NEW 278738
[ Sonoma wk2 x86_64]: fast/canvas/image-buffer-backend-variants.html is a flaky crash. 
https://bugs.webkit.org/show_bug.cgi?id=278738
Summary [ Sonoma wk2 x86_64]: fast/canvas/image-buffer-backend-variants.html is a fla...
Anfernee Viduya
Reported 2024-08-27 11:45:39 PDT
fast/canvas/image-buffer-backend-variants.html has been a flaky crash. HISTORY: https://results.webkit.org/?platform=mac&suite=layout-tests&test=fast%2Fcanvas%2Fimage-buffer-backend-variants.html SYMBOLICATED LOG: 0 com.apple.JavaScriptCore 0x59be75778 WTFCrashWithInfoImpl(int, char const*, char const*, int, unsigned long long) 1 com.apple.JavaScriptCore 0x59c3ccd26 JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, JSC::JITCompilationEffort) 2 com.apple.JavaScriptCore 0x59cba2fa4 JSC::JIT::compileAndLinkWithoutFinalizing(JSC::JITCompilationEffort) 3 com.apple.JavaScriptCore 0x59cb8633c JSC::BaselineJITPlan::compileInThreadImpl(JSC::JITCompilationEffort) 4 com.apple.JavaScriptCore 0x59cc7aefe JSC::JITPlan::compileInThread(JSC::JITWorklistThread*) LINK: https://build.webkit.org/results/Apple-Sonoma-Release-WK2-Tests/282788@main%20(4335)/fast/canvas/image-buffer-backend-variants-crash-log.txt REPRODUCIBILITY: Currently I am setting up a machine that can reproduce this crash. Will Update bug when updated. DESCRIPTION: This test has been crashing on this queue for some time now. No exact regression point was determined.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-08-27 11:45:48 PDT
<rdar://problem/134796136>
EWS
Comment 2 2024-08-27 12:01:49 PDT
Test gardening commit 282808@main (a1ca824c11c2): <https://commits.webkit.org/282808@main> Reviewed commits have been landed. Closing PR #32775 and removing active labels.
Anfernee Viduya
Comment 3 2024-08-27 13:22:16 PDT
REPRODUCIBILITY: I was able to reproduce this issue on ToT using command. run-webkit-test fast/canvas/image-buffer-backend-variants.html --iterations=10
Fujii Hironori
Comment 4 2024-08-27 13:34:24 PDT
The release assertion fails in performJITMemcpy: > RELEASE_ASSERT(runLength <= maxZeroByteRunLength, buffer);
Kimmo Kinnunen
Comment 5 2024-09-02 05:57:45 PDT
Marcus, could you take a look. Is the added release assert exposing an older issue or is it a problem from the commit in bug 276913?
Marcus Plutowski
Comment 6 2024-09-03 10:54:20 PDT
I'll take a look. This assert firing means that the AssemblerBuffer (where we emit code before it gets linked) contains an unexpectedly long string of 0s -- 16 or more, which should not be valid x86 ASM. A few questions: 1. Does this reproduce locally, or just on the test runner? 2. Does this reproduce when run alone, or only when run as part of a large batch of tests running in parallel? 3. Is it possible for me to see the .ips files which resulted from the crashes in the link https://results.webkit.org/?platform=mac&suite=layout-tests&test=fast%2Fcanvas%2Fimage-buffer-backend-variants.html ?
Anfernee Viduya
Comment 7 2024-09-03 11:08:56 PDT
(In reply to Marcus Plutowski from comment #6) > 1. Does this reproduce locally, or just on the test runner? It reproduces locally on specified machine configurations > 2. Does this reproduce when run alone, or only when run as part of a large > batch of tests running in parallel? It does reproduce on its own, not needing a test batch to crash. > 3. Is it possible for me to see the .ips files which resulted from the > crashes in the link > https://results.webkit.org/?platform=mac&suite=layout- > tests&test=fast%2Fcanvas%2Fimage-buffer-backend-variants.html ? I'll try to get that file.
Note You need to log in before you can comment on or make changes to this bug.