JSCore crashes on ppc64el

Description of problem:
I notice this issue trying to build 'seed' on rawhide. Here is the error message during seed build:

Making all in readline
make[4]: Entering directory `/builddir/fedora/seed/master/seed-3.8.1/doc/modules/readline'
../../../src/seed ../../../doc/modules/make-functions.js ../../../doc/modules/readline/readline.js > ../../../doc/modules/readline/readline-funcs.xml
1 0x3fff92ed6f5c /lib64/libjavascriptcoregtk-3.0.so.0(WTFCrash-0x14038c) [0x3fff92ed6f5c]
2 0x3fff92ef99c8 /lib64/libjavascriptcoregtk-3.0.so.0(_ZN3WTF11OSAllocator6commitEPvmbb-0x11e6a0) [0x3fff92ef99c8]
3 0x3fff92c40120 /lib64/libjavascriptcoregtk-3.0.so.0(_ZN3JSC7JSStack12growSlowCaseEPNS_8RegisterE-0x3c8b78) [0x3fff92c40120]
4 0x3fff92c3de68 /lib64/libjavascriptcoregtk-3.0.so.0(_ZN3JSC7JSStack10entryCheckEPNS_9CodeBlockEi-0x3cab20) [0x3fff92c3de68]
5 0x3fff92c3c5d0 /lib64/libjavascriptcoregtk-3.0.so.0(_ZN3JSC11Interpreter7executeEPNS_17ProgramExecutableEPNS_9ExecStateEPNS_8JSObjectE-0x3cc638) [0x3fff92c3c5d0]
6 0x3fff92d40a28 /lib64/libjavascriptcoregtk-3.0.so.0(_ZN3JSC8evaluateEPNS_9ExecStateERKNS_10SourceCodeENS_7JSValueEPS5_-0x2cda90) [0x3fff92d40a28]
7 0x3fff92b2ec30 /lib64/libjavascriptcoregtk-3.0.so.0(JSEvaluateScript-0x4d1aa8) [0x3fff92b2ec30]
8 0x3fff9333128c /builddir/fedora/seed/master/seed-3.8.1/libseed/.libs/libseed-gtk3.so.0(seed_simple_evaluate-0x2f90c) [0x3fff9333128c]
9 0x3fff93336c6c /builddir/fedora/seed/master/seed-3.8.1/libseed/.libs/libseed-gtk3.so.0(seed_init_constrained_with_context_and_group-0x2a3ec) [0x3fff93336c6c]
10 0x3fff93336f04 /builddir/fedora/seed/master/seed-3.8.1/libseed/.libs/libseed-gtk3.so.0(seed_init_with_context_and_group-0x2a164) [0x3fff93336f04]
11 0x3fff93337028 /builddir/fedora/seed/master/seed-3.8.1/libseed/.libs/libseed-gtk3.so.0(seed_init_with_context_group-0x2a050) [0x3fff93337028]
12 0x3fff933370a0 /builddir/fedora/seed/master/seed-3.8.1/libseed/.libs/libseed-gtk3.so.0(seed_init-0x29fe8) [0x3fff933370a0]
13 0x100010dc /builddir/fedora/seed/master/seed-3.8.1/src/.libs/lt-seed() [0x100010dc]
14 0x3fff931166ec /lib64/libc.so.6(+0x466ec) [0x3fff931166ec]
15 0x3fff931168f4 /lib64/libc.so.6(__libc_start_main-0x1aaf0c) [0x3fff931168f4]
/bin/sh: line 1: 4677 Segmentation fault ../../../src/seed ../../../doc/modules/make-functions.js ../../../doc/modules/readline/readline.js > ../../../doc/modules/readline/readline-funcs.xml

And here is a backtrace from gdb:

