<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - REGRESSION (r182899): icloud.com crashes"
href="https://bugs.webkit.org/show_bug.cgi?id=143960#c17">Comment # 17</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - REGRESSION (r182899): icloud.com crashes"
href="https://bugs.webkit.org/show_bug.cgi?id=143960">bug 143960</a>
from <span class="vcard"><a class="email" href="mailto:basile_clement@apple.com" title="Basile Clement <basile_clement@apple.com>"> <span class="fn">Basile Clement</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=143960#c16">comment #16</a>)
<span class="quote">> (In reply to <a href="show_bug.cgi?id=143960#c15">comment #15</a>)
> > (In reply to <a href="show_bug.cgi?id=143960#c14">comment #14</a>)
> > > I'm seeing this crash in r183071:
> > >
> > > stress/dfg-rare-data.js.always-trigger-copy-phase: test_script_8421: line 2:
> > > 47158 Segmentation fault: 11 "$@"
> > > ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false
> > > --enableFunctionDotArguments\=true --minHeapUtilization\=2.0
> > > --minCopiedBlockUtilization\=2.0 dfg-rare-data.js
> > > stress/dfg-rare-data.js.always-trigger-copy-phase: ERROR: Unexpected exit
> > > code: 139
> >
> > I don't see it in r183076 ; checking out r183071 to test.
>
> It appears flaky. I got it on one run and haven't seen it since. Maybe
> your "don't reallocate" work will fix it.</span >
Running
while true; do
DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc Source/JavaScriptCore/tests/stress/dfg-rare-data.js --useFTLJIT=false --enableFunctionDotArguments=true --minHeapUtilization=2.0 --minCopiedBlockUtilization=2.0;
done
on r183071 dies frequently, while it doesn't happen in r183076, so I think this is the race condition incidentally fixed in <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Remove AllocationProfileWatchpoint node"
href="show_bug.cgi?id=143999">https://bugs.webkit.org/show_bug.cgi?id=143999</a>.
The backtrace seems to support this:
ASSERTION FAILED: m_rareData
/Volumes/Data/SVN/WIP/OpenSource/Source/JavaScriptCore/runtime/JSFunction.h(129) : JSC::InlineWatchpointSet &JSC::JSFunction::allocationProfileWatchpointSet()
1 0x109e1fce0 WTFCrash
2 0x10982ce86 JSC::JSFunction::allocationProfileWatchpointSet()
3 0x10982cb9a JSC::DFG::WatchpointCollectionPhase::handle()
4 0x10982c7c9 JSC::DFG::WatchpointCollectionPhase::run()
5 0x10982c675 bool JSC::DFG::runAndLog<JSC::DFG::WatchpointCollectionPhase>(JSC::DFG::WatchpointCollectionPhase&)
6 0x10982c605 bool JSC::DFG::runPhase<JSC::DFG::WatchpointCollectionPhase>(JSC::DFG::Graph&)
7 0x10982c598 JSC::DFG::performWatchpointCollection(JSC::DFG::Graph&)
8 0x109764bfb JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
9 0x109763bf1 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
10 0x10982efc0 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
11 0x10982d5a4 JSC::DFG::Worklist::threadFunction(void*)
12 0x109e76f99 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
13 0x109e76f6c std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
14 0x1099437aa std::__1::function<void ()>::operator()() const
15 0x109e75eee WTF::threadEntryPoint(void*)
16 0x109e778c8 WTF::wtfThreadEntryPoint(void*)
17 0x7fff8d91b268 _pthread_body
18 0x7fff8d91b1e5 _pthread_body
19 0x7fff8d91941d thread_start
Segmentation fault: 11</pre>
</div>
</p>
</body>
</html>