V8 crashes when running whole WebGL 2.0.0 conformance tests
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36

Steps to reproduce the problem:
1. Start latest Chromium on Linux with option "--enable-unsafe-es3-apis"
2. Run webgl 2.0.0 conformance test via "https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html?version=2.0.0&run"
3. When testing the case "deqp/functional/gles3/builtinprecision/sin.html", I got the fatal error below from V8.

#
# Fatal error in ../../v8/src/runtime/runtime-maths.cc, line 55
# Check failed: result->byte_length() == Smi::FromInt(2 * sizeof(double)).
#

==== C stack trace ===============================

 1: 0x7f37231b51b5
 2: 0x7f3723030031
 3: 0x2417a6606327
Received signal 4 ILL_ILLOPN 7f37231b5d6f
Received signal 11 SEGV_MAPERR 003000000020

Note that if I only run this case (clicking the run button before deqp/functional/gles3/builtinprecision/sin.html), or even run the whole precision tests (clicking the run button before all/deqp/functional/gles3/builtinprecision), V8 won't crash.

What is the expected behavior?
The whole WebGL 2.0.0 conformance tests can run well.

What went wrong?
This is a regression due to a commit in V8 on Jun 8:

commit 8e02f47ea1e648038a126869215479aaca00c7fe
Author: mstarzinger <mstarzinger@chromium.org>
Date:   Wed Jun 8 02:27:08 2016 -0700

    [runtime] Deprecate RUNTIME_ASSERT from primitive ops.

    This removes explicit uses of the RUNTIME_ASSERT macro from some runtime methods. The implicit ones in CONVERT_FOO_ARG_CHECKED will be addressed in a separate CL for all runtime modules at once.

    R=verwaest@chromium.org
    BUG= v8:5066

    Review-Url: https://codereview.chromium.org/2041353003
    Cr-Commit-Position: refs/heads/master@{#36815}

diff --git a/src/runtime/runtime-maths.cc b/src/runtime/runtime-maths.cc
index ee8c289..b66219a 100644
--- a/src/runtime/runtime-maths.cc
+++ b/src/runtime/runtime-maths.cc
@@ -52,7 +52,7 @@ RUNTIME_FUNCTION(Runtime_RemPiO2) { DCHECK(args.length() == 2); CONVERT_DOUBLE_ARG_CHECKED(x, 0); CONVERT_ARG_CHECKED(JSTypedArray, result, 1); - RUNTIME_ASSERT(result->byte_length() == Smi::FromInt(2 * sizeof(double))); + CHECK(result->byte_length() == Smi::FromInt(2 * sizeof(double))); FixedFloat64Array* array = FixedFloat64Array::cast(result->elements()); double* y = static_cast<double*>(array->DataPtr()); return Smi::FromInt(fdlibm::rempio2(x, y)); This is a change just using CHECK instead of RUNTIME_ASSERT. Though this commit caused the regression, it's not the root cause. Did this work before? Yes Chrome version: 51.0.2704.63 Channel: n/a OS Version: 16.04 Flash Version: Shockwave Flash 21.0 r0
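Review bot: Promoting the byte_length check in Runtime_RemPiO2 from RUNTIME_ASSERT to CHECK makes a failed argument check fatal, and this report shows the invariant is violated in practice: the crash is exactly "Check failed: result->byte_length() == Smi::FromInt(2 * sizeof(double))" at runtime-maths.cc line 55, followed by SIGILL and SIGSEGV, so the hunk turned a latent size mismatch into a renderer crash. Before hardening this line, the CL should establish that every caller passes a typed array of exactly 2 * sizeof(double) bytes as argument 1, and the reason a differently sized array reaches this runtime function during the full conformance run should be tracked as its own bug, since, as the reporter notes, this change is the trigger rather than the root cause.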
Comment 1 by qiankun....@intel.com, Jun 15 2016

Jun 15 2016

Jun 17 2016
mstarzinger@ I think you wanted to collect those errors as part of the PE fixit, right? Could you please reroute it to the right person?

Jun 17 2016

Jun 17 2016

Jun 17 2016
Yes, I am interested in this. Unfortunately I will be gone the entire next week and won't have time to look into it. Michael Stanton graciously agreed to find someone else to look at it in the meantime if it needs urgent attention. Thanks!

Dec 20 2016
It seems unlikely that this bug is still around, given the function in question doesn't seem to even exist anymore. Can anyone confirm?

Dec 20 2016
I just had a try and the bug no longer exists. Please close this.

Dec 20 2016
Thanks, Yang.