RESOLVED FIXED 206650
Regression: 30+ web-platform-tests crashing on mac debug wk1
https://bugs.webkit.org/show_bug.cgi?id=206650
Aakash Jain
Comment 1 2020-01-23 04:31:45 PST
Crash seems to be in JSC::DFG::ByteCodeParser

From https://build.webkit.org/results/Apple-Catalina-Debug-WK2-GPUProcess-Tests/r254969%20(402)/imported/w3c/web-platform-tests/resource-timing/idlharness.any.worker-crash-log.txt
1 0x243d4d8f9 WTFCrash
2 0x244485a1b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x24497ef2e JSC::Operand::asBits() const
4 0x2449987a1 JSC::DFG::OpInfo::OpInfo(JSC::Operand)
5 0x24499870d JSC::DFG::OpInfo::OpInfo(JSC::Operand)
6 0x2449bac27 JSC::DFG::ByteCodeParser::setDirect(JSC::Operand, JSC::DFG::Node*, JSC::DFG::ByteCodeParser::SetMode)
7 0x244a02288 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3::operator()(JSC::CodeBlock*) const
8 0x2449b9bfa void JSC::DFG::ByteCodeParser::inlineCall<JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3>(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallVariant, int, int, JSC::InlineCallFrame::Kind, JSC::DFG::BasicBlock*, JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3 const&)
9 0x2449b98d5 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)

From https://build.webkit.org/results/Apple-Catalina-Debug-WK2-GPUProcess-Tests/r254969%20(402)/imported/w3c/web-platform-tests/dom/ranges/Range-mutations-deleteData-crash-log.txt
Thread 8 Crashed:: DFG Worklist Worker Thread
0 com.apple.JavaScriptCore 0x00000004de86b8fe WTFCrash + 14 (Assertions.cpp:305)
1 com.apple.JavaScriptCore 0x00000004defa3a1b WTFCrashWithInfo(int, char const*, char const*, int) + 27
2 com.apple.JavaScriptCore 0x00000004df49cf2e JSC::Operand::asBits() const + 126 (Operands.h:79)
3 com.apple.JavaScriptCore 0x00000004df4b67a1 JSC::DFG::OpInfo::OpInfo(JSC::Operand) + 33 (DFGOpInfo.h:47)
4 com.apple.JavaScriptCore 0x00000004df4b670d JSC::DFG::OpInfo::OpInfo(JSC::Operand) + 29 (DFGOpInfo.h:47)
5 com.apple.JavaScriptCore 0x00000004df4d8c27 JSC::DFG::ByteCodeParser::setDirect(JSC::Operand, JSC::DFG::Node*, JSC::DFG::ByteCodeParser::SetMode) + 55 (DFGByteCodeParser.cpp:386)
6 com.apple.JavaScriptCore 0x00000004df520288 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3::operator()(JSC::CodeBlock*) const + 1176 (DFGByteCodeParser.cpp:1965)
7 com.apple.JavaScriptCore 0x00000004df4d7bfa void JSC::DFG::ByteCodeParser::inlineCall<JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3>
Aakash Jain
Comment 2 2020-01-23 04:35:33 PST
https://trac.webkit.org/changeset/254968/webkit seems like the most likely candidate for the regression.
Yusuke Suzuki
Comment 3 2020-01-23 04:49:06 PST
Radar WebKit Bug Importer
Comment 4 2020-01-23 04:50:14 PST