[Webkit-unassigned] [Bug 190693] New: stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
bugzilla-daemon at webkit.org
Wed Oct 17 16:24:36 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=190693
Bug ID: 190693
Summary: stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
I'm not sure if ASAN is needed, but that's what I saw this failure on. It hasn't reproduced for me on a debug build though. I ran it through the run-javascriptcore-tests harness:
$ ./Tools/Scripts/run-javascriptcore-tests --release --no-build --jsc-stress --filter const-semantics
stress/const-semantics.js.dfg-eager: AddressSanitizer:DEADLYSIGNAL
stress/const-semantics.js.dfg-eager: =================================================================
stress/const-semantics.js.dfg-eager: ==9196==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x000109bb2c7d bp 0x70000b860430 sp 0x70000b860430 T7)
stress/const-semantics.js.dfg-eager: ==9196==The signal is caused by a READ memory access.
stress/const-semantics.js.dfg-eager: ==9196==Hint: address points to the zero page.
stress/const-semantics.js.dfg-eager: #0 0x109bb2c7c in JSC::ClassInfo const* WTF::Poisoned<WTF::Poison<g_GlobalDataPoison>, JSC::ClassInfo const*, void>::unpoisoned<JSC::ClassInfo const*>() const Poisoned.h:114
stress/const-semantics.js.dfg-eager: #1 0x10a0c85cc in JSC::JSCell::methodTable(JSC::VM&) const JSCellInlines.h:297
stress/const-semantics.js.dfg-eager: #2 0x10b20e099 in JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const SlotVisitor.cpp:393
stress/const-semantics.js.dfg-eager: #3 0x10b2032c7 in JSC::IterationStatus JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3>(JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3 const&) SlotVisitorInlines.h:190
stress/const-semantics.js.dfg-eager: #4 0x10b203198 in JSC::SlotVisitor::drain(WTF::MonotonicTime) SlotVisitor.cpp:493
stress/const-semantics.js.dfg-eager: #5 0x10b204619 in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) SlotVisitor.cpp:693
stress/const-semantics.js.dfg-eager: #6 0x10b19b056 in JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18::operator()() const Heap.cpp:1269
stress/const-semantics.js.dfg-eager: #7 0x1094630cf in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) ParallelHelperPool.cpp:112
stress/const-semantics.js.dfg-eager: #8 0x109464971 in WTF::ParallelHelperPool::Thread::work() ParallelHelperPool.cpp:200
stress/const-semantics.js.dfg-eager: #9 0x1093fff21 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:223
stress/const-semantics.js.dfg-eager: #10 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager: #11 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager: #12 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager: #13 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager: #14 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: ==9196==Register values:
stress/const-semantics.js.dfg-eager: rax = 0x0000000000000008 rbx = 0x00006310000008d0 rcx = 0x0000100000000008 rdx = 0x000062d00014f180
stress/const-semantics.js.dfg-eager: rdi = 0x0000000000000040 rsi = 0x0000000000000000 rbp = 0x000070000b860430 rsp = 0x000070000b860430
stress/const-semantics.js.dfg-eager: r8 = 0x0000100000000000 r9 = 0x0000000000000001 r10 = 0x00007fff919721a8 r11 = 0x0000000000000198
stress/const-semantics.js.dfg-eager: r12 = 0x00000000ffffff9d r13 = 0x000062d00014f180 r14 = 0x0000000000000000 r15 = 0x0000611000002e80
stress/const-semantics.js.dfg-eager: AddressSanitizer can not provide additional info.
