Bug 223401 - Enhance --verboseVerifyGC=true to make it easier to debug GC verifier errors.
Summary: Enhance --verboseVerifyGC=true to make it easier to debug GC verifier errors.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-03-17 15:44 PDT by Mark Lam
Modified: 2021-03-17 17:05 PDT

See Also:


Attachments
proposed patch. (40.80 KB, patch)
2021-03-17 16:02 PDT, Mark Lam
saam: review+

Description Mark Lam 2021-03-17 15:44:08 PDT
Previously, --verboseVerifyGC=true only dumped the stack trace of the immediate code path (in the verifier GC) that marked the object that the real GC did not.  With this patch, we'll also dump the trace of the marking chain all the way back to a root.  This patch also adds support for tracing the marking chain through opaque roots.

Here's an example of the new dump of a GC verifier error:

    GC Verifier: ERROR cell 0x12c570500 was not marked
    Object: 0x12c570500 with butterfly 0x0 (Structure 0x108eb6d10:[0x3ba8, ArrayBuffer, {}, NonArray, Proto:0x108ed7d90, Leaf]), StructureID: 15272
    Cell 0x12c570500 was visited via opaque root 0x10e4b52c0 at:
        1   0x100acccdc JSC::VerifierSlotVisitor::appendUnbarriered(JSC::JSCell*)
        2   0x100ad0c2f void JSC::WeakBlock::specializedVisit<JSC::MarkedBlock, JSC::AbstractSlotVisitor>(JSC::MarkedBlock&, JSC::AbstractSlotVisitor&)
        3   0x100abec2b void JSC::MarkedSpace::visitWeakSets<JSC::AbstractSlotVisitor>(JSC::AbstractSlotVisitor&)
        4   0x100aa5167 WTF::Detail::CallableWrapper<JSC::Heap::addCoreConstraints()::$_38, void, JSC::AbstractSlotVisitor&>::call(JSC::AbstractSlotVisitor&)
        5   0x100ac1411 JSC::MarkingConstraintSet::executeAllSynchronously(JSC::AbstractSlotVisitor&)
        6   0x100a9bd7b JSC::Heap::verifyGC()
        7   0x100a9b2f7 JSC::Heap::runEndPhase(JSC::GCConductor)
        8   0x100a99434 JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
        9   0x100aa332d WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
        10  0x100ab8794 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
        11  0x100a9d2cd JSC::Heap::collectInMutatorThread()
        12  0x100a99217 JSC::Heap::waitForCollection(unsigned long long)
        13  0x100a98cb1 JSC::Heap::collectNow(JSC::Synchronousness, JSC::GCRequest)
        14  0x100ab7b4d JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
        15  0x100ec0785 void* JSC::allocateCell<JSC::JSDataView>(JSC::Heap&, unsigned long)
        16  0x100ec0629 JSC::JSDataView::create(JSC::JSGlobalObject*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int)
        17  0x100f893d6 JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSDataView>(JSC::JSGlobalObject*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>)
        18  0x100f731dc JSC::constructDataView(JSC::JSGlobalObject*, JSC::CallFrame*)
        19  0x5e4a38a010c7
        20  0x5e4a38a02095
        21  0x1004888d6 vmEntryToJavaScript
        22  0x100b83690 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
        23  0x100e39a82 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
        24  0x100007606 jscmain(int, char**)
        25  0x10000644b main

    In the real GC, opaque root0x10e4b52c0 was NOT added to the heap's opaque roots.
    Opaque root 0x10e4b52c0 was added via cell 0x12c577720 at:
        1   0x100ea4fc9 JSC::JSArrayBufferView::visitChildren(JSC::JSCell*, JSC::AbstractSlotVisitor&)
        2   0x100acd4e9 JSC::VerifierSlotVisitor::drain()
        3   0x100a9bd48 JSC::Heap::verifyGC()
        4   0x100a9b2f7 JSC::Heap::runEndPhase(JSC::GCConductor)
        5   0x100a99434 JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
        6   0x100aa332d WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
        7   0x100ab8794 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
        8   0x100a9d2cd JSC::Heap::collectInMutatorThread()
        9   0x100a99217 JSC::Heap::waitForCollection(unsigned long long)
        10  0x100a98cb1 JSC::Heap::collectNow(JSC::Synchronousness, JSC::GCRequest)
        11  0x100ab7b4d JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
        12  0x100ec0785 void* JSC::allocateCell<JSC::JSDataView>(JSC::Heap&, unsigned long)
        13  0x100ec0629 JSC::JSDataView::create(JSC::JSGlobalObject*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int)
        14  0x100f893d6 JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSDataView>(JSC::JSGlobalObject*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>)
        15  0x100f731dc JSC::constructDataView(JSC::JSGlobalObject*, JSC::CallFrame*)
        16  0x5e4a38a010c7
        17  0x5e4a38a02095
        18  0x1004888d6 vmEntryToJavaScript
        19  0x100b83690 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
        20  0x100e39a82 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
        21  0x100007606 jscmain(int, char**)
        22  0x10000644b main
        23  0x7fff203b4f3d start

    Object: 0x12c577720 with butterfly 0x0 (Structure 0x108eb6e60:[0xe135, DataView, {}, NonArray, Proto:0x108ed7da0, Leaf]), StructureID: 57653
    Cell 0x12c577720 was visited via cell 0x108b528e8 at:
        1   0x100acccdc JSC::VerifierSlotVisitor::appendUnbarriered(JSC::JSCell*)
        2   0x100f1623c JSC::JSObject::visitChildren(JSC::JSCell*, JSC::AbstractSlotVisitor&)
        3   0x100acd4e9 JSC::VerifierSlotVisitor::drain()
        4   0x100a9bd48 JSC::Heap::verifyGC()
        5   0x100a9b2f7 JSC::Heap::runEndPhase(JSC::GCConductor)
        6   0x100a99434 JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
        7   0x100aa332d WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
        8   0x100ab8794 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
        9   0x100a9d2cd JSC::Heap::collectInMutatorThread()
        10  0x100a99217 JSC::Heap::waitForCollection(unsigned long long)
        11  0x100a98cb1 JSC::Heap::collectNow(JSC::Synchronousness, JSC::GCRequest)
        12  0x100ab7b4d JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
        13  0x100ec0785 void* JSC::allocateCell<JSC::JSDataView>(JSC::Heap&, unsigned long)
        14  0x100ec0629 JSC::JSDataView::create(JSC::JSGlobalObject*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int)
        15  0x100f893d6 JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSDataView>(JSC::JSGlobalObject*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>)
        16  0x100f731dc JSC::constructDataView(JSC::JSGlobalObject*, JSC::CallFrame*)
        17  0x5e4a38a010c7
        18  0x5e4a38a02095
        19  0x1004888d6 vmEntryToJavaScript
        20  0x100b83690 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
        21  0x100e39a82 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
        22  0x100007606 jscmain(int, char**)
        23  0x10000644b main

    Object: 0x108b528e8 with butterfly 0x1806e93070 (Structure 0x108efb090:[0xde87, Array, {}, ArrayWithContiguous, Proto:0x108baf5e8]), StructureID: 56967
    Cell 0x108b528e8 was visited via cell 0x108e8fcc0 at:
        1   0x100accdd8 JSC::VerifierSlotVisitor::appendUnbarriered(JSC::JSCell*)
        2   0x10070634e void JSC::CodeBlock::stronglyVisitWeakReferences<JSC::AbstractSlotVisitor>(JSC::ConcurrentJSLocker const&, JSC::AbstractSlotVisitor&)
        3   0x1006eacd7 JSC::CodeBlock::visitChildren(JSC::JSCell*, JSC::AbstractSlotVisitor&)
        4   0x100acd4e9 JSC::VerifierSlotVisitor::drain()
        5   0x100a9bd48 JSC::Heap::verifyGC()
        6   0x100a9b2f7 JSC::Heap::runEndPhase(JSC::GCConductor)
        7   0x100a99434 JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
        8   0x100aa332d WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
        9   0x100ab8794 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
        10  0x100a9d2cd JSC::Heap::collectInMutatorThread()
        11  0x100a99217 JSC::Heap::waitForCollection(unsigned long long)
        12  0x100a98cb1 JSC::Heap::collectNow(JSC::Synchronousness, JSC::GCRequest)
        13  0x100ab7b4d JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
        14  0x100ec0785 void* JSC::allocateCell<JSC::JSDataView>(JSC::Heap&, unsigned long)
        15  0x100ec0629 JSC::JSDataView::create(JSC::JSGlobalObject*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int)
        16  0x100f893d6 JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSDataView>(JSC::JSGlobalObject*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>)
        17  0x100f731dc JSC::constructDataView(JSC::JSGlobalObject*, JSC::CallFrame*)
        18  0x5e4a38a010c7
        19  0x5e4a38a02095
        20  0x1004888d6 vmEntryToJavaScript
        21  0x100b83690 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
        22  0x100e39a82 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
        23  0x100007606 jscmain(int, char**)
        24  0x10000644b main

    Cell: 0x108e8fcc0 (0x108ef8c40:[0xc0e7, ProgramCodeBlock, {}, NonArray, Leaf]), StructureID: 49383
    Cell 0x108e8fcc0 was visited from scan of ConservativeScan roots at:
        1   0x100accaf8 JSC::VerifierSlotVisitor::append(JSC::ConservativeRoots const&)
        2   0x100aa42a2 WTF::Detail::CallableWrapper<JSC::Heap::addCoreConstraints()::$_31, void, JSC::SlotVisitor&>::call(JSC::SlotVisitor&)
        3   0x100ac1db2 JSC::MarkingConstraintSolver::runExecutionThread(JSC::SlotVisitor&, JSC::MarkingConstraintSolver::SchedulerPreference, WTF::ScopedLambda<WTF::Optional<unsigned int> ()>)
        4   0x100a9f2de JSC::Heap::runTaskInParallel(WTF::RefPtr<WTF::SharedTask<void (JSC::SlotVisitor&)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::SlotVisitor&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::SlotVisitor&)> > >)
        5   0x100ac188f JSC::MarkingConstraintSolver::execute(JSC::MarkingConstraintSolver::SchedulerPreference, WTF::ScopedLambda<WTF::Optional<unsigned int> ()>)
        6   0x100ac125c JSC::MarkingConstraintSet::executeConvergenceImpl(JSC::SlotVisitor&)
        7   0x100ac0f9b JSC::MarkingConstraintSet::executeConvergence(JSC::SlotVisitor&)
        8   0x100a99f24 JSC::Heap::runFixpointPhase(JSC::GCConductor)
        9   0x100a99418 JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
        10  0x100aa332d WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
        11  0x100ab8794 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
        12  0x100a9d2cd JSC::Heap::collectInMutatorThread()
        13  0x100a99217 JSC::Heap::waitForCollection(unsigned long long)
        14  0x100a98cb1 JSC::Heap::collectNow(JSC::Synchronousness, JSC::GCRequest)
        15  0x100ab7b4d JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
        16  0x100ec0785 void* JSC::allocateCell<JSC::JSDataView>(JSC::Heap&, unsigned long)
        17  0x100ec0629 JSC::JSDataView::create(JSC::JSGlobalObject*, JSC::Structure*, WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&, unsigned int, unsigned int)
        18  0x100f893d6 JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSDataView>(JSC::JSGlobalObject*, JSC::Structure*, long long, unsigned int, WTF::Optional<unsigned int>)
        19  0x100f731dc JSC::constructDataView(JSC::JSGlobalObject*, JSC::CallFrame*)
        20  0x5e4a38a010c7
        21  0x5e4a38a02095
        22  0x1004888d6 vmEntryToJavaScript
        23  0x100b83690 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
        24  0x100e39a82 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
        25  0x100007606 jscmain(int, char**)
        26  0x10000644b main

Note that in this example, the stack trace was for an opaque root, and the verifier also noted that the opaque root (which was added for the verifier GC) was not added for the real GC.  This pointed to the bug that caused the error (this bug was fixed in https://bugs.webkit.org/show_bug.cgi?id=223241).
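As an added illustration (not WebKit's code) of what the enhanced dump walks: a small C++ model that records, for each cell the verifier marks, what it was visited from (a conservative-scan root, another cell, or an opaque root) and which cell added each opaque root, then walks an unmarked cell back to its root, flagging an opaque root the real GC never added, as the dump above does. The class and function names are hypothetical; the addresses in the constructed scenario are copied from the dump above.

```cpp
// Added example (not WebKit code): model of the marking-chain provenance the enhanced dump walks back to a root.
#include <cstdint>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>
enum class Via { ConservativeScan, Cell, OpaqueRoot };
struct Provenance { Via via; uintptr_t parent; };  // parent: the cell or opaque root that caused the visit
static std::string hexAddr(uintptr_t p) { std::ostringstream s; s << "0x" << std::hex << p; return s.str(); }
class VerifierChain {  // hypothetical name; records what the verifier GC saw while marking
public:
    void visitedFromConservativeScan(uintptr_t cell) { m_prov[cell] = { Via::ConservativeScan, 0 }; }
    void visitedViaCell(uintptr_t cell, uintptr_t from) { m_prov[cell] = { Via::Cell, from }; }
    void visitedViaOpaqueRoot(uintptr_t cell, uintptr_t root) { m_prov[cell] = { Via::OpaqueRoot, root }; }
    void opaqueRootAddedBy(uintptr_t root, uintptr_t cell) { m_rootAddedBy[root] = cell; }
    // Walk the chain from an unmarked cell back to a root; also flag opaque roots the real GC never added.
    std::vector<std::string> explain(uintptr_t cell, const std::set<uintptr_t>& realGCOpaqueRoots) const {
        std::vector<std::string> lines;
        std::set<uintptr_t> seen;  // stops the walk if a buggy record forms a cycle
        for (uintptr_t cur = cell; seen.insert(cur).second;) {
            auto it = m_prov.find(cur);
            if (it == m_prov.end()) { lines.push_back("Cell " + hexAddr(cur) + " has no recorded visit"); break; }
            Provenance p = it->second;
            if (p.via == Via::ConservativeScan) { lines.push_back("Cell " + hexAddr(cur) + " was visited from scan of ConservativeScan roots"); break; }
            if (p.via == Via::Cell) { lines.push_back("Cell " + hexAddr(cur) + " was visited via cell " + hexAddr(p.parent)); cur = p.parent; continue; }
            lines.push_back("Cell " + hexAddr(cur) + " was visited via opaque root " + hexAddr(p.parent));
            if (!realGCOpaqueRoots.count(p.parent))
                lines.push_back("In the real GC, opaque root " + hexAddr(p.parent) + " was NOT added to the heap's opaque roots");
            auto r = m_rootAddedBy.find(p.parent);
            if (r == m_rootAddedBy.end()) { lines.push_back("Opaque root " + hexAddr(p.parent) + " has no recorded adder"); break; }
            lines.push_back("Opaque root " + hexAddr(p.parent) + " was added via cell " + hexAddr(r->second));
            cur = r->second;  // continue from the cell that added the opaque root
        }
        return lines;
    }
private:
    std::map<uintptr_t, Provenance> m_prov;
    std::map<uintptr_t, uintptr_t> m_rootAddedBy;
};
// Constructed scenario with the addresses from the dump above; the real GC is given no opaque roots.
std::vector<std::string> sampleChain() {
    VerifierChain v;
    v.visitedFromConservativeScan(0x108e8fcc0);          // ProgramCodeBlock found by conservative scan
    v.visitedViaCell(0x108b528e8, 0x108e8fcc0);          // Array reached from the CodeBlock
    v.visitedViaCell(0x12c577720, 0x108b528e8);          // DataView reached from the Array
    v.opaqueRootAddedBy(0x10e4b52c0, 0x12c577720);       // DataView's visitChildren added the opaque root
    v.visitedViaOpaqueRoot(0x12c570500, 0x10e4b52c0);    // ArrayBuffer kept alive only via that opaque root
    return v.explain(0x12c570500, {});
}
```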
Comment 1 Mark Lam 2021-03-17 15:49:24 PDT
> Note that in this example, the stack trace was for an opaque root, and the verifier also noted that the opaque root (which was added for the verifier GC) was not added for the real GC.  This pointed to the bug that caused the error (this bug was fixed in https://bugs.webkit.org/show_bug.cgi?id=223241).

I meant "the 2nd stack trace".
Comment 2 Mark Lam 2021-03-17 16:02:21 PDT
Created attachment 423533
proposed patch.
Comment 3 Mark Lam 2021-03-17 17:04:37 PDT
Thanks for the review.  Landed in r274601: <http://trac.webkit.org/r274601>.
Comment 4 Radar WebKit Bug Importer 2021-03-17 17:05:19 PDT
<rdar://problem/75551237>