[Webkit-unassigned] [Bug 143960] REGRESSION (r182899): icloud.com crashes

bugzilla-daemon at webkit.org
Tue Apr 21 14:57:07 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=143960

--- Comment #17 from Basile Clement <basile_clement at apple.com> ---
(In reply to comment #16)
> (In reply to comment #15)
> > (In reply to comment #14)
> > > I'm seeing this crash in r183071:
> > > 
> > > stress/dfg-rare-data.js.always-trigger-copy-phase: test_script_8421: line 2:
> > > 47158 Segmentation fault: 11  "$@"
> > > ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false
> > > --enableFunctionDotArguments\=true --minHeapUtilization\=2.0
> > > --minCopiedBlockUtilization\=2.0 dfg-rare-data.js
> > > stress/dfg-rare-data.js.always-trigger-copy-phase: ERROR: Unexpected exit
> > > code: 139
> > 
> > I don't see it in r183076; checking out r183071 to test.
> 
> It appears flaky.  I got it on one run and haven't seen it since.  Maybe
> your "don't reallocate" work will fix it.

Running

while true; do
  DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc Source/JavaScriptCore/tests/stress/dfg-rare-data.js --useFTLJIT=false --enableFunctionDotArguments=true --minHeapUtilization=2.0 --minCopiedBlockUtilization=2.0;
done

on r183071 dies frequently, while it doesn't happen in r183076, so I think this is the race condition incidentally fixed in https://bugs.webkit.org/show_bug.cgi?id=143999.

The backtrace seems to support this:

ASSERTION FAILED: m_rareData
/Volumes/Data/SVN/WIP/OpenSource/Source/JavaScriptCore/runtime/JSFunction.h(129) : JSC::InlineWatchpointSet &JSC::JSFunction::allocationProfileWatchpointSet()
1   0x109e1fce0 WTFCrash
2   0x10982ce86 JSC::JSFunction::allocationProfileWatchpointSet()
3   0x10982cb9a JSC::DFG::WatchpointCollectionPhase::handle()
4   0x10982c7c9 JSC::DFG::WatchpointCollectionPhase::run()
5   0x10982c675 bool JSC::DFG::runAndLog<JSC::DFG::WatchpointCollectionPhase>(JSC::DFG::WatchpointCollectionPhase&)
6   0x10982c605 bool JSC::DFG::runPhase<JSC::DFG::WatchpointCollectionPhase>(JSC::DFG::Graph&)
7   0x10982c598 JSC::DFG::performWatchpointCollection(JSC::DFG::Graph&)
8   0x109764bfb JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
9   0x109763bf1 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
10  0x10982efc0 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
11  0x10982d5a4 JSC::DFG::Worklist::threadFunction(void*)
12  0x109e76f99 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
13  0x109e76f6c std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
14  0x1099437aa std::__1::function<void ()>::operator()() const
15  0x109e75eee WTF::threadEntryPoint(void*)
16  0x109e778c8 WTF::wtfThreadEntryPoint(void*)
17  0x7fff8d91b268 _pthread_body
18  0x7fff8d91b1e5 _pthread_body
19  0x7fff8d91941d thread_start
Segmentation fault: 11
