WebKit Bugzilla
Bug 98596: [GTK][EFL] Crash in JSC::checkOffset, originating from LLInt
Status: RESOLVED DUPLICATE of bug 98722
https://bugs.webkit.org/show_bug.cgi?id=98596
Zan Dobersek
Reported
2012-10-06 04:45:27 PDT
The crash occurred on the GTK 64-bit Debug builder; it seems to be the first such crash in this test, and it's also the first time I have seen such a crash.
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&showAllRuns=true&tests=http%2Ftests%2Finspector-enabled%2Fdedicated-workers-list
http://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug/builds/37359
http://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug/r130578%20(37359)/results.html
Here's the crash log:

Crash log for DumpRenderTree (pid 26961):
...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007ff0f1125f2c in JSC::checkOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:71
71          ASSERT(offset == invalidOffset ...

Thread 1 (Thread 0x7ff0e2c9b900 (LWP 26961)):
#0  0x00007ff0f1125f2c in JSC::checkOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:71
#1  0x00007ff0f12395dc in JSC::validateOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:84
#2  0x00007ff0f1239790 in JSC::JSObject::offsetForLocation (this=0x7ff09764fee0, location=0x7ff097650078) at ../../Source/JavaScriptCore/runtime/JSObject.h:468
#3  0x00007ff0f1237bec in JSC::JSFunction::getOwnPropertySlot (cell=0x7ff09764fee0, exec=0x7ff09f69a038, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:218
#4  0x00007ff0f1238771 in JSC::JSFunction::put (cell=0x7ff09764fee0, exec=0x7ff09f69a038, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:342
#5  0x00007ff0f10987d4 in JSC::JSValue::put (this=0x7fff9b194580, exec=0x7ff09f69a038, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1201
#6  0x00007ff0f118d52e in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7ff09f69a038, pc=0x5322310) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:933
#7  0x00007ff0f11968d3 in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#8  0x00007fff9b194640 in ?? ()
#9  0x00007fff9b194670 in ?? ()
#10 0x0000000000000000 in ?? ()
...
Zan Dobersek
Comment 1
2012-10-06 04:48:01 PDT
Also, not adding any crash expectation just to see if this will actually incur again in the same test or anywhere else.
Chris Dumez
Comment 2
2012-10-08 01:06:25 PDT
We have the same intermittent crashes on the EFL port for:

fast/workers/worker-replace-global-constructor.html
fast/scrolling/scrollable-area-frame.html
fast/scrolling/scrollable-area-frame-inherited-visibility-hidden.html
fast/table/padding-height-and-override-height.html
(And probably others)

Backtrace:

crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ASSERTION FAILED: offset == invalidOffset || offset < inlineCapacity || isOutOfLineOffset(offset)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/runtime/PropertyOffset.h(73) : void JSC::checkOffset(JSC::PropertyOffset, JSC::PropertyOffset)
STDERR: 1   0x7fea6a4bed92 JSC::checkOffset(int, int)
STDERR: 2   0x7fea64aff92e JSC::validateOffset(int, int)
STDERR: 3   0x7fea64affae2 JSC::JSObject::offsetForLocation(JSC::WriteBarrierBase<JSC::Unknown>*) const
STDERR: 4   0x7fea64b4460d JSC::setUpStaticFunctionSlot(JSC::ExecState*, JSC::HashEntry const*, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 5   0x7fea64b6b23c bool JSC::getStaticFunctionSlot<JSC::StringObject>(JSC::ExecState*, JSC::HashTable const*, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 6   0x7fea64b63460 JSC::StringPrototype::getOwnPropertySlot(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 7   0x7fea64b30ad2 JSC::JSString::getOwnPropertySlot(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 8   0x7fea6da069db JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
STDERR: 9   0x7fea6a4d0742 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
STDERR: 10  0x7fea64bb8fcd
STDERR: 11  0x7fea64bc2a00
STDERR: LEAK: 1 WebPageProxy
STDERR: LEAK: 1 WebContext
Dominik Röttsches (drott)
Comment 3
2012-10-17 05:14:44 PDT
I propose to mark this a duplicate of bug 98722, since that one has revision information and the best root-cause info.

*** This bug has been marked as a duplicate of bug 98722 ***