136124 2014-08-21 01:04:45 -0700 New tests introduced in r172794 fail on 32 bit platforms 2014-08-26 11:32:25 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED InRadar P1 Critical --- 108645 136056 1 ossy mark.lam clopez fpizlo ggaren mark.lam msaboff ossy webkit-bug-importer oldest_to_newest 1030468 0 ossy 2014-08-21 01:04:45 -0700 The new tests fail on all 32 bit platforms. Apple Mac 32 bit: - before: http://build.webkit.org/builders/Apple%20Mavericks%2032-bit%20JSC%20%28BuildAndTest%29/builds/3679 (0 failures) - after: http://build.webkit.org/builders/Apple%20Mavericks%2032-bit%20JSC%20%28BuildAndTest%29/builds/3679 (22 failures) - failures: stress/for-in-tests.js and stress/for-in-base-reassigned-later-and-change-structure.js EFL ARM Thumb2: - before: http://build.webkit.sed.hu/builders/EFL%20ARMv7%20Linux%20Release%20%28Build%29/builds/5690 (165 failures) - after: http://build.webkit.sed.hu/builders/EFL%20ARMv7%20Linux%20Release%20%28Build%29/builds/5691 (171 failures) - only stress/for-in-base-reassigned-later-and-change-structure.js fails EFL ARM Traditional: - before: http://build.webkit.sed.hu/builders/EFL%20ARMv7%20Traditional%20Linux%20Release%20%28Build%29/builds/6372 (7 failures) - after: http://build.webkit.sed.hu/builders/EFL%20ARMv7%20Traditional%20Linux%20Release%20%28Build%29/builds/6372 (13 failures) - only stress/for-in-base-reassigned-later-and-change-structure.js fails 1030581 1 mark.lam 2014-08-21 16:22:27 -0700 The failure occurs at: (lldb) bt 15 * thread #1: tid = 0x64e02f, 0x008f8502 JavaScriptCore`WTFCrash + 50 at Assertions.cpp:329, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x008f8502 JavaScriptCore`WTFCrash + 50 at Assertions.cpp:329 frame #1: 0x003d82b8 JavaScriptCore`JSC::DFG::RegisterBank<JSC::GPRInfo>::allocate(this=0x028e2da8, spillMe=0xbfff8560) + 296 at DFGRegisterBank.h:138 frame #2: 0x003b4305 JavaScriptCore`JSC::DFG::SpeculativeJIT::allocate(this=0x028e2a00) + 85 at DFGSpeculativeJIT.h:189 frame #3: 0x003e1f0e JavaScriptCore`JSC::DFG::SpeculativeJIT::fillSpeculateCell(this=0x028e2a00, edge=Edge at 0xbfff8724) + 1422 at DFGSpeculativeJIT32_64.cpp:908 frame #4: 0x003b3e31 JavaScriptCore`JSC::DFG::SpeculateCellOperand::gpr(this=0xbfffa450) + 193 at DFGSpeculativeJIT.h:3094 frame #5: 0x004025fd JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x028e2a00, node=0x06002788) + 107133 at DFGSpeculativeJIT32_64.cpp:4726 frame #6: 0x003962e5 JavaScriptCore`JSC::DFG::SpeculativeJIT::compileCurrentBlock(this=0x028e2a00) + 1941 at DFGSpeculativeJIT.cpp:1449 frame #7: 0x00396c22 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x028e2a00) + 226 at DFGSpeculativeJIT.cpp:1561 frame #8: 0x00311250 JavaScriptCore`JSC::DFG::JITCompiler::compileBody(this=0xbfffdcc0) + 48 at DFGJITCompiler.cpp:113 frame #9: 0x0031344d JavaScriptCore`JSC::DFG::JITCompiler::compileFunction(this=0xbfffdcc0) + 541 at DFGJITCompiler.cpp:349 frame #10: 0x00381c47 JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x06f7b610, longLivedState=0x01d735a0) + 1815 at DFGPlan.cpp:297 frame #11: 0x00381144 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x06f7b610, longLivedState=0x01d735a0, threadData=0x00000000) + 436 at DFGPlan.cpp:162 frame #12: 0x002cc09d JavaScriptCore`JSC::DFG::compileImpl(vm=0x020cd400, codeBlock=0x06f7ad40, profiledDFGCodeBlock=0x00000000, mode=DFGMode, osrEntryBytecodeIndex=85, mustHandleValues=0xbfffe828, callback=0xbfffe6b8) + 1853 at DFGDriver.cpp:104 frame #13: 0x002cb8f2 JavaScriptCore`JSC::DFG::compile(vm=0x020cd400, codeBlock=0x06f7ad40, profiledDFGCodeBlock=0x00000000, mode=DFGMode, osrEntryBytecodeIndex=85, mustHandleValues=0xbfffe828, passedCallback=0xbfffe7e8) + 194 at DFGDriver.cpp:122 frame #14: 0x00548b39 JavaScriptCore`operationOptimize(exec=0xbfffea08, bytecodeIndex=85) + 2793 at JITOperations.cpp:1196 (lldb) up [0x0000000000000000 - 0x0000000000000151) [0x0000000000000151 - 0x0000000000000288) [0x0000000000000288 - 0x00000000000002b2) [0x00000000000002b2 - 0x00000000000002bc) [0x00000000000002bc - 0x0000000000005576) frame #1: 0x003d82b8 JavaScriptCore`JSC::DFG::RegisterBank<JSC::GPRInfo>::allocate(this=0x028e2da8, spillMe=0xbfff8560) + 296 at DFGRegisterBank.h:138 135 } 136 137 // Deadlock check - this could only occur is all registers are locked! -> 138 ASSERT(currentLowest != NUM_REGS && currentSpillOrder != SpillHintInvalid); 139 // There were no available registers; currentLowest will need to be spilled. 140 return allocateInternal(currentLowest, spillMe); 141 } (lldb) p currentLowest (uint32_t) $0 = 6 (lldb) p currentSpillOrder (SpillHint) $1 = 4294967295 (lldb) p/x currentSpillOrder (SpillHint) $2 = 0xffffffff The comment explains the crash: "this could only occur is all registers are locked!" 1030582 2 webkit-bug-importer 2014-08-21 16:22:45 -0700 <rdar://problem/18095915> 1031380 3 mark.lam 2014-08-26 08:29:22 -0700 This issue has been fix in https://bugs.webkit.org/show_bug.cgi?id=136165 and https://bugs.webkit.org/show_bug.cgi?id=136187. Closing as a dup. *** This bug has been marked as a duplicate of bug 136165 *** 1031408 4 ossy 2014-08-26 10:56:30 -0700 Reopen, because https://trac.webkit.org/changeset/172959 fixes only X86, but not ARM Traditional and ARM Thumb2. 1031427 5 msaboff 2014-08-26 11:32:25 -0700 This defect is really a duplicate or covered by two other defects. <https://bugs.webkit.org/show_bug.cgi?id=136165> - "REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests." and <https://bugs.webkit.org/show_bug.cgi?id=136187> - "REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result". The fix for 136165 was landed in change set r172959: <http://trac.webkit.org/changeset/172959> The fix for 136187 was landed in change set r172962: <http://trac.webkit.org/changeset/172962>