WebKit Bugzilla
RESOLVED FIXED
Bug 80993: REGRESSION(r110383): ASSERTION failures in JSCell::finishCreation causing multiple tests to "crash" on the Lion Intel Debug Bots
https://bugs.webkit.org/show_bug.cgi?id=80993
Jessie Berlin (Reported 2012-03-13 08:52:56 PDT)
There is a spike in tests that "crash" on the Lion Intel Debug testers after http://trac.webkit.org/changeset/110383:
http://build.webkit.org/old-results/Lion%20Intel%20Debug%20(Tests)/r110381%20(4324)/results.html
http://build.webkit.org/old-results/Lion%20Intel%20Debug%20(Tests)/r110383%20(4325)/results.html
Here is what the log looks like for http://build.webkit.org/old-results/Lion%20Intel%20Debug%20(Tests)/r110383%20(4325)/http/tests/plugins/cross-frame-object-access-crash-log.txt
Process:         DumpRenderTree [84343]
Path:            /Volumes/VOLUME/*/DumpRenderTree
Identifier:      DumpRenderTree
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  Python [83710]

Date/Time:       2012-03-10 17:18:51.815 -0800
OS Version:      Mac OS X 10.7.2 (11C74)
Report Version:  9

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 0000000106316000-00000001063ab000 [ 596K] r-x/rwx SM=COW /Volumes/VOLUME/*

Application Specific Information:
objc[84343]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             0x00000001078afcb4 JSC::JSCell::finishCreation(JSC::JSGlobalData&) + 100 (JSCell.h:180)
1   com.apple.WebCore             0x00000001082389a6 JSC::JSObject::finishCreation(JSC::JSGlobalData&, JSC::WriteBarrierBase<JSC::Unknown>*) + 54 (JSObject.h:246)
2   com.apple.WebCore             0x0000000108230d04 JSC::JSNonFinalObject::finishCreation(JSC::JSGlobalData&) + 52 (JSObject.h:339)
3   com.apple.WebCore             0x0000000108c72067 JSC::Bindings::RuntimeObject::finishCreation(JSC::JSGlobalObject*) + 55 (runtime_object.cpp:48)
4   com.apple.WebKit              0x0000000107111aa7 WebKit::ProxyRuntimeObject::finishCreation(JSC::JSGlobalObject*) + 39 (ProxyRuntimeObject.mm:46)
5   com.apple.WebKit              0x0000000107109181 WebKit::ProxyRuntimeObject::create(JSC::ExecState*, JSC::JSGlobalObject*, WTF::PassRefPtr<WebKit::ProxyInstance>) + 257 (ProxyRuntimeObject.h:49)
6   com.apple.WebKit              0x00000001071075b0 WebKit::ProxyInstance::newRuntimeObject(JSC::ExecState*) + 80 (ProxyInstance.mm:137)
7   com.apple.WebCore             0x00000001078ae635 JSC::Bindings::Instance::createRuntimeObject(JSC::ExecState*) + 341 (BridgeJSC.cpp:97)
8   com.apple.WebCore             0x0000000108541b44 WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) + 244 (JSPluginElementFunctions.cpp:100)
9   com.apple.WebCore             0x0000000108541c95 WebCore::runtimeObjectCustomGetOwnPropertySlot(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&, WebCore::JSHTMLElement*) + 37 (JSPluginElementFunctions.cpp:115)
10  com.apple.WebCore             0x0000000108482a0d WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 45 (JSHTMLObjectElementCustom.cpp:38)
11  com.apple.WebCore             0x000000010847f870 WebCore::JSHTMLObjectElement::getOwnPropertySlot(JSC::JSCell*, JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 272 (JSHTMLObjectElement.cpp:161)
12  com.apple.JavaScriptCore      0x000000010651e546 JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 134 (JSObject.h:562)
13  com.apple.JavaScriptCore      0x0000000106532d9f JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const + 175 (JSObject.h:800)
14  com.apple.JavaScriptCore      0x00000001068f4bc4 llint_slow_path_get_by_id + 228 (LLIntSlowPaths.cpp:865)
15  com.apple.JavaScriptCore      0x00000001068fd7fd llint_op_get_by_id + 127
16  com.apple.JavaScriptCore      0x00000001066d8659 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 121 (JITCode.h:127)
17  com.apple.JavaScriptCore      0x00000001066cfee0 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::ScopeChainNode*, int) + 2432 (Interpreter.cpp:1579)
18  com.apple.JavaScriptCore      0x00000001066cf53c JSC::eval(JSC::ExecState*) + 1484 (Interpreter.cpp:460)
19  com.apple.JavaScriptCore      0x00000001068f8a07 llint_slow_path_call_eval + 471 (LLIntSlowPaths.cpp:1422)
20  com.apple.JavaScriptCore      0x00000001068ff5d1 llint_op_call_eval + 23
21  com.apple.JavaScriptCore      0x00000001066d8659 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 121 (JITCode.h:127)
22  com.apple.JavaScriptCore      0x00000001066d468d JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 5373 (Interpreter.cpp:1198)
23  com.apple.JavaScriptCore      0x00000001065bb152 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 482 (Completion.cpp:73)
24  com.apple.WebCore             0x00000001084c56c1 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 81 (JSMainThreadExecState.h:76)
25  com.apple.WebCore             0x0000000108c8c519 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 489 (ScriptController.cpp:145)
26  com.apple.WebCore             0x0000000108c8c674 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 68 (ScriptController.cpp:163)
27  com.apple.WebCore             0x0000000108c9565c WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&) + 140 (ScriptControllerBase.cpp:68)
28  com.apple.WebCore             0x0000000108c955a4 WebCore::ScriptController::executeScript(WTF::String const&, bool) + 228 (ScriptSourceCode.h:45)
29  com.apple.WebCore             0x0000000108c95844 WebCore::ScriptController::executeIfJavaScriptURL(WebCore::KURL const&, WebCore::ShouldReplaceDocumentIfJavaScriptURL) + 452 (ScriptControllerBase.cpp:90)
30  com.apple.WebCore             0x0000000107e8efec WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WTF::PassRefPtr<WebCore::Event>, bool, bool, WebCore::ShouldSendReferrer, WebCore::ShouldReplaceDocumentIfJavaScriptURL) + 268 (FrameLoader.cpp:273)
31  com.apple.WebCore             0x0000000107e8ee97 WebCore::FrameLoader::changeLocation(WebCore::SecurityOrigin*, WebCore::KURL const&, WTF::String const&, bool, bool, bool) + 359 (FrameLoader.cpp:254)
32  com.apple.WebCore             0x00000001088b5e18 WebCore::ScheduledURLNavigation::fire(WebCore::Frame*) + 296 (NavigationScheduler.cpp:109)
33  com.apple.WebCore             0x00000001088b31cf WebCore::NavigationScheduler::timerFired(WebCore::Timer<WebCore::NavigationScheduler>*) + 175 (NavigationScheduler.cpp:419)
34  com.apple.WebCore             0x00000001088b5243 WebCore::Timer<WebCore::NavigationScheduler>::fired() + 115 (Timer.h:100)
35  com.apple.WebCore             0x0000000108f41397 WebCore::ThreadTimers::sharedTimerFiredInternal() + 311 (ThreadTimers.cpp:118)
36  com.apple.WebCore             0x0000000108f410d9 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94)
37  com.apple.WebCore             0x0000000108d1fa63 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 67 (SharedTimerMac.mm:167)
38  com.apple.CoreFoundation      0x00007fff85e30f84 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
39  com.apple.CoreFoundation      0x00007fff85e30ad6 __CFRunLoopDoTimer + 534
40  com.apple.CoreFoundation      0x00007fff85e11471 __CFRunLoopRun + 1617
41  com.apple.CoreFoundation      0x00007fff85e10ae6 CFRunLoopRunSpecific + 230
42  com.apple.Foundation          0x00007fff8a9f504f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267
43  DumpRenderTree                0x000000010632de19 _ZL7runTestRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE + 5769 (DumpRenderTree.mm:1354)
44  DumpRenderTree                0x000000010632c70a _ZL20runTestingServerLoopv + 282 (DumpRenderTree.mm:817)
45  DumpRenderTree                0x000000010632bf79 dumpRenderTree(int, char const**) + 377 (DumpRenderTree.mm:866)
46  DumpRenderTree                0x000000010632e67c main + 124 (DumpRenderTree.mm:904)
47  DumpRenderTree                0x0000000106318264 start + 52
Attachments
Patch (3.99 KB, patch), 2012-03-14 18:23 PDT, Michael Saboff; mrowe: review+
Radar WebKit Bug Importer (Comment 1, 2012-03-13 08:53:44 PDT)
<rdar://problem/11038097>
Jessie Berlin (Comment 2, 2012-03-13 08:54:35 PDT)
The assertion that is failing appears to be ASSERT(globalData.isInitializingObject()):

inline void JSCell::finishCreation(JSGlobalData& globalData)
{
#if ENABLE(GC_VALIDATION)
    ASSERT(globalData.isInitializingObject());
    globalData.setInitializingObject(false);
#else
    UNUSED_PARAM(globalData);
#endif
    ASSERT(m_structure);
}
Mark Hahnenberg (Comment 3, 2012-03-13 13:27:05 PDT)
I've verified that these failures go away when LLInt is disabled in Platform.h. My guess would be that LLInt is calling allocateCell somewhere but is not calling the corresponding finishCreation, thus causing the next allocation to fail.
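The allocateCell/finishCreation handshake quoted in comment 2, and the two ways it can trip that this thread discusses, as an added C++ model that is not WebKit's code. GlobalData, Cell, Outcome and twoAllocations are constructed stand-ins that only borrow JavaScriptCore's names, and the assumption that the allocator side also asserts the flag is clear before setting it is mine, not something the page states.

```cpp
// Added example, not WebKit code: a model of the GC_VALIDATION handshake from
// comment 2. allocateCell sets an "initializing object" flag on the global
// data; finishCreation asserts the flag is set and clears it. GlobalData,
// Cell and Outcome are constructed stand-ins that only mirror JSC's names.
struct GlobalData { bool initializingObject = false; }; // JSGlobalData stand-in
struct Cell { int structure = 1; };                    // m_structure stand-in

enum class Outcome { Ok, AssertInAllocate, AssertInFinish };

// Allocator side. `validation` is ENABLE(GC_VALIDATION) as seen by the
// translation unit that compiled this function. Assumption: the real
// allocator also asserts that no other cell is still mid-construction.
Cell* allocateCell(GlobalData& gd, bool validation, Outcome& out) {
    if (validation) {
        if (gd.initializingObject) { out = Outcome::AssertInAllocate; return nullptr; }
        gd.initializingObject = true;
    }
    return new Cell;
}

// JSCell::finishCreation from comment 2, each ASSERT turned into an Outcome.
Outcome finishCreation(GlobalData& gd, Cell* cell, bool validation) {
    if (validation) {
        if (!gd.initializingObject) return Outcome::AssertInFinish;
        gd.initializingObject = false;
    }
    return cell->structure ? Outcome::Ok : Outcome::AssertInFinish;
}

// Two allocations in a row. finishFirst=false models comment 3's hypothesis:
// a path that allocates but never calls finishCreation, so the *next*
// allocateCell trips. allocValidation=false with finishValidation=true models
// two translation units that disagree about ENABLE(GC_VALIDATION), e.g.
// because one was built against a stale Platform.h: the allocator never sets
// the flag, so the assertion fires inside finishCreation, as in the crash log.
Outcome twoAllocations(bool allocValidation, bool finishValidation, bool finishFirst) {
    GlobalData gd;
    Outcome out = Outcome::Ok;
    Cell* a = allocateCell(gd, allocValidation, out);
    if (finishFirst) out = finishCreation(gd, a, finishValidation);
    Cell* b = nullptr;
    if (out == Outcome::Ok) b = allocateCell(gd, allocValidation, out);
    if (out == Outcome::Ok) out = finishCreation(gd, b, finishValidation);
    delete a;
    delete b;
    return out;
}
```

The mixed-validation case is the one whose failure lands in finishCreation rather than in the allocator, which is where the crash log above places it.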
Sam Weinig (Comment 4, 2012-03-13 21:32:29 PDT)
Pizlo thinks this will go away with a clean build.
mitz (Comment 5, 2012-03-13 21:49:39 PDT)
(In reply to comment #4)
> Pizlo thinks this will go away with a clean build.

What’s the problem with the build system?
Filip Pizlo (Comment 6, 2012-03-14 01:51:37 PDT)
(In reply to comment #5)
> (In reply to comment #4)
> > Pizlo thinks this will go away with a clean build.
>
> What’s the problem with the build system?

It's totally strange. If you had a checkout and a debug build prior to r110383 and then you updated to r110383 or later and did a build-webkit --debug without blowing away your prior build, you'll end up hitting this assertion.
Jessie Berlin (Comment 7, 2012-03-14 07:52:50 PDT)
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > Pizlo thinks this will go away with a clean build.
> >
> > What’s the problem with the build system?
>
> It's totally strange. If you had a checkout and a debug build prior to r110383 and then you updated to r110383 or later and did a build-webkit --debug without blowing away your prior build, you'll end up hitting this assertion.

This has NOT gone away with a clean build on the Lion Intel Debug WebKit2 Test bots: Tim and I cleaned these bots yesterday evening, and they are still seeing it:
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r110696%20(4895)/http/tests/inspector/network/network-content-replacement-embed-crash-log.txt
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r110696%20(4895)/fast/harness/results-crash-log.txt
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r110696%20(4895)/fast/replaced/invalid-object-with-fallback-crash-log.txt
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r110696%20(4895)/editing/input/reveal-edit-on-paste-vertically-crash-log.txt
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r110696%20(4895)/editing/input/reveal-contenteditable-on-paste-vertically-crash-log.txt
Michael Saboff (Comment 8, 2012-03-14 18:23:51 PDT)
Created attachment 131969 [details]
Patch

Believe the problem is that change set r110383 changed JavaScriptCore/wtf/Platform.h, but for some reason the change wasn't being reflected in all build products. This patch changes the header file search order so that the new location $(BUILT_PRODUCTS_DIR)/usr/local/include is searched before the old location.
Michael Saboff (Comment 9, 2012-03-14 18:28:52 PDT)
Committed r110804: <http://trac.webkit.org/changeset/110804>