mjsunit/wasm/js-api failing on GC stress
Issue description

Seems like a flaky failure that became reliable after 470a10015d6d

Test: mjsunit/wasm/js-api
Flags: --stress-opt --always-opt
Command:
/b/swarm_slave/w/ir/out/Debug/d8 --test --random-seed=-2135455718 --stress-opt --always-opt --nohard-abort --enable-slow-asserts --verify-heap --expose-wasm --allow-natives-syntax /b/swarm_slave/w/ir/test/mjsunit/mjsunit.js /b/swarm_slave/w/ir/test/mjsunit/wasm/js-api.js --gc-interval=500 --stress-compaction --concurrent-recompilation-queue-length=64 --concurrent-recompilation-delay=500 --concurrent-recompilation

Build environment:
gn_args:
is_component_build = true
is_debug = true
target_cpu = "x86"
use_goma = true
v8_enable_backtrace = true
v8_enable_slow_dchecks = true
v8_test_isolation_mode = "prepare"

Run #1
Exit code: -11
Result: CRASH
Expected outcomes: PASS
Duration: 00:03:536

Stdout:
============ Stress 1/2 ============
============ Stress 2/2 ============

Stderr:
Received signal 11 SEGV_MAPERR 000059700004
==== C stack trace ===============================
[0x0000017c913f] [0x000099ff9deb] [0x0000ffffffff] [0x00000075d78d] [0x00000075d6c8] [0x0000006f0c39] [0x000000966c5d] [0x0000009a42f7] [0x0000009a427b] [0x0000009a3db1] [0x00000090b64d] [0x00000075de57] [0x00000074be1e] [0x0000006fd7b3] [0x0000006feb07] [0x000000702ad2] [0x0000006906be] [0x000000b2fd61] [0x000000b294aa] [0x000000b28ad7] [0x00005e58628a]
[end of stack trace]

Run #2
Exit code: -11
Result: CRASH
Expected outcomes: PASS
Duration: 00:03:555
Aug 3 2017
Hi Jaro,

the crash happens in the GC when the GC iterates over a turbofanned code object which is marked for deoptimization and visits a pointer to an object which does not exist anymore. The code object is not a WebAssembly code object. Could this be a deoptimization issue which by accident pops up in a WebAssembly test?

This issue rarely reproduces with the command provided above, or other commands I tried, but it reproduces quite well with

./tools/run-tests.py --arch=ia32 --mode=debug --outdir=$(pwd)/out/x86 mjsunit/wasm/js-api --random-seed-stress-count=1000 --extra-flags=" --stress-opt --always-opt --nohard-abort --enable-slow-asserts --verify-heap --expose-wasm --allow-natives-syntax --gc-interval=500 --stress-compaction --concurrent-recompilation-queue-length=64 --concurrent-recompilation-delay=500 --concurrent-recompilation"

(thanks Ulan)
Aug 3 2017
I am testing with revision 47136, and it does not crash. I tested with the exact same gn args and with the command line from #4. Which revision was crashy for you? Do you by any chance remember the RelocInfo kind of the reference from the code object? At the moment, we only reset EMBEDDED_OBJECT references on deopt, but perhaps we need to fix more reloc kinds.
Aug 3 2017
Indeed, it does not crash anymore on ToT. It still crashes nicely at commit c2ef5fa95c6b40a9ba1269e8b918d4c71131f9fd (which I picked as one of today's earlier commits).
Aug 3 2017
DCHECK(rinfo->rmode() == RelocInfo::EMBEDDED_OBJECT); is true just before the crashing call site.
Aug 23 2017
Fixed by:

Author: Juliana Franco <jupvfranco@google.com>
AuthorDate: 2017-08-04 10:45:33 +0200
Commit: Commit Bot <commit-bot@chromium.org>
CommitDate: 2017-08-04 12:13:58 +0000

Fixing failure on GC stress.

This bug was introduced by the CL
https://chromium-review.googlesource.com/c/586707

With these changes we make sure that the object being deoptimized does not point to code objects that have been already collected. The CL https://chromium-review.googlesource.com/c/596027 did not fix this problem because we were only invalidating embedded objects reachable from the stack, however it is possible that there are some dangling references in objects not on the stack. Thus we consider all the optimized code objects that are marked for deoptimization.

Bug: v8:751825
Change-Id: I3a6410c2bf556fa254c54a25e1f49d7356b9e51d
Reviewed-on: https://chromium-review.googlesource.com/601967
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47163}
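Added example, not V8 code and not part of the original thread: a toy C++ model of the difference the commit message above describes, between resetting embedded references only in code found on the stack and resetting them in every code object marked for deoptimization. All names (Code, Heap, InvalidateEmbedded, CountDanglingSlots) and the scenario are hypothetical.

```cpp
#include <cstddef>
#include <unordered_set>
#include <vector>
// Toy model, not V8 code. Objects are integer ids; kCleared marks a reset slot.
const int kCleared = -1;

struct Code {                      // stand-in for an optimized code object
  bool marked_for_deopt;
  bool on_stack;                   // has an activation on the stack
  std::vector<int> embedded;       // embedded object references
};

struct Heap {
  std::unordered_set<int> live;    // ids of objects that still exist
  std::vector<Code> codes;
};

// stack_only=true: earlier approach; false: all code marked for deoptimization.
void InvalidateEmbedded(Heap& h, bool stack_only) {
  for (Code& c : h.codes)
    if (c.marked_for_deopt && (c.on_stack || !stack_only))
      for (int& slot : c.embedded) slot = kCleared;
}

// Stand-in for the GC visiting code objects: counts slots that still point at
// an object that no longer exists (each one would be an invalid access).
std::size_t CountDanglingSlots(const Heap& h) {
  std::size_t n = 0;
  for (const Code& c : h.codes)
    for (int slot : c.embedded)
      if (slot != kCleared && h.live.count(slot) == 0) ++n;
  return n;
}

// Constructed scenario: only object 1 survives; objects 2 and 3 were collected.
Heap MakeScenario() {
  Heap h;
  h.live.insert(1);
  h.codes.push_back(Code{true, true, {1, 2}});    // marked, on the stack
  h.codes.push_back(Code{true, false, {2, 3}});   // marked, not on the stack
  h.codes.push_back(Code{false, false, {1}});     // not marked, target is live
  return h;
}

int main() {
  Heap h = MakeScenario();
  InvalidateEmbedded(h, false);
  return CountDanglingSlots(h) == 0 ? 0 : 1;
}
```

In this model the stack-only pass leaves the two slots of the off-stack code object dangling, which is the situation the GC walk runs into; the pass over all marked code objects leaves none and does not touch code that is not marked.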
Aug 16
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/6772b400369fe0251b6b91e258c129717ff30f51

commit 6772b400369fe0251b6b91e258c129717ff30f51
Author: Ben L. Titzer <titzer@chromium.org>
Date: Thu Aug 16 14:19:02 2018

[wasm] Enable some disabled WASM tests

R=ahaas@chromium.org

Bug: chromium:751825 , chromium:773631
Change-Id: I87f6e9859b6adfe46adde7bf08fd16978035aa1f
Reviewed-on: https://chromium-review.googlesource.com/1177702
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55165}

[modify] https://crrev.com/6772b400369fe0251b6b91e258c129717ff30f51/test/mjsunit/mjsunit.status
Comment 1 by bugdroid1@chromium.org, Aug 2 2017