I tried to generate GDB backtraces for these crashes on Qt, but unfortunately they pass if we run tests one by one, but crash if we run all fast/js tests.

I skipped them on Qt to paint the bots green - https://trac.webkit.org/changeset/128878 Please unskip them with the proper fix.

(In reply to comment #1) > I tried to generate GDB backtraces for these crashes on Qt, but unfortunately > they pass if we run tests one by one, but crash if we run all fast/js tests. Alternatively, if you just run the same test twice or more it crashes after the first run. Example backtrace: #0 0x080d3a5c in JSC::WriteBarrierBase<JSC::Structure>::unvalidatedGet (this=0x0) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:139 #1 0x080d24a1 in JSC::JSCell::unvalidatedStructure (this=0x0) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSCell.h:143 #2 0xb786f9bc in JSC::slowValidateCell (cell=0xabadf610) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSCell.cpp:167 #3 0x080d2072 in JSC::validateCell<JSC::JSCell*> (cell=0xabadf610) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:55 #4 0x080d3a98 in JSC::WriteBarrierBase<JSC::Structure>::get (this=0xabbcf420) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:103 #5 0xb787d74d in JSC::JSGlobalObject::haveABadTime (this=0xabbcf250, globalData=...) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:409 #6 0xb788ced7 in JSC::JSObject::notifyPresenceOfIndexedAccessors (this=0xabbef890, globalData=...) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSObject.cpp:470 #7 0xb788f84f in JSC::JSObject::defineOwnIndexedProperty (this=0xabbef890, exec=0xacee00d8, index=0, descriptor=..., throwException=true) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSObject.cpp:1105 #8 0xb786777f in JSC::JSArray::defineOwnProperty (object=0xabbef890, exec=0xacee00d8, propertyName=..., descriptor=..., throwException=true) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSArray.cpp:179 #9 0xb78bf776 in JSC::objectConstructorDefineProperty (exec=0xacee00d8) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/ObjectConstructor.cpp:304 #10 0xacebd72f in ?? () #11 0xb778e3d3 in JSC::JITCode::execute (this=0xabb5fe64, registerFile=0x822042c, callFrame=0xacee0038, globalData=0x8279128) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/jit/JITCode.h:134 #12 0xb778ab08 in JSC::Interpreter::execute (this=0x8220420, program=0xabb5fe50, callFrame=0xabbcf3ac, thisObj=0xabbefff0) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:992 #13 0xb784d07e in JSC::evaluate (exec=0xabbcf3ac, source=..., thisValue=..., returnedException=0xbfffe70c) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:75 #14 0xb35813fa in WebCore::JSMainThreadExecState::evaluate (exec=0xabbcf3ac, source=..., thisValue=..., exception=0xbfffe70c) at /home/rakuco/dev/WebKit/Source/WebCore/bindings/js/JSMainThreadExecState.h:77 #15 0xb359ea11 in WebCore::ScriptController::evaluateInWorld (this=0x81d9b34, sourceCode=..., world=0x821dea0) at /home/rakuco/dev/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:148 #16 0xb359eb08 in WebCore::ScriptController::evaluate (this=0x81d9b34, sourceCode=...) at /home/rakuco/dev/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:165 #17 0xb2b7ece4 in WebCore::ScriptElement::executeScript (this=0x8421604, sourceCode=...) at /home/rakuco/dev/WebKit/Source/WebCore/dom/ScriptElement.cpp:301 #18 0xb2d64db1 in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent (this=0x81f6470, pendingScript=...) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:139 #19 0xb2d64c29 in WebCore::HTMLScriptRunner::executeParsingBlockingScript (this=0x81f6470) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:118 #20 0xb2d6512d in WebCore::HTMLScriptRunner::executeParsingBlockingScripts (this=0x81f6470) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:190 #21 0xb2d650d9 in WebCore::HTMLScriptRunner::execute (this=0x81f6470, scriptElement=..., scriptStartPosition=...) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:178 #22 0xb2d560bb in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x81ecc88) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:200 #23 0xb2d56160 in WebCore::HTMLDocumentParser::canTakeNextToken (this=0x81ecc88, mode=WebCore::HTMLDocumentParser::AllowYield, session=...) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:217 #24 0xb2d56556 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x81ecc88, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:254 #25 0xb2d55f4a in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x81ecc88, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:173 #26 0xb2d570d3 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x81ecc88) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:476 #27 0xb2d573a4 in WebCore::HTMLDocumentParser::notifyFinished (this=0x81ecc88, cachedResource=0x8257350) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:516 #28 0xb2f27f4b in WebCore::CachedResource::checkNotify (this=0x8257350) at /home/rakuco/dev/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:248 #29 0xb2f3bccf in WebCore::CachedScript::data (this=0x8257350, data=..., allDataReceived=true) at /home/rakuco/dev/WebKit/Source/WebCore/loader/cache/CachedScript.cpp:90 #30 0xb2eeb897 in WebCore::SubresourceLoader::didFinishLoading (this=0x824ece8, finishTime=0) at /home/rakuco/dev/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:300 #31 0xb2ee6cf5 in WebCore::ResourceLoader::didFinishLoading (this=0x824ece8, finishTime=0) at /home/rakuco/dev/WebKit/Source/WebCore/loader/ResourceLoader.cpp:441 #32 0xb3a19bc0 in WebCore::readCallback (asyncResult=0x8273b60, data=0x8275a78) at /home/rakuco/dev/WebKit/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:953 #33 0xb01c62e8 in async_ready_callback_wrapper (source_object=0x8261980, res=0x8273b60, user_data=user_data@entry=0x8275a78) at ginputstream.c:529 #34 0xb01dd200 in g_simple_async_result_complete (simple=simple@entry=0x8273b60) at gsimpleasyncresult.c:767 #35 0xb01dd273 in complete_in_idle_cb_for_thread (_data=_data@entry=0x81f3cd0) at gsimpleasyncresult.c:835 #36 0xb03c0af0 in g_idle_dispatch (source=source@entry=0xac561db8, callback=0xb01dd240 <complete_in_idle_cb_for_thread>, user_data=0x81f3cd0) at gmain.c:4657 #37 0xb03c3033 in g_main_dispatch (context=0x81c4a68) at gmain.c:2539 #38 g_main_context_dispatch (context=context@entry=0x81c4a68) at gmain.c:3075 #39 0xb09af09c in _ecore_glib_select__locked (ecore_timeout=0xbfffee08, efds=0xbfffef10, wfds=0xbfffee90, rfds=0xbfffee10, ecore_fds=10, ctx=0x81c4a68) at ecore_glib.c:171 #40 _ecore_glib_select (ecore_fds=10, rfds=0xbfffee10, wfds=0xbfffee90, efds=0xbfffef10, ecore_timeout=0xbfffee08) at ecore_glib.c:205#41 0xb09a8d9f in _ecore_main_select (timeout=0) at ecore_main.c:1370 #42 0xb09a9875 in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at ecore_main.c:1786 #43 0xb09a9c0f in ecore_main_loop_begin () at ecore_main.c:931 #44 0x080b7bd7 in runTest (inputLine=0xbffff4cb "LayoutTests/ietestcenter/Javascript/15.4.4.14-9-b-i-5.html") at /home/rakuco/dev/WebKit/Tools/DumpRenderTree/efl/DumpRenderTree.cpp:289 #45 0x080b8463 in main (argc=3, argv=0xbffff2d4) at /home/rakuco/dev/WebKit/Tools/DumpRenderTree/efl/DumpRenderTree.cpp:457

