119440 2013-08-02 05:41:36 -0700 REGRESSION(r153612): It made jsc and layout tests crash 2013-08-02 07:44:58 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P1 Critical --- 119140 1 ossy webkit-unassigned abrhm barraclough commit-queue fpizlo ggaren jbriance kadam mark.lam mhahnenberg msaboff oliver ossy zarvai oldest_to_newest 914099 0 ossy 2013-08-02 05:41:36 -0700 After http://trac.webkit.org/changeset/153612 jsc and layout tests started to crash on 64 bit bit in debug mode. (at least on Qt) Here is a GDB backtrace on r153636: gdb --args ../../../../WebKitBuild/Debug/bin/jsc -s -f ./ecma/shell.js -f ./ecma/Boolean/15.6.4.2-4-n.js GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04 Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://bugs.launchpad.net/gdb-linaro/>... Reading symbols from /home/webkitbuildbot/oszi/WebKit/WebKitBuild/Debug/bin/jsc...done. (gdb) run Starting program: /home/webkitbuildbot/oszi/WebKit/WebKitBuild/Debug/bin/jsc -s -f ./ecma/shell.js -f ./ecma/Boolean/15.6.4.2-4-n.js [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". [New Thread 0x7fffb4309700 (LWP 29393)] [New Thread 0x7fffb3ae9700 (LWP 29394)] [New Thread 0x7fffb32e8700 (LWP 29395)] [New Thread 0x7fffb2ae7700 (LWP 29396)] [New Thread 0x7fffb22e6700 (LWP 29397)] [New Thread 0x7fffb1ae5700 (LWP 29398)] [New Thread 0x7fffb12e4700 (LWP 29399)] 15.6.4.2-4-n Boolean.prototype.toString() Program received signal SIGSEGV, Segmentation fault. 0x00007fffb06e4160 in ?? () (gdb) bt #0 0x00007fffb06e4160 in ?? () #1 0x00007fffffffb550 in ?? () #2 0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212 #3 0x00000000006a0682 in JSC::JITCode::execute (this=0x1024bb0, stack=0xff2668, callFrame=0x7fffb06e4160, vm=0xfe1730) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46 #4 0x000000000068c9e3 in JSC::Interpreter::execute (this=0xff2650, eval=0x7ffff7e3fdf0, callFrame=0x7fffb06e4108, thisValue=..., scope=0x7fffb05fffc8) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1208 #5 0x0000000000687609 in JSC::eval (callFrame=0x7fffb06e4108) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:148 #6 0x00000000006dace6 in JSC::LLInt::llint_slow_path_call_eval (exec=0x7fffb06e40a0, pc=0x1026fc8) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1109 #7 0x0000000000ab5737 in llint_op_call_eval () #8 0x00007fffffffca80 in ?? () #9 0x000000000068efcb in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212 #10 0x00000000006a0682 in JSC::JITCode::execute (this=0x101c760, stack=0xff2668, callFrame=0x7fffb06e4058, vm=0xfe1730) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46 #11 0x000000000068af4f in JSC::Interpreter::execute (this=0xff2650, program=0x7ffff7e3fe70, callFrame=0x7ffff7f7f8e0, thisObj=0x7ffff7e7feb0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:856 #12 0x00000000007728fd in JSC::evaluate (exec=0x7ffff7f7f8e0, source=..., thisValue=..., returnedException=0x7fffffffe080) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83 #13 0x000000000040ff8c in runWithScripts (globalObject=0x7ffff7f7f870, scripts=..., dump=false) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:596 #14 0x0000000000410c97 in jscmain (argc=6, argv=0x7fffffffe348) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:812 #15 0x000000000040fd68 in main (argc=6, argv=0x7fffffffe348) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jsc.cpp:554 (gdb) 914100 1 ossy 2013-08-02 05:42:29 -0700 r153611: http://build.webkit.sed.hu/builders/x86-64%20Linux%20Qt%20Debug/builds/29901 r153612: http://build.webkit.sed.hu/builders/x86-64%20Linux%20Qt%20Debug/builds/29888 914101 2 ossy 2013-08-02 05:47:53 -0700 +info: - pass with disabled JIT - fail with enabled JIT + enabled DFG JIT - fail with enabled JIT + disabled DFG JIT 914102 3 ossy 2013-08-02 06:01:32 -0700 Some related disassembly: 00000000006c4023 <cti_vm_throw_slowpath>: 6c4023: 55 push %rbp 6c4024: 48 89 e5 mov %rsp,%rbp 6c4027: 48 83 ec 40 sub $0x40,%rsp 6c402b: 48 89 7d d8 mov %rdi,-0x28(%rbp) 6c402f: 48 8b 45 d8 mov -0x28(%rbp),%rax 6c4033: 48 89 c7 mov %rax,%rdi 6c4036: e8 63 2a d9 ff callq 456a9e <JSC::ExecState::codeBlock() const> 6c403b: 48 89 c7 mov %rax,%rdi 6c403e: e8 ab 02 dc ff callq 4842ee <JSC::CodeBlock::vm()> 6c4043: 48 89 45 f8 mov %rax,-0x8(%rbp) 6c4047: 48 8b 45 f8 mov -0x8(%rbp),%rax 6c404b: 48 8b 55 d8 mov -0x28(%rbp),%rdx 6c404f: 48 89 90 80 90 00 00 mov %rdx,0x9080(%rax) 6c4056: 48 8b 45 f8 mov -0x8(%rbp),%rax 6c405a: 48 8b 90 50 aa 00 00 mov 0xaa50(%rax),%rdx 6c4061: 48 8b 4d d8 mov -0x28(%rbp),%rcx 6c4065: 48 8b 45 f8 mov -0x8(%rbp),%rax 6c4069: 48 89 ce mov %rcx,%rsi 6c406c: 48 89 c7 mov %rax,%rdi 6c406f: e8 4b 5b fe ff callq 6a9bbf <JSC::jitThrowNew(JSC::VM*, JSC::ExecState*, JSC::JSValue)> 6c4074: 48 89 c1 mov %rax,%rcx 6c4077: 48 89 d0 mov %rdx,%rax 6c407a: 48 89 4d c0 mov %rcx,-0x40(%rbp) 6c407e: 48 89 45 c8 mov %rax,-0x38(%rbp) 6c4082: 48 8b 45 c0 mov -0x40(%rbp),%rax 6c4086: 48 89 45 e0 mov %rax,-0x20(%rbp) 6c408a: 48 8b 45 c8 mov -0x38(%rbp),%rax 6c408e: 48 89 45 e8 mov %rax,-0x18(%rbp) 6c4092: 48 8b 55 e0 mov -0x20(%rbp),%rdx 6c4096: 48 8b 45 e8 mov -0x18(%rbp),%rax 6c409a: 48 89 d7 mov %rdx,%rdi 6c409d: 48 89 c6 mov %rax,%rsi 6c40a0: e8 33 59 fe ff callq 6a99d8 <JSC::encode(JSC::ExceptionHandler)> 6c40a5: c9 leaveq 6c40a6: c3 retq 00000000006a99d8 <JSC::encode(JSC::ExceptionHandler)>: 6a99d8: 55 push %rbp 6a99d9: 48 89 e5 mov %rsp,%rbp 6a99dc: 48 89 fa mov %rdi,%rdx 6a99df: 48 89 f0 mov %rsi,%rax 6a99e2: 48 89 55 e0 mov %rdx,-0x20(%rbp) 6a99e6: 48 89 45 e8 mov %rax,-0x18(%rbp) 6a99ea: 48 8b 45 e0 mov -0x20(%rbp),%rax 6a99ee: 48 89 45 f0 mov %rax,-0x10(%rbp) 6a99f2: 48 8b 45 e8 mov -0x18(%rbp),%rax 6a99f6: 48 89 45 f8 mov %rax,-0x8(%rbp) 6a99fa: 48 8b 45 f0 mov -0x10(%rbp),%rax 6a99fe: 5d pop %rbp 6a99ff: c3 retq 00000000006bc3fa <ctiVMThrowTrampolineSlowpath>: 