuleProgramExecutable*, JSC::ExecState*, JSC::JSModuleEnvironment*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 17 0x106f50caa JSC::JSModuleRecord::evaluate(JSC::ExecState*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 18 0x106d70bae JSC::AbstractModuleRecord::evaluate(JSC::ExecState*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 19 0x106f4d5f5 JSC::JSModuleLoader::evaluateNonVirtual(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 20 0x106f4d548 JSC::JSModuleLoader::evaluate(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 21 0x106f6e331 JSC::moduleLoaderEvaluate(JSC::ExecState*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 22 0x1572c25716b wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 23 0x105e802b3 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 24 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 25 0x105e80344 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 26 0x105e802b3 llint_entry wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 27 0x1572c263691 wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 28 0x105e6d1c3 vmEntryToJavaScript wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 29 0x106aea5ee JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 30 0x106aeac1f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: 31 0x106dbf4ac JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory: test_script_51902: line 2: 38013 Segmentation fault: 11 ( "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useIntlPluralRules\=true -m --useWebAssemblyFastMemory\=false --useFTLJIT\=true test_Data.js ) https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20(Tests)/builds/2762

Attachments
Patch (1.82 KB, patch) 2019-05-09 10:35 PDT, Keith Miller	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Ryan Haddad

Comment 1 2019-05-09 09:31:54 PDT

Likely caused by "Remove Gigacage from arm64 and use PAC for arm64e instead" https://trac.webkit.org/changeset/245064/webkit

Radar WebKit Bug Importer

Comment 2 2019-05-09 09:32:06 PDT

<rdar://problem/50624630>

Radar WebKit Bug Importer

Comment 3 2019-05-09 09:32:19 PDT

<rdar://problem/50624640>

Keith Miller

Comment 4 2019-05-09 09:48:06 PDT

Looking now.

Keith Miller

Comment 5 2019-05-09 10:35:05 PDT

Created attachment 369496 [details] Patch

Saam Barati

Comment 6 2019-05-09 10:39:58 PDT

Comment on attachment 369496 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=369496&action=review > Source/JavaScriptCore/runtime/JSArrayBufferView.h:138 > + void* vector() const { return m_vector.getMayBeNull(m_length); } Worth saying why this can be null now in changelog

Keith Miller

Comment 7 2019-05-09 10:52:55 PDT

Comment on attachment 369496 [details] Patch Sure, for reference it's because you can construct a typed array with length 0.

Keith Miller

Comment 8 2019-05-09 10:56:52 PDT

Committed r245145: <https://trac.webkit.org/changeset/245145>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Keith Miller

Reported

2019-05-09 09:30 PDT

Modified

2019-05-09 10:56 PDT History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks