Bug 98722 - REGRESSION (r130359): Assertion failure in JSC::checkOffset caused by removal of fixed inline slots count assumption
Summary: REGRESSION (r130359): Assertion failure in JSC::checkOffset caused by removal...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P1 Critical
Assignee: Geoffrey Garen
URL:
Keywords: InRadar, Regression
: 98596 99356 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-10-08 22:35 PDT by Mark Lam
Modified: 2013-01-11 14:39 PST (History)
14 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2012-10-08 22:35:02 PDT 
Change set <http://trac.webkit.org/changeset/130359> (https://bugs.webkit.org/show_bug.cgi?id=98332 Removed the assumption that "final" objects have a fixed number of inline slots) caused some mozilla  tests in run-javascriptcore-tests to fail intermittently when jsc is built with COLLECT_ON_EVERY_ALLOCATION enabled in heap/MarkedAllocator.cpp.  This issue does not manifest in r130344 which is the revision immediately before r130359 (as far as JavaScriptCore changes are concern).

I reproduced the issues by simply running the GC only one in 5 times in MarkedAllocator::allocateSlowCase() as follows (which runs a lot faster):
#if 1 // COLLECT_ON_EVERY_ALLOCATION // mlam
    static int count = 0;
    count = (count + 1) % 5;
    if (count == 0) {
        m_heap->collectAllGarbage();
        ASSERT(m_heap->m_operationInProgress == NoOperation);
    }
#endif

When I tried running an affected test in gdb, the test does not fail every time.  But if I re-run the test over and over again in gdb, it eventually fails with an assertion failure.  Here is an example backtrace from running the following (on a more recent build, r130716):

$ cd Source/JavaScriptCore/tests/mozilla
Source/JavaScriptCore/tests/mozilla$ DYLD_FRAMEWORK_PATH=/Volumes/Source/ws2/OpenSource/WebKitBuild/Debug/ gdb /Volumes/Source/ws2/OpenSource/WebKitBuild/Debug/jsc
...
(gdb) r -s  -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js
Starting program: /Volumes/Source/ws2/OpenSource/WebKitBuild/Debug/jsc -s  -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js
BUGNUMBER: 304828

STATUS: Array Generic Methods

ASSERTION FAILED: offset == invalidOffset || offset < inlineCapacity || isOutOfLineOffset(offset)
...