(In reply to comment #2) > I skipped them on Qt to paint the bots green - https://trac.webkit.org/changeset/128878 > > Please unskip them with the proper fix. Tests skipped on EFL as well: <http://trac.webkit.org/changeset/128881>

Yup, I'm looking at it. Strange that I didn't see these on Mac. :-/

Which test were you running? (In reply to comment #3) > (In reply to comment #1) > > I tried to generate GDB backtraces for these crashes on Qt, but unfortunately > > they pass if we run tests one by one, but crash if we run all fast/js tests. > > Alternatively, if you just run the same test twice or more it crashes after the first run. Example backtrace: > > #0 0x080d3a5c in JSC::WriteBarrierBase<JSC::Structure>::unvalidatedGet (this=0x0) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:139 > #1 0x080d24a1 in JSC::JSCell::unvalidatedStructure (this=0x0) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSCell.h:143 > #2 0xb786f9bc in JSC::slowValidateCell (cell=0xabadf610) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSCell.cpp:167 > #3 0x080d2072 in JSC::validateCell<JSC::JSCell*> (cell=0xabadf610) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:55 > #4 0x080d3a98 in JSC::WriteBarrierBase<JSC::Structure>::get (this=0xabbcf420) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:103 > #5 0xb787d74d in JSC::JSGlobalObject::haveABadTime (this=0xabbcf250, globalData=...) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:409 > #6 0xb788ced7 in JSC::JSObject::notifyPresenceOfIndexedAccessors (this=0xabbef890, globalData=...) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSObject.cpp:470 > #7 0xb788f84f in JSC::JSObject::defineOwnIndexedProperty (this=0xabbef890, exec=0xacee00d8, index=0, descriptor=..., throwException=true) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSObject.cpp:1105 > #8 0xb786777f in JSC::JSArray::defineOwnProperty (object=0xabbef890, exec=0xacee00d8, propertyName=..., descriptor=..., throwException=true) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/JSArray.cpp:179 > #9 0xb78bf776 in JSC::objectConstructorDefineProperty (exec=0xacee00d8) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/ObjectConstructor.cpp:304 > #10 0xacebd72f in ?? () > #11 0xb778e3d3 in JSC::JITCode::execute (this=0xabb5fe64, registerFile=0x822042c, callFrame=0xacee0038, globalData=0x8279128) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/jit/JITCode.h:134 > #12 0xb778ab08 in JSC::Interpreter::execute (this=0x8220420, program=0xabb5fe50, callFrame=0xabbcf3ac, thisObj=0xabbefff0) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:992 > #13 0xb784d07e in JSC::evaluate (exec=0xabbcf3ac, source=..., thisValue=..., returnedException=0xbfffe70c) at /home/rakuco/dev/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:75 > #14 0xb35813fa in WebCore::JSMainThreadExecState::evaluate (exec=0xabbcf3ac, source=..., thisValue=..., exception=0xbfffe70c) at /home/rakuco/dev/WebKit/Source/WebCore/bindings/js/JSMainThreadExecState.h:77 > #15 0xb359ea11 in WebCore::ScriptController::evaluateInWorld (this=0x81d9b34, sourceCode=..., world=0x821dea0) at /home/rakuco/dev/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:148 > #16 0xb359eb08 in WebCore::ScriptController::evaluate (this=0x81d9b34, sourceCode=...) at /home/rakuco/dev/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:165 > #17 0xb2b7ece4 in WebCore::ScriptElement::executeScript (this=0x8421604, sourceCode=...) at /home/rakuco/dev/WebKit/Source/WebCore/dom/ScriptElement.cpp:301 > #18 0xb2d64db1 in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent (this=0x81f6470, pendingScript=...) