Bug 152752
| Summary: | Crash in regress/script-tests/Int16Array-bubble-sort.js.ftl-eager | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Pizlo <fpizlo> |
| Component: | JavaScriptCore | Assignee: | Mark Lam <mark.lam> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | ||
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
Filip Pizlo
I'm seeing this test failure every time on my machine:
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 1 0x10bf865c9 WTF::CrashOnOverflow::overflowed()
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 2 0x10c0b47bb JSC::CodeBlock::resultProfileForBytecodeOffset(int)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 3 0x10c14611d JSC::DFG::ByteCodeParser::makeDivSafe(JSC::DFG::Node*)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 4 0x10c137ebd JSC::DFG::ByteCodeParser::parseBlock(unsigned int)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 5 0x10c14259a JSC::DFG::ByteCodeParser::parseCodeBlock()
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 6 0x10c142906 JSC::DFG::ByteCodeParser::parse()
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 7 0x10c142b7d JSC::DFG::parse(JSC::DFG::Graph&)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 8 0x10c250cb3 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 9 0x10c250895 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 10 0x10c309cfc JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 11 0x10c803f73 WTF::threadEntryPoint(void*)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 12 0x10c80433f WTF::wtfThreadEntryPoint(void*)
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 13 0x7fff8b5b8268 _pthread_body
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 14 0x7fff8b5b81e5 _pthread_body
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 15 0x7fff8b5b641d thread_start
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: test_script_22385: line 2: 53407 Segmentation fault: 11 ( "$@" ../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --useFTLJIT\=true --ftlCrashesIfCantInitializeLLVM\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 Int16Array-bubble-sort.js )
regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: ERROR: Unexpected exit code: 139
The failure appears to require the test to run concurrently to something. It doesn't crash when you just do a standalone run. In fact, I can run the test standalone >700 times without seeing a crash.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Mark Lam
It looks like this is due to us now being able to add result profiles not in bytecode order. This will be fixed in my patch for https://bugs.webkit.org/show_bug.cgi?id=132470.
*** This bug has been marked as a duplicate of bug 132470 ***
Mark Lam
Found another source of a crasher. De-dupping to apply the fix.
Mark Lam
Nevermind. This specific crash is indeed fixed in the patch for https://bugs.webkit.org/show_bug.cgi?id=132470. I'll handle the other crasher bug separately.
*** This bug has been marked as a duplicate of bug 132470 ***