6bc3fa: 4c 89 ef mov %r13,%rdi 6bc3fd: e8 21 7c 00 00 callq 6c4023 <cti_vm_throw_slowpath> 6bc402: ff e2 jmpq *%rdx 914111 4 msaboff 2013-08-02 06:36:59 -0700 *** Bug 119441 has been marked as a duplicate of this bug. *** 914113 5 208008 msaboff 2013-08-02 06:38:33 -0700 Created attachment 208008 Patch 914117 6 jbriance 2013-08-02 06:48:47 -0700 LGTM: - run-javascriptcore-tests is OK on X86 64-bit release build - run-javascriptcore-tests is OK on X86 64-bit debug build - run-javascriptcore-tests is OK on X86 32-bit release build - run-javascriptcore-tests is OK on X86 32-bit debug build 914118 7 208008 ossy 2013-08-02 06:50:13 -0700 Comment on attachment 208008 Patch LGTM, r=me. 914142 8 208008 commit-queue 2013-08-02 07:44:55 -0700 Comment on attachment 208008 Patch Clearing flags on attachment: 208008 Committed r153646: <http://trac.webkit.org/changeset/153646> 914143 9 commit-queue 2013-08-02 07:44:58 -0700 All reviewed patches have been landed. Closing bug. 208008 2013-08-02 06:38:33 -0700 2013-08-02 07:44:55 -0700 Patch 119440.patch text/plain 3791 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTUzNjQ1KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDEzLTA4LTAyICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIFJFR1JFU1NJT04ocjE1MzYxMik6IEl0IG1hZGUganNjIGFuZCBsYXlvdXQgdGVzdHMgY3Jh c2gKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTExOTQ0 MAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIE1hZGUg dGhlIGNoYW5nZXMgaWYgY2hhbmdlc2V0IHIxNTM2MTIgb25seSBhcHBseSB0byAzMiBiaXQgYnVp bGRzLgorCisgICAgICAgICogaml0L0pJVEV4Y2VwdGlvbnMuY3BwOgorICAgICAgICAqIGppdC9K SVRFeGNlcHRpb25zLmg6CisgICAgICAgICogaml0L0pJVFN0dWJzLmNwcDoKKyAgICAgICAgKEpT Qzo6Y3RpX3ZtX3Rocm93X3Nsb3dwYXRoKToKKyAgICAgICAgKiBqaXQvSklUU3R1YnMuaDoKKwog MjAxMy0wOC0wMiAgUGF0cmljayBHYW5zdGVyZXIgIDxwYXJvZ2FAd2Via2l0Lm9yZz4KIAogICAg ICAgICBBZGQgSlNDVGVzdFJ1bm5lclV0aWxzIHRvIHRoZSBsaXN0IG9mIGZvcndhcmRpbmcgaGVh ZGVycyB0byBmaXggYnVpbGQuCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaml0L0pJVEV4 Y2VwdGlvbnMuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qaXQvSklU RXhjZXB0aW9ucy5jcHAJKHJldmlzaW9uIDE1MzYxMikKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS9qaXQvSklURXhjZXB0aW9ucy5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTUxLDEyICs1MSwxNCBA QCBzdGF0aWMgdW5zaWduZWQgZ2V0RXhjZXB0aW9uTG9jYXRpb24oVk0qCiAgICAgcmV0dXJuIGNh bGxGcmFtZS0+bG9jYXRpb25Bc0J5dGVjb2RlT2Zmc2V0KCk7CiB9CiAKKyNpZiBVU0UoSlNWQUxV RTMyXzY0KQogRW5jb2RlZEV4Y2VwdGlvbkhhbmRsZXIgZW5jb2RlKEV4Y2VwdGlvbkhhbmRsZXIg aGFuZGxlcikKIHsKICAgICBFeGNlcHRpb25IYW5kbGVyVW5pb24gdTsKICAgICB1LmhhbmRsZXIg PSBoYW5kbGVyOwogICAgIHJldHVybiB1LmVuY29kZWRIYW5kbGVyOwogfQorI2VuZGlmCiAKIEV4 Y2VwdGlvbkhhbmRsZXIgZ2VuZXJpY1Rocm93KFZNKiB2bSwgRXhlY1N0YXRlKiBjYWxsRnJhbWUs IEpTVmFsdWUgZXhjZXB0aW9uVmFsdWUsIHVuc2lnbmVkIHZQQ0luZGV4KQogewpJbmRleDogU291 cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9KSVRFeGNlcHRpb25zLmgKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9KSVRFeGNlcHRpb25zLmgJKHJldmlzaW9uIDE1MzYxMikK KysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qaXQvSklURXhjZXB0aW9ucy5oCSh3b3JraW5nIGNv cHkpCkBAIC00NCw2ICs0NCw3IEBAIHN0cnVjdCBFeGNlcHRpb25IYW5kbGVyIHsKICAgICB2b2lk KiBjYXRjaFJvdXRpbmU7CiB9OwogCisjaWYgVVNFKEpTVkFMVUUzMl82NCkKIC8vIEVuY29kZWRF eGNlcHRpb25IYW5kbGVyIGlzIHVzZWQgdG8gY29udmluY2UgdGhlIGNvbXBpbGVyIHRvIHJldHVy biBhbiBFeGNlcHRpb25IYW5kZXIKIC8vIHN0cnVjdCBpbiB0d28gcmVnaXN0ZXJzIGZvciAzMiBi aXQgYnVpbGRzLgogdHlwZWRlZiBpbnQ2NF90IEVuY29kZWRFeGNlcHRpb25IYW5kbGVyOwpAQCAt NTQsNiArNTUsNyBAQCB1bmlvbiBFeGNlcHRpb25IYW5kbGVyVW5pb24gewogfTsKIAogRW5jb2Rl ZEV4Y2VwdGlvbkhhbmRsZXIgZW5jb2RlKEV4Y2VwdGlvbkhhbmRsZXIpOworI2VuZGlmCiAKIEV4 Y2VwdGlvbkhhbmRsZXIgZ2VuZXJpY1Rocm93KFZNKiwgRXhlY1N0YXRlKiwgSlNWYWx1ZSBleGNl cHRpb25WYWx1ZSwgdW5zaWduZWQgdlBDSW5kZXgpOwogCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlw dENvcmUvaml0L0pJVFN0dWJzLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENv cmUvaml0L0pJVFN0dWJzLmNwcAkocmV2aXNpb24gMTUzNjEyKQorKysgU291cmNlL0phdmFTY3Jp cHRDb3JlL2ppdC9KSVRTdHVicy5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTIxNTYsMTIgKzIxNTYs MjEgQEAgREVGSU5FX1NUVUJfRlVOQ1RJT04odm9pZCosIHZtX3Rocm93KQogICAgIHJldHVybiBo YW5kbGVyLmNhbGxGcmFtZTsKIH0KIAorI2lmIFVTRShKU1ZBTFVFMzJfNjQpCiBFbmNvZGVkRXhj ZXB0aW9uSGFuZGxlciBKSVRfU1RVQiBjdGlfdm1fdGhyb3dfc2xvd3BhdGgoQ2FsbEZyYW1lKiBj YWxsRnJhbWUpCiB7CiAgICAgVk0qIHZtID0gY2FsbEZyYW1lLT5jb2RlQmxvY2soKS0+dm0oKTsK ICAgICB2bS0+dG9wQ2FsbEZyYW1lID0gY2FsbEZyYW1lOwogICAgIHJldHVybiBlbmNvZGUoaml0 VGhyb3dOZXcodm0sIGNhbGxGcmFtZSwgdm0tPmV4Y2VwdGlvbikpOwogfQorI2Vsc2UKK0V4Y2Vw dGlvbkhhbmRsZXIgSklUX1NUVUIgY3RpX3ZtX3Rocm93X3Nsb3dwYXRoKENhbGxGcmFtZSogY2Fs bEZyYW1lKQoreworICAgIFZNKiB2bSA9IGNhbGxGcmFtZS0+Y29kZUJsb2NrKCktPnZtKCk7Cisg ICAgdm0tPnRvcENhbGxGcmFtZSA9IGNhbGxGcmFtZTsKKyAgICByZXR1cm4gaml0VGhyb3dOZXco dm0sIGNhbGxGcmFtZSwgdm0tPmV4Y2VwdGlvbik7Cit9CisjZW5kaWYKIAogREVGSU5FX1NUVUJf RlVOQ1RJT04oRW5jb2RlZEpTVmFsdWUsIHRvX29iamVjdCkKIHsKSW5kZXg6IFNvdXJjZS9KYXZh U2NyaXB0Q29yZS9qaXQvSklUU3R1YnMuaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlw dENvcmUvaml0L0pJVFN0dWJzLmgJKHJldmlzaW9uIDE1MzYxMikKKysrIFNvdXJjZS9KYXZhU2Ny aXB0Q29yZS9qaXQvSklUU3R1YnMuaAkod29ya2luZyBjb3B5KQpAQCAtNDE2LDcgKzQxNiwxMiBA QCBFbmNvZGVkSlNWYWx1ZSBKSVRfU1RVQiBjdGlfb3BfcmVzb2x2ZV9zCiBFbmNvZGVkSlNWYWx1 ZSBKSVRfU1RVQiBjdGlfb3BfZ2V0X2Zyb21fc2NvcGUoU1RVQl9BUkdTX0RFQ0xBUkFUSU9OKSBX VEZfSU5URVJOQUw7CiB2b2lkIEpJVF9TVFVCIGN0aV9vcF9wdXRfdG9fc2NvcGUoU1RVQl9BUkdT X0RFQ0xBUkFUSU9OKSBXVEZfSU5URVJOQUw7CiAKKyNpZiBVU0UoSlNWQUxVRTMyXzY0KQogRW5j b2RlZEV4Y2VwdGlvbkhhbmRsZXIgSklUX1NUVUIgY3RpX3ZtX3Rocm93X3Nsb3dwYXRoKENhbGxG cmFtZSopIFJFRkVSRU5DRURfRlJPTV9BU00gV1RGX0lOVEVSTkFMOworI2Vsc2UKK0V4Y2VwdGlv bkhhbmRsZXIgSklUX1NUVUIgY3RpX3ZtX3Rocm93X3Nsb3dwYXRoKENhbGxGcmFtZSopIFJFRkVS RU5DRURfRlJPTV9BU00gV1RGX0lOVEVSTkFMOworI2VuZGlmCisKIH0gLy8gZXh0ZXJuICJDIgog CiAjZWxpZiBFTkFCTEUoTExJTlRfQ19MT09QKQo=