Bug 242615

Summary: REGRESSION (252288@main?): 10 wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
Product: WebKit Reporter: Karl Rackler <rackler>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: webkit-bot-watchers-bugzilla, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Karl Rackler 2022-07-11 16:41:53 PDT 
The following JSC tests are failing on debug bots:
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-bbqb3
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-eager-jettison
stress/gc-invocation-with-transfer.js.ftl-no-cjit-validate-sampling-profiler
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-slow-memory
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-eager
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-tls-context
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-air
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.default-wasm
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-b3
wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js.wasm-no-cjit-yes-tls-context

https://build.webkit.org/#/builders/378/builds/1339

Crash Log:
ASSERTION FAILED: currentHeapSize >= m_sizeAfterLastCollect
heap/Heap.cpp(2364) : void JSC::Heap::updateAllocationLimits()
1   0x1154fde54 WTFCrash
2   0x115b103f0 JSC::IntlListFormat::initializeListFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
3   0x1168ef928 JSC::Heap::updateAllocationLimits()
4   0x1168ee11c JSC::Heap::runEndPhase(JSC::GCConductor)
5   0x1168ec94c JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
6   0x11693db7c JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const
7   0x11693db10 WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
8   0x116999670 void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const
9   0x1169995f4 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
10  0x1168f1418 JSC::Heap::collectInMutatorThread()
11  0x1168f11dc JSC::Heap::stopIfNecessarySlow(unsigned int)
12  0x1168f0fc8 JSC::Heap::stopIfNecessarySlow()
13  0x1168ec178 JSC::Heap::stopIfNecessary()
14  0x1168e8e48 JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*)
15  0x1168e8b94 JSC::Heap::reportExtraMemoryAllocatedSlowCase(unsigned long)
16  0x116edddc8 JSC::Heap::reportExtraMemoryAllocated(unsigned long)
17  0x117130f74 JSC::JSArrayBufferView::ConstructionContext::ConstructionContext(JSC::VM&, JSC::Structure*, unsigned long, unsigned int, JSC::JSArrayBufferView::ConstructionContext::InitializationMode)
18  0x11713113c JSC::JSArrayBufferView::ConstructionContext::ConstructionContext(JSC::VM&, JSC::Structure*, unsigned long, unsigned int, JSC::JSArrayBufferView::ConstructionContext::InitializationMode)
19  0x116735c14 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::create(JSC::JSGlobalObject*, JSC::Structure*, unsigned long)
20  0x116676d94 JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::JSGlobalObject*, JSC::Structure*, long long, unsigned long, std::__1::optional<unsigned long>)
21  0x1172bf108 long long JSC::constructGenericTypedArrayViewImpl<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::JSGlobalObject*, JSC::CallFrame*)
22  0x1172bebf0 JSC::constructUint8Array(JSC::JSGlobalObject*, JSC::CallFrame*)
23  0x11e6040f0
24  0x115b6c894 llint_entry
25  0x115b46340 vmEntryToJavaScript
26  0x116b503fc JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
27  0x116b4fa14 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
28  0x116fe5908 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29  0x102f97030 runWithOptions(GlobalObject*, CommandLine&, bool&)
30  0x102f4aac8 jscmain(int, char**)::$_12::operator()(JSC::VM&, GlobalObject*, bool&) const
31  0x102f15080 int runJSC<jscmain(int, char**)::$_12>(CommandLine const&, bool, jscmain(int, char**)::$_12 const&)
test_script_36349: line 2: 89561 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Helpers/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --validateGraph\=true --validateBCE\=true --useSamplingProfiler\=true --airForceIRCAllocator\=true --useDataICInFTL\=true --forceUnlinkedDFG\=true --useFTLJIT\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true gc-invocation-with-transfer.js )
Comment 1 Radar WebKit Bug Importer 2022-07-11 16:42:11 PDT 
<rdar://problem/96850434>
Comment 2 Ryan Haddad 2022-07-11 17:08:34 PDT 
https://commits.webkit.org/252262@main looks like it could be related, it added the stress/gc-invocation-with-transfer.js test.
Comment 3 Yusuke Suzuki 2022-07-12 20:55:18 PDT 
Fixed in bug 242630

*** This bug has been marked as a duplicate of bug 242630 ***