Bug 98859 - [Qt][WK2]REGRESSION(r130826): It made fast/js/sparse-array.html crash on 64 bit
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 420+
Hardware: All All
Importance: P1 Critical
Assignee: Nobody
URL:
Keywords: Qt, QtTriaged
Depends on:
Blocks: 79668 97288
Reported: 2012-10-09 22:35 PDT by Csaba Osztrogonác
Modified: 2012-11-21 02:50 PST (History)

See Also:
Description Csaba Osztrogonác 2012-10-09 22:35:48 PDT
crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: 1   0x7f7d912b4038 /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0x1a60038) [0x7f7d912b4038]
STDERR: 2   0x7f7d8e19a420 /lib/x86_64-linux-gnu/libc.so.6(+0x36420) [0x7f7d8e19a420]
STDERR: 3   0x7f7d91243792 /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)+0x2d2) [0x7f7d91243792]
STDERR: 4   0x7f7d91059dd7 /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0x1805dd7) [0x7f7d91059dd7]
STDERR: 5   0x7f7d9104ad9a /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0x17f6d9a) [0x7f7d9104ad9a]
STDERR: 6   0x7f7d9104e20e /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0x17fa20e) [0x7f7d9104e20e]
STDERR: 7   0x7f7d8fee7ed4 /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0x693ed4) [0x7f7d8fee7ed4]
STDERR: 8   0x7f7d905b992a /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0xd6592a) [0x7f7d905b992a]
STDERR: 9   0x7f7d8ec5caf9 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QObject::event(QEvent*)+0x69) [0x7f7d8ec5caf9]
STDERR: 10  0x7f7d8f177744 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtWidgets.so.5(QApplicationPrivate::notify_helper(QObject*, QEvent*)+0xb4) [0x7f7d8f177744]
STDERR: 11  0x7f7d8f17a7c1 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtWidgets.so.5(QApplication::notify(QObject*, QEvent*)+0x3b1) [0x7f7d8f17a7c1]
STDERR: 12  0x7f7d8ec35f34 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QCoreApplication::notifyInternal(QObject*, QEvent*)+0x84) [0x7f7d8ec35f34]
STDERR: 13  0x7f7d8ec7ce1c /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QTimerInfoList::activateTimers()+0x47c) [0x7f7d8ec7ce1c]
STDERR: 14  0x7f7d8ec7d6ad /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(+0x2596ad) [0x7f7d8ec7d6ad]
STDERR: 15  0x7f7d88ee6a5d /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x1dd) [0x7f7d88ee6a5d]
STDERR: 16  0x7f7d88ee7258 /lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x45258) [0x7f7d88ee7258]
STDERR: 17  0x7f7d88ee7429 /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_iteration+0x69) [0x7f7d88ee7429]
STDERR: 18  0x7f7d8ec7ddd4 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)+0x64) [0x7f7d8ec7ddd4]
STDERR: 19  0x7f7d8ec34d5b /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)+0xcb) [0x7f7d8ec34d5b]
STDERR: 20  0x7f7d8ec38660 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QCoreApplication::exec()+0x80) [0x7f7d8ec38660]
STDERR: 21  0x7f7d907d12ac /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(+0xf7d2ac) [0x7f7d907d12ac]
STDERR: 22  0x7f7d8fe7702d /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/lib/libQtWebKit.so.5(WebKit::WebProcessMainQt(QGuiApplication*)+0x36d) [0x7f7d8fe7702d]
STDERR: 23  0x400b99 /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/bin/QtWebProcess() [0x400b99]
STDERR: 24  0x7f7d8e18530d /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed) [0x7f7d8e18530d]
STDERR: 25  0x400c21 /home/webkitbuildbot/slaves/release64bitWebKit2_EC2/buildslave/qt-linux-64-release-webkit2/build/WebKitBuild/Release/bin/QtWebProcess() [0x400c21]
Comment 1 Csaba Osztrogonác 2012-10-09 23:43:17 PDT
Unfortunately, reproducing the crash isn't so easy, because the test passes on its own.
But you can reproduce it with the following command:
$ Tools/Scripts/run-webkit-tests -2 fast/js/sort-stability.html fast/js/sort-with-side-effecting-comparisons.html LayoutTests/fast/js/sparse-array.html

