Bug 69897 - Layout tests crashing in DFG JIT code
Summary: Layout tests crashing in DFG JIT code
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.6
: P2 Normal
Assignee: Nobody
URL: http://build.webkit.org/results/SnowL...
Keywords: LayoutTestFailure, MakingBotsRed, Regression
Depends on:
Blocks:
 
Reported: 2011-10-11 21:51 PDT by Simon Fraser (smfr)
Modified: 2011-10-12 01:00 PDT (History)
6 users (show)

See Also:

Attachments
the patch for fast/dom/prototype-inheritance-2 (2.04 KB, patch)
2011-10-11 23:21 PDT, Filip Pizlo 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Fraser (smfr) 2011-10-11 21:51:48 PDT 
The following tests are crashing in com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator on the SnowLeopard leaks bot:

fast/canvas/webgl/tex-image-with-format-and-type.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871)
fast/dom/prototype-inheritance-2.html: crash log (com.apple.JavaScriptCore: JSC::DFG::AbstractValue::clobberStructures() + 100)
fast/harness/results.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871)
inspector/debugger/linkifier.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) + 871)
inspector/debugger/script-formatter.html: crash log (com.apple.JavaScriptCore: JSC::DFG::JITCodeGenerator::silentFillGPR(JSC::DFG::VirtualRegister, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID) +
Comment 1 Simon Fraser (smfr) 2011-10-11 21:53:43 PDT 
Most are an assertion in JITCodeGenerator::silentFillGPR:

http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r97218%20(19479)/fast/canvas/webgl/tex-image-with-format-and-type-crash-log.txt
Comment 2 Simon Fraser (smfr) 2011-10-11 22:17:00 PDT 
Also on http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r97221%20(1193)/results.html
fast/dom/prototype-inheritance-2.html
is asserting in JavaScriptCore: JSC::DFG::AbstractValue::clobberStructures() + 125)
Comment 3 Gavin Barraclough 2011-10-11 22:30:07 PDT 
The silentFillGPR regressions are likely my bad; clobberStructures is likely due to Filip's last change.

I'll revert my last patch to get the tree green & investigate in the morning, Filip, I'll leave it up to you to choose whether you want to revert or to just land a fix.
Comment 4 Filip Pizlo 2011-10-11 22:32:00 PDT 
(In reply to comment #3)
> The silentFillGPR regressions are likely my bad; clobberStructures is likely due to Filip's last change.
> 
> I'll revert my last patch to get the tree green & investigate in the morning, Filip, I'll leave it up to you to choose whether you want to revert or to just land a fix.

I'm trying to figure this out right now...
Comment 5 Gavin Barraclough 2011-10-11 23:09:16 PDT 
The silentFillGPR change is reverted in 97235.
Comment 6 Filip Pizlo 2011-10-11 23:21:49 PDT 
Created attachment 110643 [details]
the patch for fast/dom/prototype-inheritance-2
Comment 7 WebKit Review Bot 2011-10-12 01:00:20 PDT 
Comment on attachment 110643 [details]
the patch for fast/dom/prototype-inheritance-2

Clearing flags on attachment: 110643

Committed r97240: <http://trac.webkit.org/changeset/97240>
Comment 8 WebKit Review Bot 2011-10-12 01:00:24 PDT 
All reviewed patches have been landed.  Closing bug.