(gdb) bt
#0  0x00000001002433e7 in JSC::checkOffset (offset=37, inlineCapacity=13) at PropertyOffset.h:71
#1  0x00000001002b7209 in JSC::validateOffset (offset=37, inlineCapacity=13) at PropertyOffset.h:84
#2  0x00000001002b6f6e in JSC::JSObject::offsetForLocation (this=0x101dcffe0, location=0x101dd0118) at JSObject.h:468
#3  0x000000010032869d in JSC::setUpStaticFunctionSlot (exec=0x104800058, entry=0x102802060, thisObj=0x101dcffe0, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/Lookup.cpp:87
#4  0x000000010035729a in JSC::getStaticFunctionSlot<JSC::JSNonFinalObject> (exec=0x104800058, table=0x101901680, thisObj=0x101dcffe0, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at Lookup.h:294
#5  0x0000000100356089 in JSC::ObjectPrototype::getOwnPropertySlot (cell=0x101dcffe0, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/ObjectPrototype.cpp:82
#6  0x000000010008c2e6 in JSC::JSCell::fastGetOwnPropertySlot (this=0x101dcffe0, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at JSObject.h:905
#7  0x000000010008c0b0 in JSC::JSObject::getPropertySlot (this=0x101dcfe20, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}, slot=@0x7fff5fbfdbf8) at JSObject.h:930
#8  0x0000000100085518 in JSC::JSObject::get (this=0x101dcfe20, exec=0x104800058, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}) at JSObject.h:955
#9  0x00000001002db1a0 in callDefaultValueFunction (exec=0x104800058, object=0x101dcfe20, propertyName={m_impl = 0x101902630, static NotAnIndex = 4294967295}) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/JSObject.cpp:736
#10 0x00000001002d833d in JSC::JSObject::defaultValue (object=0x101dcfe20, exec=0x104800058, hint=JSC::NoPreference) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/JSObject.cpp:775
#11 0x00000001002a9dd4 in JSC::JSObject::toPrimitive (this=0x101dcfe20, exec=0x104800058, preferredType=JSC::NoPreference) at JSObject.h:1142
#12 0x00000001002a971f in JSC::JSCell::toPrimitive (this=0x101dcfe20, exec=0x104800058, preferredType=JSC::NoPreference) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/JSCell.cpp:140
#13 0x000000010012c038 in JSC::JSValue::toPrimitive (this=0x7fff5fbfdef8, exec=0x104800058, preferredType=JSC::NoPreference) at JSCell.h:264
#14 0x000000010035796b in JSC::jsAddSlowCase (callFrame=0x104800058, v1={u = {asInt64 = 4326227488, ptr = 0x101dcfe20, asBits = {payload = 31260192, tag = 1}}}, v2={u = {asInt64 = 4321181664, ptr = 0x1018fffe0, asBits = {payload = 26214368, tag = 1}}}) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/Operations.cpp:54
#15 0x000000010042b467 in llint_slow_path_add (exec=0x104800058, pc=0x1020193f8) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:633
#16 0x00000001004362dc in llint_op_add ()
#17 0x000000010024bc14 in JSC::JITCode::execute (this=0x100efdd00, stack=0x1036090e0, callFrame=0x104800058, globalData=0x101007e00) at JITCode.h:134
#18 0x000000010024846b in JSC::Interpreter::execute (this=0x1036090c0, program=0x100efdce0, callFrame=0x1018cfb88, thisObj=0x1018efd80) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/interpreter/Interpreter.cpp:878
#19 0x000000010012885f in JSC::evaluate (exec=0x1018cfb88, source=@0x7fff5fbff770, thisValue={u = {asInt64 = 4320983424, ptr = 0x1018cf980, asBits = {payload = 26016128, tag = 1}}}, returnedException=0x7fff5fbff790) at /Volumes/Source/ws2/OpenSource/Source/JavaScriptCore/runtime/Completion.cpp:77
#20 0x00000001000087c9 in runWithScripts (globalObject=0x1018cf980, scripts=@0x7fff5fbff880, dump=false) at jsc.cpp:567
#21 0x0000000100008008 in jscmain (argc=8, argv=0x7fff5fbff910) at jsc.cpp:755
#22 0x0000000100007efe in main (argc=8, argv=0x7fff5fbff910) at jsc.cpp:530
(gdb)
Comment 1 Mark Lam 2012-10-11 14:01:39 PDT 
This is also causing a crash in the layout test: inspector/styles/import-pseudoclass-crash.html
Comment 2 Mark Lam 2012-10-11 14:04:41 PDT 
The inspector/styles/import-pseudoclass-crash.html  crash seems to be intermittent.  I'm not seeing it on the ews bots.
Comment 3 Dominik Röttsches (drott) 2012-10-17 05:14:32 PDT 
*** Bug 99356 has been marked as a duplicate of this bug. ***
Comment 4 Dominik Röttsches (drott) 2012-10-17 05:14:44 PDT 
*** Bug 98596 has been marked as a duplicate of this bug. ***
Comment 5 Geoffrey Garen 2012-10-17 10:19:02 PDT 
<rdar://problem/12518688>
Comment 6 Geoffrey Garen 2012-10-18 16:16:18 PDT 
I tried reproducing this @r131809, using the COLLECT_ON_EVERY_ALLOCATION change above:
    - run-javascriptcore-tests --debug: no crash
    - r -s  -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js: no crash
    - r -s  -f ./js1_6/shell.js -f ./js1_6/Array/shell.js -f ./js1_6/Array/regress-304828.js....: no crash
Comment 7 Geoffrey Garen 2012-10-19 11:22:25 PDT 
I can reproduce this using run-javascriptcore-tests @r130359, on many sub-tests.
Comment 8 Simon Fraser (smfr) 2012-10-19 11:42:11 PDT 
Frequently seeing this while debugging facebook.
Comment 10 Chris Dumez 2012-11-05 08:19:19 PST 
This crash still occurs regularly on EFL EWS:
http://build.webkit.org/results/EFL%20Linux%2064-bit%20Debug/r133475%20(8160)/results.html
http://build.webkit.org/results/EFL%20Linux%2064-bit%20Debug/r133460%20(8156)/results.html

It makes it tough to keep the bots green since it affects random tests.
Comment 12 Ryosuke Niwa 2013-01-03 10:32:05 PST 
inspector/extensions/extensions-panel.html and inspector/extensions/extensions-api.html crashed on this run:
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138709%20(4272)/results.html

fast/dom/gc-acid3.html and inspector/profiler/webgl/webgl-profiler-get-error.html crashed on this run:
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r138709%20(5405)/results.html
Comment 15 Ryosuke Niwa 2013-01-04 10:29:22 PST 
Another one: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138805%20(4304)/results.html

This bug is preventing us from making debug bots green.
Comment 16 Geoffrey Garen 2013-01-11 12:20:19 PST 
Bug 106686 should fix most of these reports. A related bug remains in JSObject::offsetForLocation() (coming soon).
Comment 17 Geoffrey Garen 2013-01-11 13:18:09 PST 
Bug 106692 removes JSObject::offsetForLocation().
Comment 18 Geoffrey Garen 2013-01-11 13:18:34 PST 
I believe this issue is fixed; we'll reopen if more buildbot issues appear.
Comment 19 Geoffrey Garen 2013-01-11 13:19:46 PST 
BTW, Phil is the one who diagnosed this bug.
Comment 20 Ryosuke Niwa 2013-01-11 14:39:24 PST 
(In reply to comment #17)
> Bug 106692 removes JSObject::offsetForLocation().

Exciting!

(In reply to comment #19)
> BTW, Phil is the one who diagnosed this bug.

Thanks a lot for following up on this bug. I really hope this flaky crash goes away in the next cycle.