stress/const-semantics.js.dfg-eager: SUMMARY: AddressSanitizer: SEGV Poisoned.h:114 in JSC::ClassInfo const* WTF::Poisoned<WTF::Poison<g_GlobalDataPoison>, JSC::ClassInfo const*, void>::unpoisoned<JSC::ClassInfo const*>() const
stress/const-semantics.js.dfg-eager: Thread T7 created by T5 here:
stress/const-semantics.js.dfg-eager: #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager: #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager: #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager: #3 0x1093fc2e4 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:165
stress/const-semantics.js.dfg-eager: #4 0x1093fc6a6 in WTF::AutomaticThreadCondition::notifyAll(WTF::AbstractLocker const&) AutomaticThread.cpp:76
stress/const-semantics.js.dfg-eager: #5 0x1094627e1 in WTF::ParallelHelperPool::didMakeWorkAvailable(WTF::AbstractLocker const&) ParallelHelperPool.cpp:216
stress/const-semantics.js.dfg-eager: #6 0x1094622d0 in WTF::ParallelHelperClient::setTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) ParallelHelperPool.cpp:62
stress/const-semantics.js.dfg-eager: #7 0x10b17b58e in void WTF::ParallelHelperClient::setFunction<JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>(JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18 const&) ParallelHelperPool.h:142
stress/const-semantics.js.dfg-eager: #8 0x10b178c4e in JSC::Heap::runBeginPhase(JSC::GCConductor) Heap.cpp:1256
stress/const-semantics.js.dfg-eager: #9 0x10b177e53 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) Heap.cpp:1168
stress/const-semantics.js.dfg-eager: #10 0x10b177ce7 in JSC::Heap::collectInCollectorThread() Heap.cpp:1111
stress/const-semantics.js.dfg-eager: #11 0x10b1852b8 in JSC::Heap::Thread::work() Heap.cpp:261
stress/const-semantics.js.dfg-eager: #12 0x1093fff21 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:223
stress/const-semantics.js.dfg-eager: #13 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager: #14 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager: #15 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager: #16 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager: #17 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: Thread T5 created by T4 here:
stress/const-semantics.js.dfg-eager: #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager: #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager: #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager: #3 0x1093fc2e4 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:165
stress/const-semantics.js.dfg-eager: #4 0x10b1adbfe in JSC::Heap::notifyIsSafeToCollect()::$_37::operator()() const Heap.cpp:2827
stress/const-semantics.js.dfg-eager: #5 0x1094af758 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:136
stress/const-semantics.js.dfg-eager: #6 0x1094b52b8 in WTF::wtfThreadEntryPoint(void*) ThreadingPthreads.cpp:202
stress/const-semantics.js.dfg-eager: #7 0x7fff5f5ea660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
stress/const-semantics.js.dfg-eager: #8 0x7fff5f5ea50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
stress/const-semantics.js.dfg-eager: #9 0x7fff5f5e9bf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: Thread T4 created by T0 here:
stress/const-semantics.js.dfg-eager: #0 0x10f35650d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f50d)
stress/const-semantics.js.dfg-eager: #1 0x1094b51d3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) ThreadingPthreads.cpp:214
stress/const-semantics.js.dfg-eager: #2 0x1094af9e6 in WTF::Thread::create(char const*, WTF::Function<void ()>&&) Threading.cpp:152
stress/const-semantics.js.dfg-eager: #3 0x10b183967 in JSC::Heap::notifyIsSafeToCollect() Heap.cpp:2816
stress/const-semantics.js.dfg-eager: #4 0x10bda7be8 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) VM.cpp:470
stress/const-semantics.js.dfg-eager: #5 0x10bdaed89 in JSC::VM::create(JSC::HeapType) VM.cpp:643
stress/const-semantics.js.dfg-eager: #6 0x1092ad4b3 in int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) jsc.cpp:2733
stress/const-semantics.js.dfg-eager: #7 0x1092ab58e in jscmain(int, char**) jsc.cpp:2841
stress/const-semantics.js.dfg-eager: #8 0x1092ab3ea in main jsc.cpp:2271
stress/const-semantics.js.dfg-eager: #9 0x7fff5f2d2014 in start (libdyld.dylib:x86_64+0x1014)
stress/const-semantics.js.dfg-eager:
stress/const-semantics.js.dfg-eager: ==9196==ABORTING
stress/const-semantics.js.dfg-eager: test_script_4: line 2: 9196 Abort trap: 6 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --collectContinuously\=true --useGenerationalGC\=false --useProbeOSRExit\=true const-semantics.js )
stress/const-semantics.js.dfg-eager: ERROR: Unexpected exit code: 134
16/16 (failed 1)
** The following JSC stress test failures have been introduced:
stress/const-semantics.js.dfg-eager
Results for JSC stress tests:
1 failure found.
I'm seeing this on an unmodified ASAN release build of ToT r237236.