(gdb) bt
#0 0x00003fffb7916f70 in WTFCrash () at Source/WTF/wtf/Assertions.cpp:333
#1 0x00003fffb79399c8 in WTF::OSAllocator::commit (address=0x3fffb39cc000, bytes=16384, writable=<optimized out>, executable=<optimized out>)
    at Source/WTF/wtf/OSAllocatorPosix.cpp:134
#2 0x00003fffb7680120 in commit (this=0x3fffb44cef38, this=0x3fffb44cef38, this=0x3fffb44cef38, size=<optimized out>, start=<optimized out>)
    at Source/WTF/wtf/PageReservation.h:85
#3 JSC::JSStack::growSlowCase (this=0x3fffb44cef18, newEnd=0x3fffb39cff70) at Source/JavaScriptCore/interpreter/JSStack.cpp:89
#4 0x00003fffb767de68 in grow (newEnd=<optimized out>, this=0x3fffb44cef18) at Source/JavaScriptCore/interpreter/JSStackInlines.h:180
#5 JSC::JSStack:...

I tried changing commitSize to 64k and I got another segfault, though it might be a different, unrelated, issue. Here is the stack trace using commitSize as 64k:

#0 JSC::LLInt::CLoop::execute (callFrame=0x3fffb39cff98, entryOpcode=0x3fffb44f0d28, isInitializationPass=false)
    at DerivedSources/JavaScriptCore/LLIntAssembly.h:2283
#1 0x00003fffb7692c94 in executeJS (executableAddress=0x3fffb7693510 <JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool)+944>,
    newCallFrame=<optimized out>) at Source/JavaScriptCore/llint/LLIntThunks.cpp:132
#2 doCallToJavaScript<JSC::executeJS> (protoCallFrame=0x3fffffffe308,
    executableAddress=0x3fffb7693510 <JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool)+944>) at Source/JavaScriptCore/llint/LLIntThunks.cpp:122
#3 JSC::callToJavaScript (executableAddress=0x3fffb7693510 <JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool)+944>, protoCallFrame=0x3fffffffe308)
    at Source/JavaScriptCore/llint/LLIntThunks.cpp:137
#4 0x00003fffb7681dec in JSC::JITCode::execute (this=<optimized out>, vm=0x3fffb44b4000, protoCallFrame=0x3fffffffe308, topOfStack=0x3fffb39cfff8)
    at Source/JavaScriptCore/jit/JITCode.cpp:48
#5 0x00003fffb767c6ac in JSC::Interpreter::execute (this=0x3fffb44cef00, program=0x3fffb34eff70, callFrame=0x3fffb359f9b0, thisObj=<optimized out>)
    at Source/JavaScriptCore/interpreter/Interpreter.cpp:906
#6 0x00003fffb7780a48 in JSC::evaluate (exec=0x3fffb359f9b0, source=..., thisValue=..., returnedException=0x3fffffffee00)
    at Source/JavaScriptCore/runtime/Completion.cpp:82
#7 0x00003fffb756ec30 in JSEvaluateScript (ctx=<optimized out>, script=0x3fffb44b3258, thisObject=0x0, sourceURL=<optimized out>,
    startingLineNumber=<optimized out>, exception=0x0) at Source/JavaScriptCore/API/JSBase.cpp:63
#8 0x00003fffb7d7128c in .seed_simple_evaluate () from /lib64/libseed-gtk3.so.0
#9 0x00003fffb7d76c6c in .seed_init_constrained_with_context_and_group () from /lib64/libseed-gtk3.so.0
#10 0x00003fffb7d76f04 in .seed_init_with_context_and_group () from /lib64/libseed-gtk3.so.0
#11 0x00003fffb7d77028 in .seed_init_with_context_group () from /lib64/libseed-gtk3.so.0
#12 0x00003fffb7d770a0 in .seed_init () from /lib64/libseed-gtk3.so.0
#13 0x000000001000109c in 0000003a.plt_call.g_option_group_add_entries+0 ()
#14 0x00003fffb7b566ec in .generic_start_main.isra () from /lib64/libc.so.6
#15 0x00003fffb7b568f4 in .__libc_start_main () from /lib64/libc.so.6
#16 0x0000000000000000 in ?? ()

Created attachment 874079
commitSize_to_be_pageSize.patch

This patch avoid the Crash reported as the initial description.
But do not solve the segfault reported in Comment 1

refer to details of the crash in referenced fedora bugzilla

Created attachment 226710
webkitgtk3.commitsize.to.pagesize.patch

a first RFC patch to avoid the Crash.

