[Webkit-unassigned] [Bug 164440] New: DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure) in ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 4 17:46:11 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=164440

            Bug ID: 164440
           Summary: DFG ASSERTION FAILED:
                    m_plan.weakReferences.contains(structure) in
                    ChakraCore.yaml/ChakraCore/test/Array/array_includes.j
                    s.default
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

I saw this DFG assert while running the JSC tests on a debug build of 208404 with the patch from https://bugs.webkit.org/show_bug.cgi?id=164436.  I don't think the patch from https://bugs.webkit.org/show_bug.cgi?id=164436 matters here.  The issue seems to be intermittent (racy).  I have not been able to reproduce it yet, but just want to record it.

The crash info and trace dumped by the JSC test:

ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/dfg/DFGGraph.cpp(1526) : void JSC::DFG::Graph::assertIsRegistered(JSC::Structure *)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 1   0x10d96437d WTFCrash
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 2   0x10d964399 WTFCrashWithSecurityImplication
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 3   0x10cd6773f JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 4   0x10cd67549 JSC::DFG::Graph::handleAssertionFailure(std::nullptr_t, char const*, int, char const*, char const*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 5   0x10cd63fd4 JSC::DFG::Graph::assertIsRegistered(JSC::Structure*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 6   0x10cfe50a9 JSC::DFG::StructureAbstractValue::assertIsRegistered(JSC::DFG::Graph&) const
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 7   0x10cba76bd JSC::DFG::AbstractValue::assertIsRegistered(JSC::DFG::Graph&) const
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 8   0x10cba778e JSC::DFG::AbstractValue::set(JSC::DFG::Graph&, JSC::Structure*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 9   0x10cc5a5ff JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 10  0x10cc4b65b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 11  0x10cc4a505 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 12  0x10cc49e92 JSC::DFG::CFAPhase::performForwardCFA()
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 13  0x10cc49917 JSC::DFG::CFAPhase::run()
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 14  0x10cc49112 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 15  0x10cc4906e bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 16  0x10cc49035 JSC::DFG::performCFA(JSC::DFG::Graph&)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 17  0x10cec0065 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 18  0x10cebee69 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 19  0x10d031295 JSC::DFG::Worklist::ThreadBody::work()
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 20  0x10d9c2c35 WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 21  0x10d9c29fd void std::__1::__invoke_void_return_wrapper<void>::__call<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0&>(WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0&&&)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 22  0x10d9c2799 std::__1::__function::__func<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0, std::__1::allocator<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0>, void ()>::operator()()
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 23  0x10cf006ba std::__1::function<void ()>::operator()() const
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 24  0x10d9d3a77 WTF::threadEntryPoint(void*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 25  0x10d9d5441 WTF::wtfThreadEntryPoint(void*)
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 26  0x7fff97ec4aab _pthread_body
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 27  0x7fff97ec49f7 _pthread_body
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 28  0x7fff97ec41fd thread_start
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: test_script_30122: line 2: 74605 Segmentation fault: 11  ( "$@" ../../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true jsc-lib.js array_includes.js )
ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: ERROR: Unexpected exit code: 139

** The following JSC stress test failures have been introduced:
    ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161105/f17f6648/attachment-0001.html>

More information about the webkit-unassigned mailing list