Here is the debug backtrace:
-----------------------------
1   0x7ffff0262394 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWTF.so.1(+0x56394) [0x7ffff0262394]
2   0x7fffe8523230 /lib/libc.so.6(+0x32230) [0x7fffe8523230]
3   0x7ffff7b10708 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebKit1.so.1(JSC::WriteBarrierBase<JSC::Structure>::get() const+0x10) [0x7ffff7b10708]
4   0x7ffff7b09eae /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebKit1.so.1(JSC::JSCell::structure() const+0x18) [0x7ffff7b09eae]
5   0x7ffff0a25695 /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::SlotVisitor::validate(JSC::JSCell*)+0x4d) [0x7ffff0a25695]
6   0x7ffff3e0f31d /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(JSC::SlotVisitor::internalAppend(JSC::JSCell*)+0x71) [0x7ffff3e0f31d]
7   0x7ffff0c6a7d2 /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(void JSC::SlotVisitor::append<JSC::SparseArrayValueMap>(JSC::WriteBarrierBase<JSC::SparseArrayValueMap>*)+0x2e) [0x7ffff0c6a7d2]
8   0x7ffff0c6a4d8 /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::JSObject::visitButterfly(JSC::SlotVisitor&, JSC::Butterfly*, unsigned long)+0x61e) [0x7ffff0c6a4d8]
9   0x7ffff0c6030a /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)+0x146) [0x7ffff0c6030a]
10  0x7ffff0a24c8b /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x532c8b) [0x7ffff0a24c8b]
11  0x7ffff0a24e3c /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::SlotVisitor::drain()+0x84) [0x7ffff0a24e3c]
12  0x7ffff0a0f694 /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::SlotVisitor::donateAndDrain()+0x24) [0x7ffff0a0f694]
13  0x7ffff0a0d6d7 /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::Heap::markRoots(bool)+0x48d) [0x7ffff0a0d6d7]
14  0x7ffff0a0ddaa /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::Heap::collect(JSC::Heap::SweepToggle)+0x1fc) [0x7ffff0a0ddaa]
15  0x7ffff0a0dba9 /home/oszi/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(JSC::Heap::collectAllGarbage()+0x2f) [0x7ffff0a0dba9]
16  0x7ffff3de3d37 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(+0x201cd37) [0x7ffff3de3d37]
17  0x7ffff3de3f76 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*)+0x1a) [0x7ffff3de3f76]
18  0x7ffff3de41b0 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(WebCore::Timer<WebCore::GCController>::fired()+0x6e) [0x7ffff3de41b0]
19  0x7ffff48caf05 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(WebCore::ThreadTimers::sharedTimerFiredInternal()+0xd3) [0x7ffff48caf05]
20  0x7ffff48cae2f /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(WebCore::ThreadTimers::sharedTimerFired()+0x19) [0x7ffff48cae2f]
21  0x7ffff4c41914 /home/oszi/WebKit/WebKitBuild/Debug/lib/libWebCore.so.1(WebCore::SharedTimerQt::timerEvent(QTimerEvent*)+0x6a) [0x7ffff4c41914]
22  0x7fffe98f7da9 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QObject::event(QEvent*)+0x99) [0x7fffe98f7da9]
23  0x7fffeac8c27c /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtWidgets.so.5(QApplicationPrivate::notify_helper(QObject*, QEvent*)+0xac) [0x7fffeac8c27c]
24  0x7fffeac93b3b /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtWidgets.so.5(QApplication::notify(QObject*, QEvent*)+0x11b) [0x7fffeac93b3b]
25  0x7fffe98d3584 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QCoreApplication::notifyInternal(QObject*, QEvent*)+0x84) [0x7fffe98d3584]
26  0x7fffe991eb62 /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QTimerInfoList::activateTimers()+0x3d2) [0x7fffe991eb62]
27  0x7fffe991f5cd /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(+0x2715cd) [0x7fffe991f5cd]
28  0x7fffec6ee6f2 /lib/libglib-2.0.so.0(g_main_context_dispatch+0x1f2) [0x7fffec6ee6f2]
29  0x7fffec6f2568 /lib/libglib-2.0.so.0(+0x42568) [0x7fffec6f2568]
30  0x7fffec6f271c /lib/libglib-2.0.so.0(g_main_context_iteration+0x6c) [0x7fffec6f271c]
31  0x7fffe991f28b /usr/local/Trolltech/Qt5/Qt-5.0.0-r37/lib/libQtCore.so.5(QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)+0x6b) [0x7fffe991f28b]
LEAK: 1 WebFrame
LEAK: 1 WebPage
LEAK: 50 WebCoreNode
LEAK: 3 CachedResource
LEAK: 1 Frame
LEAK: 1 Page
LEAK: 37 RenderObject
#CRASHED - WebProcess
[Thread 0x7fffa2036700 (LWP 23659) exited]
LEAK: 1 WebContext
LEAK: 1 WebPageProxy
[Thread 0x7fffa2439700 (LWP 23657) exited]
[Thread 0x7fffa1e35700 (LWP 23661) exited]
[Thread 0x7fffa263a700 (LWP 23656) exited]
[Thread 0x7fffa283b700 (LWP 23655) exited]
[Thread 0x7ffff7ff7700 (LWP 23658) exited]
Comment 2 Csaba Osztrogonác 2012-10-09 23:47:39 PDT
Great, one more GC related crash. :(

Is there any Qt engineer interested in fixing JSC crashes?
It seems everybody ignores all JSC GC related crash bugs:
- https://bugs.webkit.org/show_bug.cgi?id=90957
- https://bugs.webkit.org/show_bug.cgi?id=95723
- https://bugs.webkit.org/show_bug.cgi?id=95727
Comment 3 Filip Pizlo 2012-10-10 00:02:47 PDT
(In reply to comment #2)
> Great, one more GC related crash. :(
> 
> Is there any Qt engineer interested in fixing JSC crashes?
> It seems everybody ignores all JSC GC related crash bugs:
> - https://bugs.webkit.org/show_bug.cgi?id=90957
> - https://bugs.webkit.org/show_bug.cgi?id=95723
> - https://bugs.webkit.org/show_bug.cgi?id=95727

One of those is not Qt specific.  The others may or may not be.  I think a lot depends on the frequency with which GC is being invoked, and what the timing of GCs is.  I suspect you guys invoke it in a more random fashion than we do, so you get nailed with more bugs.

I've been wanting to set up a bot that runs Mac WebKit with the GC tweaked to be more aggressive - not so aggressive that it would increase execution times significantly, but aggressive enough that it should shake out more bugs.
Comment 4 Csaba Osztrogonác 2012-10-10 00:22:16 PDT
(I painted the Qt WK2 bot green by skipping 2 tests - r130865.)
Comment 5 Csaba Osztrogonác 2012-11-21 02:50:59 PST
It works now, so I unskipped the tests - r135370.