RESOLVED DUPLICATE of bug 132470 152752
Crash in regress/script-tests/Int16Array-bubble-sort.js.ftl-eager 
https://bugs.webkit.org/show_bug.cgi?id=152752
Summary Crash in regress/script-tests/Int16Array-bubble-sort.js.ftl-eager
Filip Pizlo
Reported 2016-01-05 12:37:39 PST
I'm seeing this test failure every time on my machine: regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 1 0x10bf865c9 WTF::CrashOnOverflow::overflowed() regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 2 0x10c0b47bb JSC::CodeBlock::resultProfileForBytecodeOffset(int) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 3 0x10c14611d JSC::DFG::ByteCodeParser::makeDivSafe(JSC::DFG::Node*) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 4 0x10c137ebd JSC::DFG::ByteCodeParser::parseBlock(unsigned int) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 5 0x10c14259a JSC::DFG::ByteCodeParser::parseCodeBlock() regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 6 0x10c142906 JSC::DFG::ByteCodeParser::parse() regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 7 0x10c142b7d JSC::DFG::parse(JSC::DFG::Graph&) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 8 0x10c250cb3 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 9 0x10c250895 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 10 0x10c309cfc JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 11 0x10c803f73 WTF::threadEntryPoint(void*) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 12 0x10c80433f WTF::wtfThreadEntryPoint(void*) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 13 0x7fff8b5b8268 _pthread_body regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 14 0x7fff8b5b81e5 _pthread_body regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: 15 0x7fff8b5b641d thread_start regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: test_script_22385: line 2: 53407 Segmentation fault: 11 ( "$@" ../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --useFTLJIT\=true --ftlCrashesIfCantInitializeLLVM\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 Int16Array-bubble-sort.js ) regress/script-tests/Int16Array-bubble-sort.js.ftl-eager: ERROR: Unexpected exit code: 139 The failure appears to require the test to run concurrently to something. It doesn't crash when you just do a standalone run. In fact, I can run the test standalone >700 times without seeing a crash.
Attachments
Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-01-05 12:46:34 PST
It looks like this is due to us now being able to add result profiles not in bytecode order. This will be fixed in my patch for https://bugs.webkit.org/show_bug.cgi?id=132470. *** This bug has been marked as a duplicate of bug 132470 ***
Mark Lam
Comment 2 2016-01-07 13:29:29 PST
Found another source of a crasher. De-dupping to apply the fix.
Mark Lam
Comment 3 2016-01-07 13:37:39 PST
Nevermind. This specific crash is indeed fixed in the patch for https://bugs.webkit.org/show_bug.cgi?id=132470. I'll handle the other crasher bug separately. *** This bug has been marked as a duplicate of bug 132470 ***
Note You need to log in before you can comment on or make changes to this bug.