151440 2015-11-19 03:03:52 -0800 REGRESSION(r192599): It made 34 JSC tests crash on ARM Linux 2015-11-20 02:38:57 -0800 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED DUPLICATE 151445 P1 Critical --- 108645 151415 1 ossy webkit-unassigned cgarcia clopez ggaren mark.lam mcatanzaro ossy zan oldest_to_newest 1143244 0 ossy 2015-11-19 03:03:52 -0800 https://trac.webkit.org/changeset/192599 made 34 JSC stress tests crash at least on ARM Linux platforms. (ARMv7 - ARM and Thumb2 instruction sets too; AArch64) Maybe these tests fail on iOS too, but unfortunately there is no public iOS buildbot, so I don't know. - https://build.webkit.org/builders/EFL%20Linux%20ARMv7%20Traditional%20Release/builds/16061 - https://build.webkit.org/builders/EFL%20Linux%20ARMv7%20Thumb2%20Release/builds/16212 - https://build.webkit.org/builders/EFL%20Linux%20AArch64%20Release/builds/4416 (note: there were 25-30 failures on AArch64 before this change) ** The following JSC stress test failures have been introduced: jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-osr-exit.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-arguments-alias-one-block-overwrite-arguments.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js.layout-no-llint regress/script-tests/v8-raytrace-with-empty-try-catch.js.dfg-maximal-flush-validate-no-cjit stress/double-rep-with-null.js.always-trigger-copy-phase stress/double-rep-with-null.js.default stress/double-rep-with-undefined.js.dfg-maximal-flush-validate-no-cjit stress/double-rep-with-undefined.js.no-cjit-validate-phases stress/double-rep-with-undefined.js.no-llint stress/op_add.js.always-trigger-copy-phase stress/op_add.js.default stress/op_add.js.dfg-eager stress/op_add.js.dfg-eager-no-cjit-validate stress/op_add.js.dfg-maximal-flush-validate-no-cjit stress/op_add.js.no-cjit-validate-phases stress/op_add.js.no-llint stress/op_sub.js.always-trigger-copy-phase stress/op_sub.js.default stress/op_sub.js.dfg-eager stress/op_sub.js.dfg-eager-no-cjit-validate stress/op_sub.js.dfg-maximal-flush-validate-no-cjit stress/op_sub.js.no-cjit-validate-phases stress/op_sub.js.no-llint stress/v8-raytrace-strict.js.dfg-maximal-flush-validate-no-cjit v8-v6/v8-raytrace.js.dfg-maximal-flush-validate-no-cjit I'll try to create debug backtraces in the following week to help fixing this regression. 1143245 1 ossy 2015-11-19 03:04:34 -0800 ah, the forgot the GTK ARM link: - https://build.webkit.org/builders/GTK%20Linux%20ARM%20Release/builds/9377 1143274 2 mcatanzaro 2015-11-19 05:29:25 -0800 Looks serious enough for a rollout? What do you think, Mark? 1143276 3 ossy 2015-11-19 05:35:05 -0800 (In reply to comment #2) > Looks serious enough for a rollout? What do you think, Mark? Generally we don't rollout any JSC patch which cause build failure or test regression on non Apple ports. 1143279 4 mark.lam 2015-11-19 05:44:11 -0800 Can someone run run-javascriptcore-tests manually on ARM, and post an actual crash trace? Thanks. 1143284 5 mark.lam 2015-11-19 08:22:37 -0800 I just finished a release build run on ARMv7 without any issues. I will also do runs with debug builds and ARM64, but I suspect that this issue needs to be debugged on the EFL port. 1143285 6 mark.lam 2015-11-19 08:24:26 -0800 (In reply to comment #5) > I just finished a release build run on ARMv7 without any issues. I will > also do runs with debug builds and ARM64, but I suspect that this issue > needs to be debugged on the EFL port. I take that back. My build did not include the change. Will re-test. 1143286 7 ossy 2015-11-19 08:28:54 -0800 (In reply to comment #4) > Can someone run run-javascriptcore-tests manually on ARM, and post an actual > crash trace? Thanks. I tried to generate backtrack on ARMv7, but unfortunately gdb crashes on debug build of JSC. :( But it seems the bug is in the DFG JIT somewhere, because stress/op_sub.js passes with disable DFG, but crashes by default. I had a release backtrace. I don't think if it helps, but who knows. #0 0x00000000 in ?? () (gdb) bt #0 0x00000000 in ?? () #1 0xb6d83d56 in llint_entry () from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1 #2 0xb6d83d56 in llint_entry () from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1 #3 0xb6d83da0 in llint_entry () from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1 #4 0xb6d7ebe0 in vmEntryToJavaScript () from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1 #5 0xb6b4956a in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) () from /home/webkitbuildbot/slaves/efl-thumb2-official/buildslave/efl-linux-armv7-thumb2-release/build/WebKitBuild/Release/lib/libjavascriptcore_efl.so.1 #6 0xdfacb3fc in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) I'll try to create a debug backtrace on AArch64, but I will have time for it only tomorrow morning (in CET timezone). 1143333 8 mark.lam 2015-11-19 10:29:12 -0800 I found one issue in https://bugs.webkit.org/show_bug.cgi?id=151445 which is now fixed. With that fix, I was able to run the JSC tests with a release build of ToT r192631 to completion without any of the failures reported in this bug. Let me know if you're still seeing any failures. 1143354 9 zan 2015-11-19 11:28:07 -0800 (In reply to comment #8) > I found one issue in https://bugs.webkit.org/show_bug.cgi?id=151445 which is > now fixed. With that fix, I was able to run the JSC tests with a release > build of ToT r192631 to completion without any of the failures reported in > this bug. Let me know if you're still seeing any failures. This does fix the problem for me locally, ARMv7 with Thumb2. I'll leave it to Ossy to confirm, and to close the bug. Thanks for the prompt fix. 1143607 10 ossy 2015-11-20 02:38:57 -0800 bug151445 fixed all tests, thanks. *** This bug has been marked as a duplicate of bug 151445 ***