187255 2018-07-02 10:19:56 -0700 [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)) 2018-07-03 12:26:28 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=186989 InRadar P2 Normal --- 1 realdawei mark.lam ews-watchlist keith_miller lforschler mark.lam msaboff ryanhaddad saam webkit-bug-importer oldest_to_newest 1438531 0 realdawei 2018-07-02 10:19:56 -0700 The 32-bit JSC bot has been seeing 3900+ regressions since around June 23rd (r233121 - r233122) Previously had been 25000+ regressions starting around June 18th (r232953 - r232954) Sample run: https://build.webkit.org/builders/Apple%20High%20Sierra%2032-bit%20JSC%20%28BuildAndTest%29/builds/2220/steps/webkit-32bit-jsc-test/logs/stdio slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: /Volumes/Data/slave/highsierra-32bitJSC-debug/build/Source/JavaScriptCore/runtime/JSObjectInlines.h(335) : bool JSC::JSObject::putDirectInternal(JSC::VM &, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot &) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 1 0x28e51b WTFCrash slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 2 0x3cc740 bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 3 0x9d51be JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 4 0xeb8d74 JSC::CommonSlowPaths::putDirectWithReify(JSC::VM&, JSC::ExecState*, JSC::JSObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&, JSC::Structure**) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 5 0xeb9cca operationPutByIdDirectStrictOptimize slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 6 0x3149f2a3 slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 7 0x3149f7f6 slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 8 0x38d708 llint_entry slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 9 0x38d6b1 llint_entry slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 10 0x38d708 llint_entry slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 11 0x3875d0 vmEntryToJavaScript slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 12 0xe34089 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 13 0xe33526 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 14 0x1147132 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 15 0x12909f runWithOptions(GlobalObject*, CommandLine&, bool&) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 16 0xf9d0a jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 17 0xdf0ea int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 18 0xdd880 jscmain(int, char**) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 19 0xdd7a7 main slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: 20 0xa73f4611 start slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: test_script_14: line 2: 36453 Segmentation fault: 11 ( "$@" ../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --validateBytecode\=true --validateGraph\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true rest-parameter-allocation-elimination.js ) slowMicrobenchmarks.yaml/slowMicrobenchmarks/rest-parameter-allocation-elimination.js.no-cjit: ERROR: Unexpected exit code: 139 1438910 1 webkit-bug-importer 2018-07-03 11:50:28 -0700 <rdar://problem/41785257> 1438914 2 344201 mark.lam 2018-07-03 12:03:38 -0700 Created attachment 344201 proposed patch. 