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:139 > #19 0xb2d64c29 in WebCore::HTMLScriptRunner::executeParsingBlockingScript (this=0x81f6470) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:118 > #20 0xb2d6512d in WebCore::HTMLScriptRunner::executeParsingBlockingScripts (this=0x81f6470) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:190 > #21 0xb2d650d9 in WebCore::HTMLScriptRunner::execute (this=0x81f6470, scriptElement=..., scriptStartPosition=...) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:178 > #22 0xb2d560bb in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x81ecc88) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:200 > #23 0xb2d56160 in WebCore::HTMLDocumentParser::canTakeNextToken (this=0x81ecc88, mode=WebCore::HTMLDocumentParser::AllowYield, session=...) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:217 > #24 0xb2d56556 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x81ecc88, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:254 > #25 0xb2d55f4a in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x81ecc88, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:173 > #26 0xb2d570d3 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x81ecc88) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:476 > #27 0xb2d573a4 in WebCore::HTMLDocumentParser::notifyFinished (this=0x81ecc88, cachedResource=0x8257350) at /home/rakuco/dev/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:516 > #28 0xb2f27f4b in WebCore::CachedResource::checkNotify (this=0x8257350) at /home/rakuco/dev/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:248 > #29 0xb2f3bccf in WebCore::CachedScript::data (this=0x8257350, data=..., allDataReceived=true) at /home/rakuco/dev/WebKit/Source/WebCore/loader/cache/CachedScript.cpp:90 > #30 0xb2eeb897 in WebCore::SubresourceLoader::didFinishLoading (this=0x824ece8, finishTime=0) at /home/rakuco/dev/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:300 > #31 0xb2ee6cf5 in WebCore::ResourceLoader::didFinishLoading (this=0x824ece8, finishTime=0) at /home/rakuco/dev/WebKit/Source/WebCore/loader/ResourceLoader.cpp:441 > #32 0xb3a19bc0 in WebCore::readCallback (asyncResult=0x8273b60, data=0x8275a78) at /home/rakuco/dev/WebKit/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:953 > #33 0xb01c62e8 in async_ready_callback_wrapper (source_object=0x8261980, res=0x8273b60, user_data=user_data@entry=0x8275a78) at ginputstream.c:529 > #34 0xb01dd200 in g_simple_async_result_complete (simple=simple@entry=0x8273b60) at gsimpleasyncresult.c:767 > #35 0xb01dd273 in complete_in_idle_cb_for_thread (_data=_data@entry=0x81f3cd0) at gsimpleasyncresult.c:835 > #36 0xb03c0af0 in g_idle_dispatch (source=source@entry=0xac561db8, callback=0xb01dd240 <complete_in_idle_cb_for_thread>, user_data=0x81f3cd0) at gmain.c:4657 > #37 0xb03c3033 in g_main_dispatch (context=0x81c4a68) at gmain.c:2539 > #38 g_main_context_dispatch (context=context@entry=0x81c4a68) at gmain.c:3075 > #39 0xb09af09c in _ecore_glib_select__locked (ecore_timeout=0xbfffee08, efds=0xbfffef10, wfds=0xbfffee90, rfds=0xbfffee10, ecore_fds=10, ctx=0x81c4a68) at ecore_glib.c:171 > #40 _ecore_glib_select (ecore_fds=10, rfds=0xbfffee10, wfds=0xbfffee90, efds=0xbfffef10, ecore_timeout=0xbfffee08) at ecore_glib.c:205#41 0xb09a8d9f in _ecore_main_select (timeout=0) at ecore_main.c:1370 > #42 0xb09a9875 in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at ecore_main.c:1786 > #43 0xb09a9c0f in ecore_main_loop_begin () at ecore_main.c:931 > #44 0x080b7bd7 in runTest (inputLine=0xbffff4cb "LayoutTests/ietestcenter/Javascript/15.4.4.14-9-b-i-5.html") at /home/rakuco/dev/WebKit/Tools/DumpRenderTree/efl/DumpRenderTree.cpp:289 > #45 0x080b8463 in main (argc=3, argv=0xbffff2d4) at /home/rakuco/dev/WebKit/Tools/DumpRenderTree/efl/DumpRenderTree.cpp:457