Just a note there before I will try to upstream it..

diff --git a/Source/JavaScriptCore/heap/CopiedBlock.h b/Source/JavaScriptCore/heap/CopiedBlock.h
index 4685e23..c5da610 100644
--- a/Source/JavaScriptCore/heap/CopiedBlock.h
+++ b/Source/JavaScriptCore/heap/CopiedBlock.h
@@ -81,7 +81,7 @@ public:
     size_t size();
     size_t capacity();

- static const size_t blockSize = 32 * KB;
+ static const size_t blockSize = 64 * KB;

     bool hasWorkList();
     CopyWorkList& workList();

This also affects aarch64 and the ppc64_align.patch currently in rawhide appears to fix this.

We are getting a similar crash in Ubuntu. Has there been any progress on reviewing the patch?

Created attachment 241283
Patch

Thanks for the patch. I don't know the JSC internals so I cannot review it myself.

However defining a local 'commitsize' to override the global constant 'commitSize' is very confusing. Either use a different name or use pageSize() directly.

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Created attachment 266795
Make commitSize at least as big as the page size

Here's a new patch. It makes sure that commitSize is at least as big as the page size without decreasing it if it's less than 16 KB.

Comment on attachment 266795
Make commitSize at least as big as the page size

View in context: https://bugs.webkit.org/attachment.cgi?id=266795&action=review

commitSIze is only needed when "#if !ENABLE(JIT)". Let's put it in the appropriate sections.

> Source/JavaScriptCore/interpreter/JSStack.cpp:46
> static StaticLock stackStatisticsMutex;
> #endif // !ENABLE(JIT)
>
> +static size_t commitSize;

Move the commitSize declaration just below committedBytesCount above.

> Source/JavaScriptCore/interpreter/JSStack.cpp:58
> + commitSize = std::max(16 * 1024, getpagesize());
> +
> #if !ENABLE(JIT)

Move this initialization below the #if !ENABLE(JIT).

Also, it may not matter much but the commitSize value should only be set once, not every time we construct a new JSStack. Perhaps it would be better to have static function and use that instead wherever you use commitSize currently in JSStack.cpp:

static size_t commitSize()
{
    static size_t size = 0;
    if (!size)
        size = std::max(16 * 1024, getpagesize());
    return size;
}

Created attachment 266803
Make commitSize at least as big as the page size (v2)

Thanks for your comments, here's the updated version of the patch.

Comment on attachment 266803
Make commitSize at least as big as the page size (v2)

r=me

Committed r193648: <http://trac.webkit.org/changeset/193648>

Comment on attachment 266803
Make commitSize at least as big as the page size (v2)

View in context: https://bugs.webkit.org/attachment.cgi?id=266803&action=review

> Source/JavaScriptCore/interpreter/JSStack.cpp:48
> + static size_t size = 0;
> + if (!size)
> + size = std::max(16 * 1024, getpagesize());
> + return size;

The check for 0 here is unneeded and unhelpful. This should just be:

    static size_t size = std::max<size_t>(16 * 1024, pageSize());
    return size;

(In reply to comment #9)
> > Source/JavaScriptCore/interpreter/JSStack.cpp:48
> > + static size_t size = 0;
> > + if (!size)
> > + size = std::max(16 * 1024, getpagesize());
> > + return size;
>
> The check for 0 here is unneeded and unhelpful. This should just be:
>
> static size_t size = std::max<size_t>(16 * 1024, pageSize());
> return size;

You're right, I'll commit that change. Thanks!

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.