1438919 3 344201 saam 2018-07-03 12:15:57 -0700 Comment on attachment 344201 proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=344201&action=review > Source/JavaScriptCore/ChangeLog:9 > + The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties Do we really care about this assert on 32-bit since we don’t run concurrent JIT/GC? 1438922 4 mark.lam 2018-07-03 12:19:15 -0700 Thanks for the review. (In reply to Saam Barati from comment #3) > Comment on attachment 344201 [details] > proposed patch. > > View in context: > https://bugs.webkit.org/attachment.cgi?id=344201&action=review > > > Source/JavaScriptCore/ChangeLog:9 > > + The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties > > Do we really care about this assert on 32-bit since we don’t run concurrent > JIT/GC? Good point. I guess we don't care then, but it doesn't hurt to just have the code in parity with the 64-bit i.e. I won't make the change conditional on asserts being enabled. I'll land the patch shortly. 1438923 5 mark.lam 2018-07-03 12:21:35 -0700 (In reply to Mark Lam from comment #4) > (In reply to Saam Barati from comment #3) > > Do we really care about this assert on 32-bit since we don’t run concurrent > > JIT/GC? > > Good point. I guess we don't care then, but it doesn't hurt to just have > the code in parity with the 64-bit i.e. I won't make the change conditional > on asserts being enabled. I'll land the patch shortly. I'll also add a ChangeLog comment that this is only needed for an assertion, and not strictly needed because we son't useConcurrentGC on 32-bit. 1438926 6 mark.lam 2018-07-03 12:26:28 -0700 Landed in r233473: <http://trac.webkit.org/r233473>. 344201 2018-07-03 12:03:38 -0700 2018-07-03 12:15:57 -0700 proposed patch. bug-187255.patch text/plain 1934 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjMzNDY5KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBA CisyMDE4LTA3LTAzICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBb MzItYml0IEpTQyB0ZXN0c10gQVNTRVJUSU9OIEZBSUxFRDogIWdldERpcmVjdChvZmZzZXQpIHx8 ICFKU1ZhbHVlOjplbmNvZGUoZ2V0RGlyZWN0KG9mZnNldCkpLgorICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTg3MjU1CisgICAgICAgIDxyZGFyOi8vcHJv YmxlbS80MTc4NTI1Nz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICBUaGUgMzItYml0IEpJVDo6ZW1pdF9vcF9jcmVhdGVfdGhpcygpIG5lZWRzIHRvIGlu aXRpYWxpemUgdW5pbml0aWFsaXplZCBwcm9wZXJ0aWVzCisgICAgICAgIHRvbzogYmFzaWNhbGx5 LCBkbyB3aGF0IHRoZSA2NC1iaXQgY29kZSBpcyBkb2luZy4KKworICAgICAgICBUaGlzIGlzc3Vl IGlzIGFscmVhZHkgY292ZXJlZCBieSB0aGUgc2xvd01pY3JvYmVuY2htYXJrcy9yZXN0LXBhcmFt ZXRlci1hbGxvY2F0aW9uLWVsaW1pbmF0aW9uLmpzCisgICAgICAgIHRlc3QuCisKKyAgICAgICAg KiBqaXQvSklUT3Bjb2RlczMyXzY0LmNwcDoKKyAgICAgICAgKEpTQzo6SklUOjplbWl0X29wX2Ny ZWF0ZV90aGlzKToKKwogMjAxOC0wNy0wMyAgWXVzdWtlIFN1enVraSAgPHV0YXRhbmUudGVhQGdt YWlsLmNvbT4KIAogICAgICAgICBbSlNDXSBNb3ZlIHNsb3dEb3duQW5kV2FzdGVNZW1vcnkgZnVu Y3Rpb24gdG8gSlNBcnJheUJ1ZmZlclZpZXcKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9q aXQvSklUT3Bjb2RlczMyXzY0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENv cmUvaml0L0pJVE9wY29kZXMzMl82NC5jcHAJKHJldmlzaW9uIDIzMzQ2NikKKysrIFNvdXJjZS9K YXZhU2NyaXB0Q29yZS9qaXQvSklUT3Bjb2RlczMyXzY0LmNwcAkod29ya2luZyBjb3B5KQpAQCAt OTYyLDYgKzk2MiwxMCBAQCB2b2lkIEpJVDo6ZW1pdF9vcF9jcmVhdGVfdGhpcyhJbnN0cnVjdGlv CiAgICAgSnVtcExpc3Qgc2xvd0Nhc2VzOwogICAgIGF1dG8gYnV0dGVyZmx5ID0gVHJ1c3RlZElt bVB0cihudWxscHRyKTsKICAgICBlbWl0QWxsb2NhdGVKU09iamVjdChyZXN1bHRSZWcsIEpJVEFs bG9jYXRvcjo6dmFyaWFibGUoKSwgYWxsb2NhdG9yUmVnLCBzdHJ1Y3R1cmVSZWcsIGJ1dHRlcmZs eSwgc2NyYXRjaFJlZywgc2xvd0Nhc2VzKTsKKyAgICBlbWl0TG9hZFBheWxvYWQoY2FsbGVlLCBz Y3JhdGNoUmVnKTsKKyAgICBsb2FkUHRyKEFkZHJlc3Moc2NyYXRjaFJlZywgSlNGdW5jdGlvbjo6 b2Zmc2V0T2ZSYXJlRGF0YSgpKSwgc2NyYXRjaFJlZyk7CisgICAgbG9hZDMyKEFkZHJlc3Moc2Ny YXRjaFJlZywgRnVuY3Rpb25SYXJlRGF0YTo6b2Zmc2V0T2ZPYmplY3RBbGxvY2F0aW9uUHJvZmls ZSgpICsgT2JqZWN0QWxsb2NhdGlvblByb2ZpbGU6Om9mZnNldE9mSW5saW5lQ2FwYWNpdHkoKSks IHNjcmF0Y2hSZWcpOworICAgIGVtaXRJbml0aWFsaXplSW5saW5lU3RvcmFnZShyZXN1bHRSZWcs IHNjcmF0Y2hSZWcpOwogICAgIGFkZFNsb3dDYXNlKHNsb3dDYXNlcyk7CiAgICAgZW1pdFN0b3Jl Q2VsbChjdXJyZW50SW5zdHJ1Y3Rpb25bMV0udS5vcGVyYW5kLCByZXN1bHRSZWcpOwogfQo=