Found it. IndexingHeaderInlineMethods was incorrectly assuming that if the HasArrayStorage bit is clear, then that means that indexing payload capacity is zero.

Created attachment 164617 [details] the patch

Comment on attachment 164617 [details] the patch r=me

Fix landed in http://trac.webkit.org/changeset/128928 Will land unskippage in separate revision.

Bunch of unskippage in http://trac.webkit.org/changeset/128929

Reopen, because unfortunately these tests still crash on Qt: http://build.webkit.sed.hu/results/x86-64%20Linux%20Qt%20Debug/r128935%20%2825217%29/results.html and on EFL too: http://build.webkit.org/results/EFL%20Linux%2064-bit%20Debug/r128933%20%286069%29/results.html

(In reply to comment #12) > Reopen, because unfortunately these tests still crash on Qt: > http://build.webkit.sed.hu/results/x86-64%20Linux%20Qt%20Debug/r128935%20%2825217%29/results.html > > and on EFL too: http://build.webkit.org/results/EFL%20Linux%2064-bit%20Debug/r128933%20%286069%29/results.html That is unfortunate! I will look.

Skipping those tests again for EFL port in Bug 97074 since they crash consistently on the debug bots.

Still seeing crashes here: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r129007%20(1227)/ietestcenter/Javascript/15.4.4.14-9-b-i-6-crash-log.txt

OK. I think I've found the real problem. Testing now.

Created attachment 164800 [details] patch for landing Already reviewed by Mark in person.

Landed in http://trac.webkit.org/changeset/129065