WebKit Bugzilla
RESOLVED FIXED
95398
ASSERTION FAILURE in JSC::JSGlobalData::float32ArrayDescriptor when running fast/js/dfg-float64array.html
https://bugs.webkit.org/show_bug.cgi?id=95398
Jessie Berlin
Reported
2012-08-29 16:25:24 PDT
The prime suspect on this one is http://trac.webkit.org/changeset/126387, although current history does not allow me to look that far back to confirm my suspicions.

I suspect the same underlying issue is also affecting

fast/js/dfg-int32array.html
fast/js/dfg-float32array.html
fast/js/dfg-uint8clampedarray.html
fast/js/dfg-poison-fuzz.html
fast/js/dfg-float64array.html
fast/js/dfg-int32array-overflow-values.html
fast/js/dfg-inline-function-dot-caller.html

because the crash log links for them are all like "no crash log found for WebProcess:31005. Process failed to become responsive before timing out."
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r126586%20(192)/fast/js/dfg-float64array-crash-log.txt
Process: WebProcess [31395]
Path: /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier: com.apple.WebProcess
Version: 537+ (537.6+)
Code Type: X86-64 (Native)
Parent Process: WebKitTestRunner [31394]
User ID: 501

Date/Time: 2012-08-24 08:40:09.699 -0700
OS Version: Mac OS X 10.8 (12A269)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 000000010de25000-000000010de26000 [ 4K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010efacd5c JSC::JSGlobalData::float32ArrayDescriptor() const + 92 (JSGlobalData.h:430)
1 com.apple.JavaScriptCore 0x000000010ef9c01d JSC::DFG::SpeculativeJIT::typedArrayDescriptor(JSC::DFG::Array::Mode) + 349 (DFGSpeculativeJIT.cpp:292)
2 com.apple.JavaScriptCore 0x000000010ef9c08b JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID) + 43 (DFGSpeculativeJIT.cpp:300)
3 com.apple.JavaScriptCore 0x000000010efd0697 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) + 12727 (DFGSpeculativeJIT64.cpp:2543)
4 com.apple.JavaScriptCore 0x000000010efa0040 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) + 2992 (DFGSpeculativeJIT.cpp:1377)
5 com.apple.JavaScriptCore 0x000000010efa1ac8 JSC::DFG::SpeculativeJIT::compile() + 248 (DFGSpeculativeJIT.cpp:1585)
6 com.apple.JavaScriptCore 0x000000010ef6f8c9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) + 25 (DFGJITCompiler.cpp:91)
7 com.apple.JavaScriptCore 0x000000010ef70b6a JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 314 (DFGJITCompiler.cpp:270)
8 com.apple.JavaScriptCore 0x000000010ef61690 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) + 1472 (DFGDriver.cpp:154)
9 com.apple.JavaScriptCore 0x000000010ef610bc JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) + 60 (DFGDriver.cpp:172)
10 com.apple.JavaScriptCore 0x000000010effaff9 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::SharedSymbolTable*&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) + 249 (JITDriver.h:95)
11 com.apple.JavaScriptCore 0x000000010effb992 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::SharedSymbolTable*&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) + 290 (ExecutionHarness.h:64)
12 com.apple.JavaScriptCore 0x000000010eff789a JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) + 810 (Executable.cpp:532)
13 com.apple.JavaScriptCore 0x000000010eff74fb JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) + 331 (Executable.cpp:442)
14 com.apple.JavaScriptCore 0x000000010eee9050 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int, JSC::CodeSpecializationKind) + 336 (Executable.h:611)
15 com.apple.JavaScriptCore 0x000000010eee1e3e JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) + 158 (CodeBlock.cpp:2744)
16 com.apple.JavaScriptCore 0x000000010f0544ec cti_optimize + 284 (JITStubs.cpp:2025)
17 com.apple.JavaScriptCore 0x000000010f05be10 0x10ee66000 + 2055696
18 com.apple.JavaScriptCore 0x000000010f022a24 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:133)
19 com.apple.JavaScriptCore 0x000000010f01edb2 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 4866 (Interpreter.cpp:1250)
20 com.apple.JavaScriptCore 0x000000010ef038cc JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 492 (Completion.cpp:75)
21 com.apple.WebCore 0x00000001108f943a WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 90 (JSMainThreadExecState.h:77)
22 com.apple.WebCore 0x00000001110a3192 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 370 (ScriptController.cpp:148)
23 com.apple.WebCore 0x00000001110a32c4 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 68 (ScriptController.cpp:165)
24 com.apple.WebCore 0x00000001110bb1f6 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 742 (ScriptElement.cpp:301)
25 com.apple.WebCore 0x0000000110497999 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 361 (HTMLScriptRunner.cpp:139)
26 com.apple.WebCore 0x0000000110497816 WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 438 (HTMLScriptRunner.cpp:118)
27 com.apple.WebCore 0x0000000110498021 WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 97 (HTMLScriptRunner.cpp:190)
28 com.apple.WebCore 0x000000011049819d WebCore::HTMLScriptRunner::executeScriptsWaitingForLoad(WebCore::CachedResource*) + 365 (HTMLScriptRunner.cpp:200)
29 com.apple.WebCore 0x000000011040d432 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 290 (HTMLDocumentParser.cpp:515)
30 com.apple.WebCore 0x000000011040d4af non-virtual thunk to WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 47
31 com.apple.WebCore 0x000000010fd7334d WebCore::CachedResource::checkNotify() + 109 (CachedResource.cpp:248)
32 com.apple.WebCore 0x000000010fd8f2bb WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 187 (CachedScript.cpp:91)
33 com.apple.WebCore 0x000000011126cd7c WebCore::SubresourceLoader::didFinishLoading(double) + 524 (SubresourceLoader.cpp:298)
34 com.apple.WebCore 0x000000011105f3a5 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 53 (ResourceLoader.cpp:442)
35 com.apple.WebCore 0x000000011105bfea -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 186 (ResourceHandleMac.mm:861)
36 com.apple.Foundation 0x00007fff88cd11e8 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
37 com.apple.Foundation 0x00007fff88cd112c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
38 com.apple.Foundation 0x00007fff88cd1028 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
39 com.apple.CFNetwork 0x00007fff89450181 ___delegate_didFinishLoading_block_invoke_0 + 40
40 com.apple.CFNetwork 0x00007fff894426fa ___withDelegateAsync_block_invoke_0 + 90
41 com.apple.CFNetwork 0x00007fff894d25ca __block_global_1 + 28
42 com.apple.CoreFoundation 0x00007fff8e2ade44 CFArrayApplyFunction + 68
43 com.apple.CFNetwork 0x00007fff89433894 RunloopBlockContext::perform() + 124
44 com.apple.CFNetwork 0x00007fff8943376b MultiplexerSource::perform() + 221
45 com.apple.CoreFoundation 0x00007fff8e28f841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
46 com.apple.CoreFoundation 0x00007fff8e28f165 __CFRunLoopDoSources0 + 245
47 com.apple.CoreFoundation 0x00007fff8e2b24e5 __CFRunLoopRun + 789
48 com.apple.CoreFoundation 0x00007fff8e2b1dd2 CFRunLoopRunSpecific + 290
49 com.apple.HIToolbox 0x00007fff896db774 RunCurrentEventLoopInMode + 209
50 com.apple.HIToolbox 0x00007fff896db512 ReceiveNextEventCommon + 356
51 com.apple.HIToolbox 0x00007fff896db3a3 BlockUntilNextEventMatchingListInMode + 62
52 com.apple.AppKit 0x00007fff881dffa3 _DPSNextEvent + 685
53 com.apple.AppKit 0x00007fff881df862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
54 com.apple.AppKit 0x00007fff881d6c03 -[NSApplication run] + 517
55 com.apple.WebCore 0x0000000111086dfc WebCore::RunLoop::run() + 92 (RunLoopMac.mm:37)
56 com.apple.WebKit2 0x000000010e15e40a WebKit::WebProcessMain(WebKit::CommandLine const&) + 3386 (WebProcessMainMac.mm:228)
57 com.apple.WebKit2 0x000000010e06f418 WebKitMain(WebKit::CommandLine const&) + 200 (WebKitMain.cpp:50)
58 com.apple.WebKit2 0x000000010e06f334 WebKitMain + 148 (WebKitMain.cpp:74)
59 com.apple.WebProcess 0x000000010de25da2 main + 274
60 libdyld.dylib 0x00007fff89da77e1 start + 1
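A triage example for the crash report above, added here and not part of the original bug report or of WebKit's own tooling: it parses the exception header and the crashed thread's backtrace, and flags the `0xbbadbeef` fault address, which WebKit's `CRASH()` macro writes to deliberately when an assertion fails, so the report can be told apart from a fault at an arbitrary address. The function name `triage`, the regular expressions and the returned field names are assumptions for illustration; the sample input is an excerpt of the report quoted above.

```python
import re

# WTF's CRASH() macro, which a failed ASSERT() invokes, deliberately writes to
# this address so that assertion failures stand out in crash logs.
WEBKIT_CRASH_SENTINEL = 0xBBADBEEF

# Excerpt of the crash report quoted in this bug (first three frames only).
SAMPLE_REPORT = """\
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010efacd5c JSC::JSGlobalData::float32ArrayDescriptor() const + 92 (JSGlobalData.h:430)
1 com.apple.JavaScriptCore 0x000000010ef9c01d JSC::DFG::SpeculativeJIT::typedArrayDescriptor(JSC::DFG::Array::Mode) + 349 (DFGSpeculativeJIT.cpp:292)
2 com.apple.JavaScriptCore 0x000000010ef9c08b JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID) + 43 (DFGSpeculativeJIT.cpp:300)
"""

# index, binary image, program counter, symbol, offset, optional (file:line)
FRAME_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<image>\S+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?) \+ (?P<offset>\d+)(?: \((?P<source>[^()]+:\d+)\))?\s*$"
)


def triage(report):
    """Summarise a macOS crash report: fault address, top frame, verdict."""
    fault = re.search(r"Exception Codes:\s+(\S+) at (0x[0-9a-fA-F]+)", report)
    thread = re.search(r"Crashed Thread:\s+(\d+)", report)
    if not fault or not thread:
        raise ValueError("not a recognisable crash report")
    address = int(fault.group(2), 16)
    # Frames of the crashed thread follow its "Thread N Crashed:" header.
    _, _, body = report.partition(f"Thread {thread.group(1)} Crashed:")
    frames = []
    for line in body.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.groupdict())
        elif frames:
            break  # a blank line or the next thread header ends the backtrace
    if not frames:
        raise ValueError("no frames found for the crashed thread")
    return {
        "fault_address": hex(address),
        "assertion_crash": address == WEBKIT_CRASH_SENTINEL,
        "top_symbol": frames[0]["symbol"],
        "top_source": frames[0]["source"],
        "frame_count": len(frames),
    }
```
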
Attachments
attempt to make more sense of the failures (2.88 KB, patch), 2012-08-30 16:50 PDT, Filip Pizlo
Radar WebKit Bug Importer
Comment 1
2012-08-29 16:26:05 PDT
<rdar://problem/12202429>
Jessie Berlin
Comment 2
2012-08-29 19:00:42 PDT
On the advice of pizlo, skipped a bunch of the affected tests:
http://trac.webkit.org/changeset/127080
Filip Pizlo
Comment 3
2012-08-29 22:53:51 PDT
(In reply to comment #2)
> On the advice of pizlo, skipped a bunch of the affected tests: http://trac.webkit.org/changeset/127080
Thanks Jessie! I am looking at this now.
Jessie Berlin
Comment 4
2012-08-30 08:22:19 PDT
Looks like skipping those tests only led to others failing:
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r127135%20(434)/results.html
fast/js/dfg-uint16array.html
fast/js/dfg-int8array.html
fast/js/dfg-uint32array.html
fast/js/dfg-uint8array.html
fast/js/dfg-int16array.html
fast/js/dfg-uint32array-overflow-values.html

Should I skip all the fast/js/dfg tests?
Filip Pizlo
Comment 5
2012-08-30 15:33:17 PDT
(In reply to comment #4)
> Looks like skipping those tests only led to others failing: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r127135%20(434)/results.html
>
> fast/js/dfg-uint16array.html
> fast/js/dfg-int8array.html
> fast/js/dfg-uint32array.html
> fast/js/dfg-uint8array.html
> fast/js/dfg-int16array.html
> fast/js/dfg-uint32array-overflow-values.html
>
> Should I skip all the fast/js/dfg tests?
That's frustrating. Interestingly, I cannot get the tests to fail locally when I unskip them. I'll try harder though...
Filip Pizlo
Comment 6
2012-08-30 16:50:04 PDT
Created attachment 161589
attempt to make more sense of the failures
Mark Hahnenberg
Comment 7
2012-08-30 16:50:55 PDT
Comment on attachment 161589
attempt to make more sense of the failures

rs=me
WebKit Review Bot
Comment 8
2012-08-30 18:14:49 PDT
Comment on attachment 161589
attempt to make more sense of the failures

Clearing flags on attachment: 161589

Committed r127222: <http://trac.webkit.org/changeset/127222>
WebKit Review Bot
Comment 9
2012-08-30 18:14:52 PDT
All reviewed patches have been landed. Closing bug.